Converting Windows 10 Legacy BIOS to UEFI Secure Boot without a Recovery Partition

UEFI provides a number of features, including Secure Boot, which minimizes the risk of rootkits and creates a chain of trust from the firmware all the way to the loading of third-party kernel modules.

UEFI and Secure Boot are enabled by default in new Windows 10 installations. In my case, however, I upgraded from Windows 7 so my instance of Windows 10 uses a Master Boot Record (MBR) partition scheme and Legacy BIOS firmware.

I’m running my copy of Windows 10 in a virtual machine using VMware Fusion on macOS, so I started by creating a snapshot. We’ll first need to convert the partition table from MBR to GPT, then change the VM settings to use UEFI firmware and Secure Boot.

A Windows 10 installation partitions a disk similar to the following:

--------------------------------------------------------------
| System   | C:\                                 | Recovery  |
| Reserved |                                     | Partition |
| 100 MB   |                                     |           |
--------------------------------------------------------------

Since I’m running Windows 10 in a virtual machine, at some point I needed to increase my hard disk size. In order to extend the C:\ partition to make use of the additional hard disk space, I deleted the recovery partition. If you still have your recovery partition, this process becomes a lot smoother for you.

If you’re like me, however, and you don’t have a recovery partition, running mbr2gpt /validate /allowfullos will fail with the error Cannot find OS partition(s) for disk 0. This error occurs because mbr2gpt reads from the Boot Configuration Data (BCD) store, and the Windows Boot Loader’s recovery sequence was still pointing to the Windows Recovery Environment that I had previously deleted.

>reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:

Windows RE status:         Disabled
    Windows RE location:
    Boot Configuration Data (BCD) identifier: 397d4d8c-7a2c-11ea-8093-d4786173a704
    Recovery image location:
    Recovery image index:      0
    Custom image location:
    Custom image index:        0

REAGENTC.EXE: Operation Successful.

Note the BCD identifier. Looking at the BCD store the problem becomes obvious:

>bcdedit /enum /v

Windows Boot Manager
--------------------
identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default                 {79a0819d-7a34-11ea-b90e-fc693f2aa635}
resumeobject            {79a0819c-7a34-11ea-b90e-fc693f2aa635}
displayorder            {79a0819d-7a34-11ea-b90e-fc693f2aa635}
toolsdisplayorder       {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout                 30

Windows Boot Loader
-------------------
identifier              {79a0819d-7a34-11ea-b90e-fc693f2aa635}
device                  partition=C:
path                    \WINDOWS\system32\winload.exe
description             Windows 10
locale                  en-US
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence        {397d4d8c-7a2c-11ea-8093-d4786173a704}
displaymessageoverride  Recovery
recoveryenabled         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \WINDOWS
resumeobject            {79a0819c-7a34-11ea-b90e-fc693f2aa635}
nx                      OptIn
bootmenupolicy          Standard

Note the recoverysequence attribute. That’s the same GUID. To delete the entry:

>bcdedit /delete {397d4d8c-7a2c-11ea-8093-d4786173a704}
The operation completed successfully.

>bcdedit /enum /v

Windows Boot Manager
--------------------
identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default                 {79a0819d-7a34-11ea-b90e-fc693f2aa635}
resumeobject            {79a0819c-7a34-11ea-b90e-fc693f2aa635}
displayorder            {79a0819d-7a34-11ea-b90e-fc693f2aa635}
toolsdisplayorder       {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout                 30

Windows Boot Loader
-------------------
identifier              {79a0819d-7a34-11ea-b90e-fc693f2aa635}
device                  partition=C:
path                    \WINDOWS\system32\winload.exe
description             Windows 10
locale                  en-US
inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
displaymessageoverride  Recovery
recoveryenabled         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \WINDOWS
resumeobject            {79a0819c-7a34-11ea-b90e-fc693f2aa635}
nx                      OptIn
bootmenupolicy          Standard

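Before deleting anything, it helps to find the broken reference mechanically. The PowerShell below is an added example, not part of the original post: it parses bcdedit /enum all /v (the all is needed because plain /enum lists only active entries, which is why the orphaned WinRE entry never appears in the listings above even though bcdedit /delete could remove it) and reports every loader whose recoverysequence points at an entry that is missing or whose device no longer resolves. It assumes bcdedit renders an unresolvable device as unknown, and live use needs an elevated shell.

```powershell
# Added example (not from the original post): flag loaders whose recoverysequence
# target is missing from the BCD store or has a device that does not resolve.
# Assumption: bcdedit prints "unknown" as the device of an entry whose partition is gone.
# Live use (the default for -RawLines) needs an elevated shell.

function Get-BcdEntries {
    param([string[]]$RawLines)
    $entries = @(); $current = $null
    foreach ($line in $RawLines) {
        if ($line -notmatch '\S') {                   # blank line ends an entry
            if ($current) { $entries += [pscustomobject]$current }
            $current = $null
        } elseif ($line -match '^(\S+)\s+(\S.*)$') {  # "key   value" rows only
            $key = $Matches[1]; $value = $Matches[2].Trim()
            if ($key -eq 'identifier') { $current = [ordered]@{ identifier = $value } }
            elseif ($null -ne $current) { $current[$key] = $value }
        }
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

function Find-BrokenRecoverySequence {
    param([string[]]$RawLines = (bcdedit /enum all /v))   # live store by default
    $entries = Get-BcdEntries -RawLines $RawLines
    foreach ($e in ($entries | Where-Object { $_.PSObject.Properties['recoverysequence'] })) {
        $target = $entries | Where-Object { $_.identifier -eq $e.recoverysequence }
        $reason = if (-not $target) { 'recovery entry missing from store' }
                  elseif ($target.device -in @($null, '', 'unknown')) { 'recovery entry device does not resolve' }
        if ($reason) {
            [pscustomobject]@{ Loader = $e.description; RecoverySequence = $e.recoverysequence; Problem = $reason }
        }
    }
}

# Constructed sample modelled on the post's store, plus the orphaned WinRE entry that plain /enum hides.
$sampleText = @'
Windows Boot Loader
identifier              {79a0819d-7a34-11ea-b90e-fc693f2aa635}
device                  partition=C:
description             Windows 10
recoverysequence        {397d4d8c-7a2c-11ea-8093-d4786173a704}

Windows Boot Loader
identifier              {397d4d8c-7a2c-11ea-8093-d4786173a704}
device                  unknown
description             Windows Recovery Environment
'@
Find-BrokenRecoverySequence -RawLines ($sampleText -split "`r?`n") | Format-Table -AutoSize
```

On the constructed sample this reports the Windows 10 loader with the problem "recovery entry device does not resolve"; run it with no -RawLines argument to check the live store.
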
Great, so the erroneous entry is gone. Time to try the conversion again:

>mbr2gpt /validate /allowfullos
MBR2GPT: Attempting to validate disk 0
MBR2GPT: Retrieving layout of disk
MBR2GPT: Validating layout, disk sector size is: 512 bytes
MBR2GPT: Validation completed successfully

>mbr2gpt /convert /allowfullos
If conversion is successful the disk can only be booted in GPT mode.
These changes cannot be undone!

MBR2GPT: Attempting to convert disk 0
MBR2GPT: Retrieving layout of disk
MBR2GPT: Validating layout, disk sector size is: 512 bytes
MBR2GPT: Trying to shrink the OS partition
MBR2GPT: Creating the EFI system partition
MBR2GPT: Installing the new boot files
MBR2GPT: Performing the layout conversion
MBR2GPT: Migrating default boot entry
MBR2GPT: Fixing drive letter mapping
MBR2GPT: Conversion completed successfully
Call WinReReapir to repair WinRE
MBR2GPT: Failed to update ReAgent.xml, please try to  manually disable and enable WinRE.
MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode!

The WinRE error is expected since I obviously don’t have that enabled. I shut down the VM, changed the VM firmware type to UEFI, enabled UEFI Secure Boot, and enabled Virtualization Based Security (I’m using VMware Fusion), and it started right up without a hitch!

[Figure: VMware Fusion Advanced Settings dialog box]