Enabling UEFI and SecureBoot after an Upgrade from Windows 7 OEM to Windows 10 OEM


Introduction

A UEFI Boot allows for the Globally Unique Identifier Table Partition Scheme (GPT) to be used opposed to the Legacy Master Boot Record (MBR). This partition scheme allows 128 partitions opposed to 4, support for >2 TB drives and is more robust as there are multiple boot records opposed to a single boot record.

Secure Boot as the name suggests only allows verified code to Boot. This code must have a Microsoft verified signature. This prevent preboot malware from booting before Windows 10 and its inbuilt Windows Defender security hence totally crippling the Operating System. This was pretty prevalent in the Windows XP/Vista/7 era.

SecureBoot

In Late 2011 there were advances in new hardware to accommodate a UEFI Boot. The OS at the time Windows 7 64 Bit was capable to Boot using UEFI however most Windows 7 installation media was not set up to do so. As a consequence most Windows 7 installs on systems with a UEFI BIOS are installed using a Legacy Boot.

In Mid 2012 there were advances in hardware and software (Windows 8) to accommodate a UEFI Boot with Secure Boot. The user interface of Windows 8 was dreadful so there was a massive end user backlash. Users didn’t want Windows 8 so OEMs continued to sell new hardware with Windows 7 OEM installed. Because Windows 7 wasn’t updated to support Secure Boot this security feature had to be Disabled for all Windows 7 installs. This was often done along an install using a Legacy Boot opposed to a UEFI Boot as mentioned earlier.

Windows 10 supports a UEFI Boot with Secure Boot and for optimal security and performance both these should be Enabled. The trouble is however a Windows 7 OEM to Windows 10 OEM upgrade install conserves the Boot Mode meaning one still uses a Legacy Boot without Secure Boot. The only way this could be rectified previously was via A Clean Install of Windows 10.

With the Windows 10 RS2, build 15063, Version 1703, Creator’s Update, Microsoft have included a tool to convert the Legacy MBR Partition Scheme to the GPT Partition Scheme. You can use this tool and once you have converted your SSD/HDD to GPT you can change the UEFI BIOS settings to Enable a UEFI Boot with Secure Boot increasing the performance, reliability and security of your system.

Checking how your UEFI BIOS is configured

Power off your Dell. Wait 30 s and then power on your Dell and press [F12] to access the Boot Menu:

This will take you to the Boot Menu, to the top it should state the Boot Mode and Secure Boot status.

1. If your Boot Mode is set to UEFI and Secure Boot is On then you don’t need to follow this guide:

2. If your Boot Mode is set to Legacy then follow through with this guide. Secure Boot will always be Off for a Legacy Boot:

3. If your Boot Mode is set to UEFI but Secure Boot is off the rest of the guide is not applicable. All you need to do is configure your UEFI BIOS settings to Disable Legacy Roms and Enable Secure Boot. See my Unified Extensive Firmware Interface (UEFI) guide for full instructions.

4. If you have a mention of a Legacy Boot and UEFI Boot but no mention of Secure Boot then you have an early UEFI BIOS. You should update your UEFI BIOS to the latest version and then recheck this menu. If there is now a mention of Secure Boot i.e. it looks like 2. you may proceed with the rest of this guide. If on the other hand you have the latest UEFI BIOS version and the screen still has no mention of Secure Boot you may proceed with this guide to get a UEFI Boot but you won’t be able to Enable Secure Boot as your Early UEFI BIOS doesn’t support it:

5. If there is no mention of UEFI or Legacy on this menu you likely have a computer older than the advent of UEFI with a Legacy only BIOS. This guide is not applicable for your system:

Looking at MSINFO32 in Windows

To exit the UEFI Boot menu press [Esc]. Windows should boot as normal. Once you are logged in press [Windows] and [ r ]. Type in msinfo32 and press [Enter]:

The system information should show. In green is the OS version. You must have Build 15063 or later. If you do not use the Windows 10 Media Tool to Perform an Upgrade Install.

In purple is details about your model such as System Manufacturer, System Model, BIOS version and SMBIOS version. In general you need a SMBIOS version of 2.7 or later for a system to have a UEFI Boot with Secure Boot. A SMBIOS version of 2.6 may have a UEFI Boot but no option for Secure Boot which you should have confirmed above with the Boot Menu. A SMBIOS version of 2.5 or lower is Legacy only and you should have seen this with the Boot Menu, again this guide is not applicable for your system.

In red are the 2 settings we want to look into at present the BIOS Mode should be Legacy and the Secure Boot State should be unsupported as Secure Boot is unsupported for a Legacy Boot:

Looking at Disk Management within Windows and Running the MBR2GPT Conversion Tool

The conversion has been seamless in all my tests however you may want to backup your Windows OS Boot Drive using Macrium Reflect to an external HDD/SSD just in case. For more Details see my guide Backing Up your Windows Installation using Macrium Reflect.

To best emulate a real-life scenario I performed a Clean Install of Windows 7 using a Legacy Boot and then installed Dell Backup and Recovery to made a Recovery Partition. I then proceeded with a Windows 10 Upgrade. This should yield a similar situation as a Windows 10 Upgrade install from Windows 7 factory settings.

To minimise interference close down all other applications before proceeding with the instructions below.

The first step is to remove OEM Recovery Programs such as Dell Backup and Recovery (formerly called Dell DataSafe Local Backup) as they are now obsolete.

Right click “Apps and Features”:

Scroll down:

Select Programs and Features:

Select Dell Backup and Recovery (or any Dell DataSafe products) and select Uninstall:

Wait for the uninstall to begin:

Select yes to confirm:

Wait for the uninstall:

Restart your computer when prompted:

Next its worth looking at Disk Management. Right click the start button and select Disk Management:

Right click your OS Boot Drive typically Disk 0:

Select Properties:

Select volumes:

If the partition style is GUID Partition Table then there is no need to continue with this guide.

If it is Master Boot Record (MBR) we will need to use the GPT2MBR tool and possibility use of Diskpart to remove the Recovery Partition (which is now obsolete) as MBR has a maximum of 4 Partitions and the GPT2MBR creates an additional partition before the disk is switched to GPT.

 

Right click the start button and select Windows PowerShell (Admin):

Accept the user account control prompt:

Type in:

mbr2gpt /validate /allowFULLOS

Then press [Enter]

The tool should check if your disk is able to be converted if it can it will state validation completed successfully:

If the validation is successful.

Type in:

mbr2gpt /convert /allowFULLOS

Then press [Enter]

The tool will finish converting your disk and Windows Powershell may be closed:

If the validation is not successful because 4 partitions are already present you will instead get this:

To rectify this we’ll need to delete the Recovery Partition. Type in:

Diskpart

Then press [Enter]

Type in:

List Disk

Then press [Enter]

Assuming you only have a Disk 0 and its the only Disk listed type in:

Select Disk 0

Then press [Enter]

To look at the partition on the Disk type in:

List Partition

Then press [Enter]

Look at the partitions you want to keey the largest partition which will be the C: Drive. You want to also keep the 94-100 MB partition and the 450 MB partition. The partition you want to delete is the old Recovery Partition usually 5-20 GB in size. In my case this is partition 4 but amend to suit your specific case.

To select the Recovery Partition:

Select Partition 4

Then press [Enter]

To delete the partition type in:

Delete Partition override

Then press [Enter]

You can now exit Diskpart. Type in:

exit

Then press [Enter]

Type in:

mbr2gpt /validate /allowFULLOS

Then press [Enter].

This time as there are only 3 partitions and it has the ability to create the 4th on MBR it should pass the validation.

Type in:

mbr2gpt /convert /allowFULLOS

Then press [Enter].

This time it should complete the conversion.

You can now check by right clicking Disk 0:

Selecting Properties:

Selecting volumes:

You should see that its now using the GUID Partition Table (GPT):

 

After Conversion

If you right click the start button and select restart.

Instead of Windows loading you’ll be greeted with the following error. This is because the SSD/HDD is now setup for UEFI but you are still Booting via Legacy.

Power off your system and wait 30 seconds then follow my guide Unified Extensive Firmware Interface (UEFI) to Enable a UEFI Boot with Secure Boot. Once you have Enabled these settings your Boot Menu should look like the following. Press [Esc] and Windows should boot normally (this time and every time after using a UEFI Boot with Secure Boot):

You can press [Windows] and [ r ] and type in msinfo32 again and press [Enter]:

Now the Boot Mode should be UEFI and the Secure Boot State should be On:

If you right click start and select Disk Management:

You should notice that Disk 0 now has an EFI partition. Again right click Disk 0: Select Properties:

Select Volumes:

The Partition Style should be GUID Partition Table (changed from MBR):

You can now enjoy the benefits of a UEFI Boot, the GPT scheme and protection from Secure Boot.

Advertisements