In the world of computing, the way we store and manage data is constantly evolving. One such significant change is the transition from the traditional Master Boot Record (MBR) system to the more modern GUID Partition Table (GPT) system. While both serve the critical function of telling our systems where data is stored and how to boot, GPT brings a host of advantages over its predecessor, from supporting larger disk sizes to improved data corruption handling.

But GPT’s benefits don’t end at handling data better. When paired with Unified Extensible Firmware Interface (UEFI) and its secure boot feature, GPT becomes a key player in enhancing system security. UEFI, a replacement for the older BIOS system, offers features like faster boot times and a graphical user interface. Its secure boot feature adds a robust security layer to protect against bootkit and rootkit attacks.

This blog post aims to guide you through the process of upgrading from MBR to GPT and enabling UEFI with secure boot. By the end, you’ll have a clear understanding of why this transition is beneficial and how you can accomplish it on your own. Remember, as with any significant system change, it’s essential to back up your data before proceeding.

Understanding MBR and GPT

Before delving into why an upgrade from MBR to GPT is beneficial, let’s take a moment to understand what these systems are and the roles they play.

Master Boot Record (MBR)

MBR is one of the oldest disk partitioning schemes, dating back to the early days of personal computers. When a computer boots up, it reads the MBR to determine where the operating system is located and how to load it.

However, MBR does come with limitations. It can only support disks up to 2TB in size, and it can manage a maximum of four primary partitions. While this was sufficient during the era of smaller hard drives, it’s a considerable disadvantage in today’s world of large-capacity storage devices.

GUID Partition Table (GPT)

GPT, or GUID Partition Table, is a more modern partitioning scheme that addresses many of MBR’s shortcomings. It’s a part of the UEFI standard and is designed to work with larger, modern storage devices.

GPT supports disks larger than 2TB and allows for more than 128 primary partitions in Windows, making it a significant upgrade from MBR. Moreover, GPT offers better data protection. It stores multiple copies of the partitioning and boot data across the disk and can correct errors it finds in the partition table. Additionally, GPT uses a universally unique identifier (UUID) for each partition, which ensures that each partition on every disk in the world has a unique identifier.

In conclusion, while MBR served its purpose in its time, GPT provides more scalability and reliability for modern systems. The transition from MBR to GPT is more than just a routine upgrade; it’s a necessary shift to handle modern computing demands effectively.

Role of UEFI and its advantages over BIOS

As we move towards modernized computing systems, replacing BIOS (Basic Input/Output System) with UEFI (Unified Extensible Firmware Interface) is becoming increasingly common. To fully comprehend why it’s advantageous, we need to understand what each of these systems does.

BIOS

BIOS is a small piece of software stored on a chip on your computer’s motherboard. It’s the first software that runs when you turn on your computer. BIOS initializes your hardware and then loads the operating system from your hard drive to start the boot process.

However, BIOS has its limitations. For instance, it can only boot from drives of up to 2TB in size, it lacks a graphical user interface, and it has slower boot times. Additionally, BIOS isn’t inherently designed to handle modern hardware and computing needs.

UEFI

Unified Extensible Firmware Interface (UEFI), on the other hand, was developed to overcome the limitations of BIOS. While UEFI performs the same fundamental function—initializing your hardware and booting your operating system—it does so with added efficiency and flexibility.

UEFI supports booting from drives larger than 2TB, aligning with GPT’s ability to handle larger disk sizes. UEFI also boots faster due to its design and optimization for modern systems. It comes with a user-friendly interface that can be navigated with a mouse, unlike BIOS, which is entirely keyboard-based.

Furthermore, UEFI offers more advanced features, including network capabilities for remote troubleshooting and updates, compatibility support modules for BIOS, and secure boot to protect against malware that tries to infect the boot process.

The most significant advantage of UEFI is its secure boot feature. Secure boot helps to prevent malicious software and unauthorized operating systems from loading during the system start-up process, enhancing the overall security of your system.

In conclusion, UEFI, with its modern features and capabilities, not only aligns with today’s hardware and software advancements but also lays the foundation for secure and efficient systems. Coupling UEFI with GPT, as opposed to the antiquated BIOS and MBR, unlocks a range of benefits that are becoming increasingly necessary in today’s digital age.

Enhancing system security with UEFI’s secure boot

In our digitally connected world, system security is not just a luxury—it’s a necessity. Malware is continually evolving, with new threats emerging daily. Fortunately, advancements in technology have brought about powerful mechanisms to safeguard our systems. One such mechanism is the secure boot feature of UEFI.

Understanding secure boot

Secure boot is a feature found in the UEFI firmware settings that helps to ensure that your PC boots using only software that is trusted by the manufacturer. This added layer of security is designed to prevent low-level malware threats, such as rootkits and bootkits, that start their infectious processes even before the operating system boots up.

When secure boot is enabled, the firmware checks the digital signature of each piece of boot software, including firmware drivers and the operating system itself. If any of these are unsigned or signed with a key not recognized by the firmware, the firmware will block their execution. This means that even if a piece of malware manages to get onto your PC, it won’t be able to hide in the boot path or tamper with your operating system.
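The "keys recognized by the firmware" live in the UEFI Secure Boot variables (db is the allow-list). The following PowerShell is an added example, not code from the original post: it decodes the EFI_SIGNATURE_LIST format those variables use so you can see exactly which certificates and hashes your firmware will accept. It exercises the parser on a constructed sample first, then tries the real db, which needs an elevated prompt on a UEFI system.

```powershell
# Added example: decode the UEFI Secure Boot signature database (db) to list the
# signers the firmware trusts. Layout per the UEFI spec, EFI_SIGNATURE_LIST:
#   GUID   SignatureType        16 bytes (X.509 certificate or SHA-256 hash entries)
#   UINT32 SignatureListSize    total bytes of this list, header included
#   UINT32 SignatureHeaderSize  optional header, usually 0
#   UINT32 SignatureSize        bytes per EFI_SIGNATURE_DATA entry
#   BYTE   SignatureHeader[SignatureHeaderSize]
#   EFI_SIGNATURE_DATA[]        each = GUID SignatureOwner (16 bytes) + SignatureData
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function ConvertFrom-EfiSignatureList {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Refuse sizes that would run past the buffer instead of decoding garbage.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $entry = $offset + 28 + $headerSize
        $end   = $offset + $listSize
        while ($entry + $sigSize -le $end) {
            $owner = [guid]::new([byte[]]$Bytes[$entry..($entry + 15)])
            $data  = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $desc = "X.509 $($cert.Subject) thumbprint=$($cert.Thumbprint)"
            } elseif ($type -eq $EfiCertSha256) {
                $desc = 'SHA-256 ' + [BitConverter]::ToString($data).Replace('-', '').ToLower()
            } else {
                $desc = "unknown entry type $type ($($data.Length) bytes)"
            }
            [pscustomobject]@{ Owner = $owner; Entry = $desc }
            $entry += $sigSize
        }
        $offset = $end
    }
}

# Constructed sample (not real firmware data): one SHA-256 list holding a single
# entry, so the parser can be run on any machine, BIOS or UEFI.
$sampleOwner = [guid]'11111111-2222-3333-4444-555555555555'
$sampleHash  = [byte[]](1..32)
$sample = [byte[]]($EfiCertSha256.ToByteArray() +
                   [BitConverter]::GetBytes([uint32](28 + 16 + 32)) +
                   [BitConverter]::GetBytes([uint32]0) +
                   [BitConverter]::GetBytes([uint32](16 + 32)) +
                   $sampleOwner.ToByteArray() + $sampleHash)
ConvertFrom-EfiSignatureList -Bytes $sample | Format-Table -AutoSize

# On a UEFI machine, read the real allow-list (fails on legacy BIOS or unelevated).
try {
    $db = Get-SecureBootUEFI -Name db
    ConvertFrom-EfiSignatureList -Bytes $db.Bytes | Format-Table -AutoSize
} catch {
    Write-Warning "Could not read the Secure Boot db: $($_.Exception.Message)"
}
```

Swap db for dbx to see the revocation list, i.e. the signers and hashes the firmware will refuse even when they carry an otherwise valid signature.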

Enhanced security with secure boot

By validating the boot process in this manner, secure boot significantly enhances the security of your system. It provides a strong defense against boot-time malware, preventing such threats from gaining a foothold in your system.

It’s worth noting that secure boot doesn’t replace an antivirus or other security measures. Instead, it provides an additional layer of protection against sophisticated threats that other security measures might miss.

Moreover, secure boot plays an essential role when used in combination with other security features available in Windows, such as BitLocker and Windows Defender System Guard. These comprehensive security measures work together to create an integrated, robust defense against a variety of threats.

While secure boot does increase security, it can also cause compatibility issues with older hardware and software that aren’t designed to handle its checks. Therefore, while it’s generally recommended to enable secure boot, it’s essential to consider your specific hardware and software needs.

In conclusion, UEFI’s secure boot is a powerful tool for enhancing system security. When used with a GPT disk and in combination with other security measures, it can help create a resilient defense against a range of sophisticated malware threats.

A step-by-step guide to upgrading from MBR to GPT

Now that we have established the reasons to transition from MBR to GPT and the benefits of enabling UEFI with secure boot, it’s time to walk you through the process. We will be using Hyper-V for demonstration purposes, but the core steps can be applied generally, given the right environment.

The process involves preparing an environment to boot Windows Preinstallation Environment (WinPE) using the Windows Assessment and Deployment Kit (ADK). We will then boot from the created ISO file and modify the system offline, which will allow us to enable UEFI and secure boot.

This process is not overly complex, but it does require some technical knowledge and care. Always remember that working with a system’s boot settings is a sensitive task, and as such, you should back up any valuable data before proceeding.

Let’s walk through each step of the process…

Installing the ADK and WinPE

To prepare the environment for the transition from MBR to GPT, we’ll need to install two essential tools provided by Microsoft: the Assessment and Deployment Kit (ADK) and the Windows Preinstallation Environment (WinPE). ADK is a collection of tools that you can use to customize, assess, and deploy Windows operating systems to new computers. On the other hand, WinPE is a small operating system used to install, deploy, and repair Windows.

In this tutorial, we’ll install these tools on Windows 11 using the Windows Package Manager, also known as winget, a free package manager designed for Windows.

Install Winget

If you’re using Windows 10, you will need to install winget first; on Windows 11 it’s already available. You can download it from the GitHub repository. After the download is complete, you can install it by double-clicking on the .appxbundle file.

Install ADK

To install ADK, open the Windows Terminal or Command Prompt as an administrator. In the command line, type the following:

winget install --id=Microsoft.WindowsADK --exact

Note! This is a fairly lengthy process; give it time to download and install.

Install WinPE

Next, we’ll install the WinPE addon. In the same command line window, type:

winget install --id Microsoft.ADKPEAddon --exact

Creating a default WinPE media

Once we have ADK and WinPE installed, the next step is to create a WinPE bootable media. WinPE is a lightweight version of Windows used for the deployment of PCs, workstations, and servers. It’s perfect for our task because it allows us to manipulate the disk structure outside of the full Windows environment. Here’s a step-by-step guide on how to create a WinPE media.

Step 1: Create a working copy of WinPE

Before you can create bootable WinPE media, you need to create a working copy of WinPE. You can do this by using the ‘copype’ command, which is a script that comes with WinPE.

First, from the start menu open the “Deployment and Imaging Tool Environment” Command shell as an administrator.

Next, type the following command:

copype amd64 C:\WinPE_amd64

This command creates a new directory at “C:\WinPE_amd64” with all the necessary WinPE files.

Step 2: Create bootable media

Now, we’re going to create the bootable media. In this guide, we’re creating a bootable ISO media, but you could also create a USB or a PXE bootable media.

Still, in the Command Prompt, type the following command:

MakeWinPEMedia /ISO C:\WinPE_amd64 C:\WinPE_amd64\WinPE_amd64.iso

This command creates an ISO file at C:\WinPE_amd64\WinPE_amd64.iso that you can burn to a DVD or mount in a virtual machine.

And that’s it! You now have a bootable WinPE media that you can use to boot your system and perform the disk partitioning tasks necessary to upgrade from MBR to GPT.

Identifying non-UEFI virtual machines

Before we proceed with upgrading from MBR to GPT, it’s crucial to identify the virtual machines (VMs) that are still using MBR disks and thus relying on BIOS to boot. We will cover how to do this both on Hyper-V and VMware hosts.

Hyper-V

In Hyper-V, VMs using BIOS belong to Generation 1, whereas VMs using UEFI are part of Generation 2. Therefore, you can identify VMs that are still using BIOS by their generation number.

To find the generation of all VMs on a Hyper-V host, you can use the following PowerShell command:

Get-VM | select vmname, generation

This command lists all VMs along with their generation number.

If you need to find this information from within the VM itself, you can use the ‘firmware_type’ environment variable in PowerShell. Open a PowerShell window and enter the following command:

$env:firmware_type

If the output is UEFI, the VM is using UEFI as its firmware interface. If the output is Legacy, the VM is using BIOS.

Keep in mind that this command must be run within the VM whose firmware interface you want to determine.

VMware

In VMware, the boot firmware is specified in the VM’s settings. However, there isn’t a direct command to list the boot firmware for all VMs from the ESXi host’s command line. You will have to check each VM’s settings individually in the vSphere Client.

Alternatively, you can use the PowerCLI module for PowerShell to remotely query this information from a VMware host:

Get-VM | Select Name, @{N='Boot Firmware';E={$_.ExtensionData.Config.Firmware}}
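To turn the Hyper-V check above into a conversion worklist, the following PowerShell function is an added example (not code from the original post): it lists every Generation 1 VM with its attached virtual hard disks and, for VMs that are powered off, mounts each VHD read-only to confirm the disk really is MBR before you schedule it. It assumes it is run in an elevated prompt on the Hyper-V host with the Hyper-V PowerShell module installed.

```powershell
# Added example: inventory Hyper-V VMs that still boot with BIOS (Generation 1)
# and, where the VM is off, confirm the attached disk's partition style is MBR.
function Get-LegacyBootVM {
    [CmdletBinding()]
    param()

    Get-VM | Where-Object Generation -eq 1 | ForEach-Object {
        $vm = $_
        # Every virtual hard disk attached to this VM (IDE and SCSI controllers).
        foreach ($disk in (Get-VMHardDiskDrive -VMName $vm.Name)) {
            $style   = 'unknown (VM running, disk not inspected)'
            $mounted = $null
            if ($vm.State -eq 'Off' -and $disk.Path) {
                try {
                    # Mount read-only and without a drive letter so nothing inside the
                    # guest disk is touched, then ask the storage stack for the style.
                    $mounted = Mount-VHD -Path $disk.Path -ReadOnly -NoDriveLetter -Passthru
                    $style   = ($mounted | Get-Disk).PartitionStyle   # MBR, GPT or RAW
                }
                catch {
                    $style = "error: $($_.Exception.Message)"
                }
                finally {
                    if ($mounted) { Dismount-VHD -Path $disk.Path }
                }
            }
            [pscustomobject]@{
                VMName         = $vm.Name
                Generation     = $vm.Generation
                State          = $vm.State
                Controller     = "$($disk.ControllerType) $($disk.ControllerNumber):$($disk.ControllerLocation)"
                VhdPath        = $disk.Path
                PartitionStyle = $style
            }
        }
    }
}

# Typical use: MBR disks on powered-off Gen 1 VMs are the ones ready for mbr2gpt.
Get-LegacyBootVM | Sort-Object PartitionStyle, VMName | Format-Table -AutoSize
```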

Booting from WinPE and converting the disk to GPT

Once you have your bootable WinPE ISO file ready and have identified the VMs using MBR disks, it’s time to proceed with the actual conversion.

Step 1: Booting from WinPE

Start your target VM and boot it from the WinPE ISO file. In Hyper-V, you can do this by going into the settings of the VM, selecting the DVD Drive under Hardware, and browsing to the location of the WinPE ISO file. Make sure the VM is set to boot from the DVD Drive.

Once you’ve booted into WinPE, you’ll be presented with a Command Prompt.

Step 2: Identify the disk

Before you can convert the disk, you need to identify it. This is an important step, as the Mbr2Gpt tool requires the disk number in its commands. In the Command Prompt, type the following command to launch DiskPart, a built-in disk management tool:

diskpart

Once DiskPart is running, use the following commands to list all disks and volumes and determine which disk Windows boots from (DiskPart uses “rem” for comments, so the lines below can be pasted as they are):

list disk
list volume
rem Replace N with the number of the volume where Windows is installed
select volume N
rem In the output, partition type 07 means NTFS
detail partition
exit

Find your target disk in the list. It’s usually Disk 0 for a typical VM with one disk. Look for a disk that contains 3 partitions: a 100MB “System Reserved” partition, a 500 MB+ hidden partition and a larger one where Windows is installed. The DiskPart command “detail partition” reveals the file system type. Look for type “07”, which means NTFS. Take note of the disk number, as you’ll need it for the following steps.

Step 3: Validate the disk

Before proceeding, it’s a good idea to validate that the disk is suitable for conversion. Use the Mbr2Gpt tool with the /validate switch:

mbr2gpt /validate /disk:0

Replace ‘0’ with your target disk number if it’s different. The tool will check the disk and report any issues that might prevent the conversion.

Step 4: Convert the disk

Now you can convert the disk. This operation does not cause data loss as the tool is designed to convert the disk layout while keeping the existing data on the disk intact. Use the following command:

mbr2gpt /convert /disk:0

Again, replace ‘0’ with your target disk number if it’s different.

And that’s it! Your disk is now using GPT instead of MBR, and the next time you boot your system, it should use UEFI instead of BIOS.

Please do not attempt to restart your system at this stage!

Important notice post-conversion

After running the “mbr2gpt /convert” command, you might see a warning message that reads:

Before the new system can boot properly you need to switch the firmware to boot to UEFI mode!

This warning message is normal and it’s very important. The disk has been converted to GPT, but your system is still set to boot in BIOS (or legacy) mode. If you attempt to boot your system now, it will fail to start up properly because BIOS cannot boot from a GPT disk.

In the next chapter, we will cover how to switch your system firmware to UEFI mode, ensuring a smooth boot process with your newly converted GPT disk. So, hold tight and let’s proceed to the next important step.

Tip! Use the command “wpeutil shutdown” to turn off the machine.

Switching VMware virtual machines to UEFI mode

Now that we’ve converted our disk to GPT using the Mbr2Gpt tool, the next step is to change the firmware of our VMware virtual machine from BIOS to UEFI. It’s important to note that this step should be performed while the virtual machine is powered off. Let’s walk through this process:

After powering off the VM, open the VM settings. In the VM’s settings, navigate to the ‘VM Options’ tab. Under ‘Boot Options’, you will find the ‘Firmware’ setting. Here, you can switch from ‘BIOS’ to ‘EFI’.

Select ‘EFI’ and make sure the ‘Secure Boot’ box is checked. This will enable UEFI with secure boot, providing additional security benefits.

Switching Hyper-V virtual machines to UEFI mode

After we’ve converted our disk to GPT, we need to change our Hyper-V virtual machine from using BIOS to UEFI. This process is a bit more involved than with VMware, as Hyper-V does not directly support converting a Generation 1 VM (BIOS) to Generation 2 (UEFI). Instead, we’ll create a new Generation 2 VM and attach our converted disk to it. Here are the steps:

Step 1: Delete the original VM

Before you proceed, make sure you have backed up any important data. Deleting the VM does not delete the virtual hard disks, but it’s always a good practice to back up before making significant changes.

In the Hyper-V Manager, right-click on the VM and choose ‘Delete’. Remember, this only removes the VM configuration, not the virtual hard disk.

Step 2: Create a new generation 2 VM

Next, we’ll create a new VM. In the Hyper-V Manager, click on ‘New’ and then ‘Virtual Machine’. During the creation process, when you’re asked to choose the generation of the virtual machine, select ‘Generation 2’. This sets the new VM to use UEFI instead of BIOS.

Step 3: Attach the converted disk

Later in the creation process, you’ll be asked about a virtual hard disk. Choose ‘Use an existing virtual hard disk’ and browse to the location of the disk you converted earlier.

After you finish creating the VM, you can adjust any other settings (like network settings) to match the original VM. Now, you can power on the VM. It will boot using UEFI from the GPT disk.

Through this process, we’ve effectively ‘converted’ a Generation 1 VM to Generation 2. While it’s not as straightforward as a direct conversion, it’s currently the necessary process in Hyper-V.

Validating your configuration

Once you have successfully booted your VM, it’s important to validate that everything is configured as expected. For this, we will utilize a couple of commands.

Validate partition style

First, let’s confirm that your disk is using GPT. In a PowerShell prompt, type the following command:

Get-Disk | ft -Auto

This will display a table that lists all your disks. Look under the ‘Partition Style’ column. For your converted disk, it should say ‘GPT’.

Confirm secure boot is enabled

Next, let’s confirm that secure boot is enabled. Secure boot is a feature that’s only available with UEFI, and it’s an important component of our security enhancements.

In your PowerShell prompt, type:

Confirm-SecureBootUEFI

If secure boot is enabled, you will receive a ‘True’ output. If you get a ‘False’ output, secure boot is not enabled. If you see ‘Cmdlet not supported on this platform’, then your system does not support secure boot, or it’s not booted in UEFI mode.
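The three checks in this section combine naturally into one script. The following PowerShell function is an added example (not code from the original post): it reads the boot disk’s partition style, the firmware type, and the Secure Boot state, handles the ‘Cmdlet not supported on this platform’ case described above, and returns a single object you can collect from many VMs with Invoke-Command.

```powershell
# Added example: run the post-conversion validations from this section and return
# one object per machine. Run in an elevated PowerShell prompt inside the VM.
function Test-UefiSecureBootConfig {
    [CmdletBinding()]
    param()

    # 1. Partition style of the disk Windows booted from. Get-Disk exposes
    #    PartitionStyle (MBR, GPT or RAW); the IsBoot flag marks the boot disk.
    $bootDisk       = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    $partitionStyle = if ($bootDisk) { $bootDisk.PartitionStyle } else { 'unknown' }

    # 2. Firmware interface the running OS was started from: 'UEFI' or 'Legacy'.
    $firmware = $env:firmware_type

    # 3. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS or when the
    #    platform has no Secure Boot support; turn that into a readable value.
    try {
        $secureBoot = Confirm-SecureBootUEFI
    }
    catch {
        if ($_.Exception -is [System.PlatformNotSupportedException] -or
            $_.Exception.Message -match 'not supported') {
            $secureBoot = 'not supported (legacy BIOS or no Secure Boot)'
        } else {
            # Typically access denied when the prompt is not elevated.
            $secureBoot = "error: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PartitionStyle = $partitionStyle
        FirmwareType   = $firmware
        SecureBoot     = $secureBoot
        # The end state this walkthrough aims for: GPT disk, UEFI boot, Secure Boot on.
        Compliant      = ($partitionStyle -eq 'GPT' -and $firmware -eq 'UEFI' -and $secureBoot -eq $true)
    }
}

Test-UefiSecureBootConfig | Format-List
```

Any VM reporting Compliant = False is either still booting in legacy mode (PartitionStyle GPT but FirmwareType Legacy means the firmware switch from the previous chapters was skipped) or has Secure Boot turned off in its settings.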

By completing these validations, you can be confident that your VM is now using UEFI with a GPT disk and has secure boot enabled. This setup provides you with a more secure and modern platform for your operating system.

Conclusion

Congratulations on making it through this technical walkthrough! By upgrading from MBR to GPT, and enabling UEFI with secure boot, you’ve effectively improved the security posture and boot performance of your system.

We’ve journeyed through understanding the differences between MBR and GPT, and between BIOS and UEFI. We’ve used Microsoft’s Mbr2Gpt tool to convert our disk from MBR to GPT, and then reconfigured our VM to boot in UEFI mode, even taking advantage of UEFI’s secure boot feature.

While these steps may seem technical and daunting at first, the increased security and performance enhancements are well worth it. UEFI, combined with GPT and secure boot, helps protect against bootkit attacks and provides a more robust environment for your operating system to run in.

As technology continues to evolve, it’s critical to keep our systems updated and secure. This process is just one example of how a relatively small change can make a big difference in security and performance.

Thank you for joining me today, and happy computing!