Tip: Switch Windows Server from BIOS to UEFI Boot and Secure Boot

Today I had the requirement to convert a Windows server from Legacy BIOS to UEFI with Secure Boot. It was a virtual machine on an ESXi 8 server. However, the method described should also work with other hypervisors and also with physically installed Windows servers.

If the boot mode is changed from Legacy BIOS to UEFI with Secure Boot in the server's firmware setup or in the VM settings, Windows Server normally no longer starts. This can be remedied with a rescue system, but that causes a somewhat longer downtime for production servers. The method described here does not completely eliminate downtime, but at least it does not take much longer than a reboot.

For Windows to start after the boot mode is changed from BIOS to UEFI, the disk that Windows boots from must be converted to a GPT disk. From Windows version 1703, i.e. Windows Server 2016 and Windows 10, the MBR2GPT tool is available for this purpose. The tool is used first to convert the MBR disk to a GPT disk.

However, the conversion from MBR to GPT cannot be undone, so it is essential to ensure that a current backup is available.

The procedure is as follows:

Convert MBR disk to GPT disk

The following command converts an MBR disk to a GPT disk. It has been available since Windows 10 / Windows Server 2016 and can be executed in a PowerShell session in administrator mode:

.\MBR2GPT.EXE /convert /allowfullos
Change boot mode to UEFI and activate Secure Boot

After converting the data carrier, the boot mode can be changed from Legacy BIOS to UEFI and Secure Boot can be activated. For physical servers, the server must be restarted and the corresponding settings made in the server setup. Exactly how and where this works depends on the hardware manufacturer.

In my case, this is a VM on ESXi 8. To change the boot mode, the VM must be switched off. In the VM settings, the boot mode can then be set to UEFI and Secure Boot can be activated.

Starting and checking the server

The VM can now be switched on again or the server can be started. After starting Windows, the following command can be used to check whether Secure Boot is active:

Confirm-SecureBootUEFI

If this command returns the value "True", Secure Boot is active.

The command must also be executed in an administrative PowerShell.
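
The checks around this procedure can be scripted. The following is an added example, not part of the original post: the function names are hypothetical, and it assumes the stock MBR2GPT /validate and /disk switches plus the Get-Disk, Get-ComputerInfo and Confirm-SecureBootUEFI cmdlets. The first function is run before the conversion, the second after the server has booted in UEFI mode.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Function names are hypothetical.

function Test-Mbr2GptReadiness {
    # MBR2GPT converts the system disk by default, so check that one.
    $disk = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1
    if (-not $disk) { throw 'No system disk found.' }
    if ($disk.PartitionStyle -ne 'MBR') {
        Write-Warning "Disk $($disk.Number) is already $($disk.PartitionStyle); nothing to convert."
        return $false
    }
    # /validate only checks whether the layout can be converted; the disk is not modified.
    & "$env:SystemRoot\System32\MBR2GPT.EXE" /validate "/disk:$($disk.Number)" /allowFullOS | Out-Host
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "MBR2GPT validation failed with exit code $LASTEXITCODE."
        return $false
    }
    return $true
}

function Test-UefiSecureBootState {
    $disk     = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI)
    }
    catch {
        # The cmdlet raises an error instead of returning False when Windows
        # was booted in Legacy BIOS mode; treat that as "not active".
        $secureBoot = $false
    }
    [pscustomobject]@{
        DiskNumber     = $disk.Number
        PartitionStyle = "$($disk.PartitionStyle)"
        FirmwareType   = "$firmware"
        SecureBoot     = $secureBoot
        Compliant      = ($disk.PartitionStyle -eq 'GPT') -and
                         ("$firmware" -eq 'Uefi') -and $secureBoot
    }
}

# Before the conversion:
#   if (Test-Mbr2GptReadiness) { 'Safe to run MBR2GPT /convert /allowfullos' }
# After switching the firmware to UEFI + Secure Boot and booting Windows:
#   Test-UefiSecureBootState | Format-List
```

A Compliant value of False with PartitionStyle GPT and FirmwareType Uefi means the disk and boot mode were switched but Secure Boot was left disabled in the firmware or VM settings.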
