This is the clean, repeatable path we use at CEC to satisfy Secure Boot requirements without breaking Windows.
Read First — CRITICAL ALERT
- This process CAN ruin your Windows installation. Proceed only if you accept the risk.
- Backups are REQUIRED. Make a full file backup and create a bootable Windows recovery USB.
- Admin account only. Close apps before you begin.
- UEFI-capable hardware required. After conversion, firmware must boot in UEFI (Legacy/CSM will not work).
TL;DR — Exact Steps
0) Prep — REQUIRED
- Create a Windows recovery USB (Media Creation Tool or “Create a recovery drive”). Keep it plugged in until you finish.
1) Open an Admin CMD
Start → type cmd → right-click Command Prompt → Run as administrator.
Or Win+X → Windows Terminal (Admin).
2) Save & Suspend BitLocker (Admin CMD; skip if BitLocker is off)
manage-bde -protectors -get C:
manage-bde -protectors -disable C: -RebootCount 0
The first command lists the key protectors, including the 48-digit recovery password: copy it somewhere off this disk (the recovery USB) before you continue. The second suspends protection; -RebootCount 0 keeps it suspended across every reboot below until you re-enable it in Step 9 (without it, Windows resumes protection on the next restart, and a second firmware round trip would land you at the recovery-key prompt). Suspending matters because Steps 5 and 7 change the boot measurements the TPM seals the key against; resuming afterwards reseals to the new values.
3) Check Your Current Mode
Press Win+R, type msinfo32, press Enter. Note BIOS Mode (UEFI or Legacy) and Secure Boot State (On/Off).
If BIOS Mode = UEFI: go to Step 6 to enable Secure Boot.
If BIOS Mode = Legacy: do Steps 4–5 to convert the system disk.
4) Validate the Disk for Conversion (Legacy → UEFI) (Admin CMD)
mbr2gpt /validate /allowFullOS
Return code 0 means the system disk can be converted. Without /disk:<n> mbr2gpt targets the system disk; add it only if Windows lives on another disk. Validation fails if the disk has more than 3 primary partitions, any extended/logical partition, or no default OS entry in the BCD; fix the layout (Disk Management or diskpart), then re-validate. The reason for a failure is written to %windir%\setupact.log and %windir%\setuperr.log.
5) Convert the Disk to GPT (Admin CMD)
NOTE: THIS STEP CAN CORRUPT YOUR WINDOWS INSTALLATION COMPLETELY AND NON-RECOVERABLY. Ensure backups and a recovery USB before proceeding.
mbr2gpt /convert /allowFullOS
Successful conversion creates an EFI System Partition and rewrites the BCD for UEFI boot. From this point the disk boots only in UEFI mode, so do not restart normally: go straight to Step 6 and switch the firmware.
6) Open UEFI Firmware Settings from Windows
Windows 11: Settings → System → Recovery → Advanced startup → Restart now → Troubleshoot → Advanced options → UEFI Firmware Settings → Restart.
7) Set Firmware Correctly (in BIOS/UEFI)
- Disable CSM/Legacy
- Boot mode = UEFI
- Secure Boot menu → Restore/Enroll factory keys (if available)
- Enable Secure Boot (where the menu offers a mode, pick Standard / "Windows UEFI mode", not Custom or "Other OS")
- Boot order: Windows Boot Manager first
- Save & exit
Where to look: Boot (CSM/Boot Mode), Security (Secure Boot), and sometimes Key Management. Vendor hints—ASUS: Boot → CSM, Boot → Secure Boot; MSI: Settings → Advanced → Windows OS Config; Gigabyte: BIOS → CSM Support, Settings → Secure Boot; ASRock: Security → Secure Boot, Boot → CSM.
8) Verify in Windows
Open msinfo32 again. You want BIOS Mode: UEFI and Secure Boot State: On.
9) Re-enable BitLocker (if used; Admin CMD)
manage-bde -protectors -enable C:
Do this only after Step 8 shows UEFI and Secure Boot On: resuming reseals the TPM-protected key to the new boot measurements, so later boots do not ask for the recovery key.
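The Windows-side steps above (1-5 before the firmware work, 8-9 after it) as one PowerShell script. This is an added example, not part of the CEC guide: it uses the BitLocker and Storage cmdlets as equivalents of the manage-bde commands, drives mbr2gpt, and refuses to convert unless validation passed and you confirm. The -Phase, -Convert, -OsDrive and -RecoveryKeyPath parameters and the script name are this example's own; it assumes Windows 10/11 with those modules present.

```powershell
<#
  Added example, not part of the CEC guide: the Windows-side half of the procedure as one script.
  -Phase Prepare = Steps 1-5 (elevation check, current mode, save and suspend BitLocker, validate
                   and, only with -Convert, convert the system disk)
  -Phase Verify  = Steps 8-9 (confirm UEFI + Secure Boot, resume BitLocker)
  Steps 6-7 (firmware) stay manual. Assumptions: Windows 10/11 with the Storage and BitLocker
  modules, mbr2gpt.exe under %windir%\System32; parameter names below are this example's own.
  Usage:  .\secureboot-prep.ps1 -Phase Prepare            # validate only
          .\secureboot-prep.ps1 -Phase Prepare -Convert   # Step 5, prompts before converting
          .\secureboot-prep.ps1 -Phase Verify             # after the firmware changes
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Prepare', 'Verify')][string]$Phase,
    [string]$OsDrive = 'C:',
    # Recovery password is written here; copy the file to the recovery USB, not just this disk.
    [string]$RecoveryKeyPath = "$env:USERPROFILE\Desktop\bitlocker-recovery-$env:COMPUTERNAME.txt",
    [switch]$Convert
)
$ErrorActionPreference = 'Stop'

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) console.'
}
$hasBitLocker = [bool](Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)

function Get-BootMode {
    # The same facts msinfo32 reports as "BIOS Mode" and "Secure Boot State", plus the system disk.
    $fw = $env:firmware_type                       # 'UEFI' or 'Legacy', set by the Windows loader
    try   { $sb = Confirm-SecureBootUEFI }         # True/False; throws when not booted via UEFI
    catch { $sb = 'Unsupported' }
    $sys = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1
    [pscustomobject]@{ Firmware = $fw; SecureBoot = $sb; Disk = $sys.Number; Style = $sys.PartitionStyle }
}

function Invoke-Prepare {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] param()
    $m = Get-BootMode
    Write-Host "BIOS Mode: $($m.Firmware)   Secure Boot: $($m.SecureBoot)   Disk $($m.Disk): $($m.Style)"

    # Step 2: record the recovery password, then suspend protection until Verify resumes it.
    # Equivalent of 'manage-bde -protectors -get C:' and '-disable C: -RebootCount 0'.
    $bl = if ($hasBitLocker) { Get-BitLockerVolume -MountPoint $OsDrive } else { $null }
    if ($bl -and $bl.VolumeStatus -ne 'FullyDecrypted') {
        $rp = @($bl.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($rp.Count -eq 0) { throw "$OsDrive has no recovery-password protector; add one before suspending." }
        $rp | ForEach-Object { "$($_.KeyProtectorId)  $($_.RecoveryPassword)" } | Set-Content -Path $RecoveryKeyPath
        Write-Host "Recovery password saved to $RecoveryKeyPath; copy it to the recovery USB now."
        Suspend-BitLocker -MountPoint $OsDrive -RebootCount 0 | Out-Null
    }

    if ($m.Style -eq 'GPT') {
        Write-Host 'System disk is already GPT: go to Step 6 and set the firmware to UEFI with Secure Boot on.'
        return
    }
    # Step 4: validate. mbr2gpt logs to %windir%\setupact.log and setuperr.log.
    & "$env:windir\System32\mbr2gpt.exe" /validate /allowFullOS "/disk:$($m.Disk)"
    if ($LASTEXITCODE -ne 0) {
        throw "mbr2gpt /validate returned $LASTEXITCODE. Check $env:windir\setuperr.log; keep at most 3 primary partitions and no extended/logical partition, then rerun."
    }
    if (-not $Convert) { Write-Host 'Validation passed. Rerun with -Convert to perform Step 5.'; return }
    # Step 5: irreversible. ConfirmImpact=High makes PowerShell prompt unless $ConfirmPreference is lowered.
    if ($PSCmdlet.ShouldProcess("disk $($m.Disk)", 'mbr2gpt /convert (MBR to GPT, not reversible)')) {
        & "$env:windir\System32\mbr2gpt.exe" /convert /allowFullOS "/disk:$($m.Disk)"
        if ($LASTEXITCODE -ne 0) { throw "mbr2gpt /convert returned $LASTEXITCODE; read setuperr.log before rebooting." }
        Write-Host 'Converted. Reboot straight into firmware (Step 6): this disk no longer boots in Legacy mode.'
    }
}

function Invoke-Verify {
    $m = Get-BootMode
    $problems = @()
    if ($m.Firmware -ne 'UEFI')  { $problems += 'BIOS Mode is not UEFI (CSM still enabled?)' }
    if ($m.SecureBoot -ne $true) { $problems += "Secure Boot State is $($m.SecureBoot), not On" }
    if ($m.Style -ne 'GPT')      { $problems += 'system disk is not GPT' }
    if ($problems.Count -gt 0) { throw "Not finished: $($problems -join '; '). Leave BitLocker suspended until this passes." }
    # Step 9: resume protection; the TPM reseals the key to the new (UEFI, Secure Boot on) measurements.
    $bl = if ($hasBitLocker) { Get-BitLockerVolume -MountPoint $OsDrive } else { $null }
    if ($bl -and $bl.VolumeStatus -ne 'FullyDecrypted' -and $bl.ProtectionStatus -eq 'Off') {
        Resume-BitLocker -MountPoint $OsDrive | Out-Null        # = manage-bde -protectors -enable C:
        Write-Host "BitLocker protection resumed on $OsDrive."
    }
    Write-Host 'OK: BIOS Mode UEFI, Secure Boot On, system disk GPT.'
}

switch ($Phase) { 'Prepare' { Invoke-Prepare } 'Verify' { Invoke-Verify } }
```

Run it from an elevated PowerShell: -Phase Prepare first (add -Convert for Step 5), reboot into firmware, then -Phase Verify. Because Prepare suspends BitLocker with -RebootCount 0, protection stays off through several firmware round trips; Verify resumes it only once UEFI and Secure Boot check out, so the TPM reseals against the final boot configuration rather than an intermediate one.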
Quick Recovery (If It Won’t Boot)
- Boot from Windows USB → Repair your computer → Troubleshoot → Command Prompt.
- Find your EFI partition and give it a letter (it usually has none):
diskpart
list vol
select vol N
assign letter=S
exit
The EFI partition is the small FAT32 volume (typically 100 MB, often labeled SYSTEM). Note which letter holds \Windows as well; inside the recovery environment it is often not C:.
- Rebuild the boot files:
bcdboot C:\Windows /s S: /f UEFI
Replace S: with the letter you assigned and C: with the drive that holds \Windows if it differs.
In firmware, ensure Windows Boot Manager is first in the boot order.
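The recovery steps above as a script for the recovery-environment Command Prompt. This is an added example, not part of the CEC guide: it locates the Windows volume by looking for the UEFI loader rather than assuming C:, finds the EFI System Partition by its GPT type and gives it a temporary letter if it has none, then runs the same bcdboot command. It assumes powershell.exe and the Storage module are available in WinRE (if they are not, type the diskpart and bcdboot lines by hand), that X: is WinRE's own RAM disk, and that the disk is already GPT; -TempLetter and the script name are this example's own.

```powershell
<#
  Added example, not part of the CEC guide. From the WinRE Command Prompt:
      powershell -ExecutionPolicy Bypass -File .\rebuild-uefi-boot.ps1
  Assumptions: powershell.exe + Storage module present in WinRE; X: is WinRE's RAM disk;
  the target disk is already GPT (mbr2gpt finished). -TempLetter is this example's own parameter.
#>
param([string]$TempLetter = 'S')
$ErrorActionPreference = 'Stop'
$EspType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'   # GPT partition type GUID of an EFI System Partition

# 1. Find the Windows volume: a lettered drive (not WinRE's X:) that holds the UEFI boot loader.
$winLetter = (Get-PSDrive -PSProvider FileSystem).Name |
    Where-Object { $_ -ne 'X' -and (Test-Path "${_}:\Windows\System32\winload.efi") } |
    Select-Object -First 1
if (-not $winLetter) { throw 'No volume with \Windows\System32\winload.efi found; wrong disk, or Windows is damaged.' }

# 2. Find the ESP on a GPT disk; give it a letter if it has none (same effect as diskpart "assign letter=S").
$esp = Get-Disk | Where-Object { $_.PartitionStyle -eq 'GPT' } | Get-Partition |
    Where-Object { $_.GptType -eq $EspType } | Select-Object -First 1
if (-not $esp) { throw 'No EFI System Partition found. If the disk is still MBR, the mbr2gpt conversion did not complete.' }
$assigned = $false
if ("$($esp.DriveLetter)" -match '^[A-Za-z]$') {
    $espLetter = "$($esp.DriveLetter)"
} else {
    $esp | Add-PartitionAccessPath -AccessPath "${TempLetter}:\"
    $espLetter = $TempLetter
    $assigned  = $true
}

# 3. Rebuild the UEFI boot files and BCD from the Windows installation
#    (bcdboot copies \Windows\Boot\EFI\* into the ESP and writes a UEFI BCD store there).
& bcdboot.exe "${winLetter}:\Windows" /s "${espLetter}:" /f UEFI
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
Write-Host "Boot files rebuilt on ${espLetter}: from ${winLetter}:\Windows."

# 4. Drop the temporary letter so the ESP stays hidden once Windows is back.
if ($assigned) { $esp | Remove-PartitionAccessPath -AccessPath "${TempLetter}:\" }
Write-Host "Reboot and make sure 'Windows Boot Manager' is first in the firmware boot order."
```

Selecting the ESP by its partition type GUID instead of by size or label is what makes this safe on machines with several disks or a stray FAT32 data volume; the recovery USB itself is excluded because it carries no \Windows\System32\winload.efi.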
Post-Conversion Health Check (Recommended) (Admin CMD)
Run these in an elevated console in this exact order:
DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow
Guide: What DISM & SFC do and how to read results
- DISM repairs the component store (WinSxS). Expect "The restore operation completed successfully." If you see source errors (e.g., 0x800f081f), mount a Windows ISO of the same build (right-click → Mount) and rerun with the ISO's image as the source:
DISM /Online /Cleanup-Image /RestoreHealth /Source:wim:X:\sources\install.wim:1 /LimitAccess
X: is the mounted ISO and 1 is the index of your edition (DISM /Get-WimInfo /WimFile:X:\sources\install.wim lists them). Media Creation Tool ISOs ship install.esd instead; use /Source:esd:X:\sources\install.esd:1.
- SFC repairs protected system files. "Windows Resource Protection did not find any integrity violations" = clean. If it reports repairs, reboot and run once more.
- If either tool fails repeatedly, consider an in-place repair install or restore from backup.
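The health check above, with the failure handling the text describes, as a PowerShell script. This is an added example, not part of the CEC guide: it runs DISM, and if DISM reports 0x800f081f and you passed -IsoPath it mounts the ISO, picks install.wim or install.esd and the index matching the running edition, and reruns with the /Source:wim:<path>:<index> (or esd:) form and /LimitAccess; it then runs SFC with its UTF-16 output decoded so the verdict can be matched. -IsoPath and the script name are this example's own; run it elevated on the same build as the ISO.

```powershell
<#
  Added example, not part of the CEC guide: DISM + SFC with the 0x800f081f fallback.
  Usage (elevated):  .\health-check.ps1                      # no ISO fallback
                     .\health-check.ps1 -IsoPath C:\ISO\Win11.iso
  -IsoPath is this example's own parameter; the ISO must match the installed build.
#>
param([string]$IsoPath)
$ErrorActionPreference = 'Stop'

function Invoke-Dism([string[]]$SourceArgs = @()) {
    # DISM reports errors on stdout (e.g. "Error: 0x800f081f"), so capturing stdout is enough.
    $lines = & dism.exe /Online /Cleanup-Image /RestoreHealth @SourceArgs | ForEach-Object { "$_" }
    [pscustomobject]@{
        ExitCode     = $LASTEXITCODE
        SourceNeeded = [bool]($lines | Select-String -SimpleMatch '0x800f081f' -Quiet)
        Completed    = [bool]($lines | Select-String -SimpleMatch 'The restore operation completed successfully' -Quiet)
    }
}

function Get-IsoSourceArgs([string]$Iso) {
    # Mount the ISO, pick install.wim or install.esd, and choose the index whose name matches this edition.
    Mount-DiskImage -ImagePath $Iso | Out-Null
    $drive = (Get-DiskImage -ImagePath $Iso | Get-Volume).DriveLetter
    $image = @('wim', 'esd') | ForEach-Object { "${drive}:\sources\install.$_" } |
             Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $image) { throw "No install.wim or install.esd under ${drive}:\sources" }
    $kind    = [IO.Path]::GetExtension($image).TrimStart('.')              # 'wim' or 'esd'
    $edition = (Get-CimInstance Win32_OperatingSystem).Caption             # e.g. "Microsoft Windows 11 Pro"
    $index   = (Get-WindowsImage -ImagePath $image |
                Where-Object { $edition -like "*$($_.ImageName)" } | Select-Object -First 1).ImageIndex
    if (-not $index) { Write-Warning "No image name matches '$edition'; falling back to index 1."; $index = 1 }
    @("/Source:${kind}:${image}:${index}", '/LimitAccess')
}

$r = Invoke-Dism
if ($r.SourceNeeded -and $IsoPath) {
    Write-Host 'DISM could not find source files (0x800f081f); retrying with the ISO as the source.'
    try     { $r = Invoke-Dism (Get-IsoSourceArgs $IsoPath) }
    finally { Dismount-DiskImage -ImagePath $IsoPath -ErrorAction SilentlyContinue | Out-Null }
}
if (-not $r.Completed) {
    throw "DISM did not repair the component store (exit code $($r.ExitCode)); consider an in-place repair install or restore from backup."
}

# SFC writes UTF-16; without this switch the captured text reads as spaced-out characters and no match fires.
$prev = [Console]::OutputEncoding
[Console]::OutputEncoding = [Text.Encoding]::Unicode
$sfcText = (& sfc.exe /scannow | ForEach-Object { "$_" }) -join "`n"
[Console]::OutputEncoding = $prev
switch -Regex ($sfcText) {
    'did not find any integrity violations' { Write-Host 'SFC: clean.'; break }
    'successfully repaired'                 { Write-Host 'SFC: repairs made; reboot and run sfc /scannow once more.'; break }
    default                                 { Write-Warning 'SFC: unresolved corruption or could not run; see %windir%\Logs\CBS\CBS.log.' }
}
```

The index lookup matters because a multi-edition image silently repairs from the first index if you omit it, and DISM then reports a source mismatch on the next pass; matching the image name against the OS caption picks the right edition without hard-coding a number.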
Next: restore Windows Update controls & stability → see our follow-up guide.
Disclaimers
- This guide assumes a healthy Windows install and UEFI-capable motherboard.
- Firmware menus vary. Names like “CSM,” “Legacy,” “Key Management,” and “Enroll Factory Keys” may differ by vendor.
- Changing storage mode (RAID/IDE⇄AHCI) without driver prep can cause INACCESSIBLE_BOOT_DEVICE. Avoid changing it during this process.
- Test on a non-production machine before rolling out to fleets.