Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Is enabling of Secure Boot and GPT worth the hassle in clean installing Win 10?


  • Please log in to reply
26 replies to this topic

#1 midimusicman79

midimusicman79

  • Members
  • 766 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:09:04 PM

Posted 28 September 2018 - 09:00 AM

Hi all!

 

I have MS Win 10 Pro 64-bit running on an Intel Core i7-6700K 4.0-4.2GHz LGA1151 Boxed/Retail CPU, an ASRock Z170 EXTREME7+ LGA1151 ATX Motherboard, and a SAMSUNG 850 PRO 1TB SSD 2.5" S-ATA, all of which are almost three years old (full specifications here).

 

Currently, I have Secure Boot disabled and use the MBR partition table, but I would like to enable Secure Boot and use the GPT partition table and a discrete, older TPM module.

 

I understand that making such fundamental changes to my computer cannot be done by instantly changing settings, but it involves performing a clean install of Windows 10.

 

On October, 10, I plan to upgrade Windows 10 to the October 10, 2017—KB4041676 (OS Build 15063.674) version with the Media Creation Tool and a 32 GB USB Flash Drive.

 

And hence, my question is as follows;

 

Is enabling of Secure Boot and GPT worth the hassle in clean installing Win 10?

 

Thank you very much in advance!

 

Regards,

midimusicman79


MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


BC AdBot (Login to Remove)

 


#2 mikey11

mikey11

  • Members
  • 1,509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Psychiatric Ward @ Beelitz-Heilstatten Hospital, Beelitz, Germany
  • Local time:09:04 PM

Posted 28 September 2018 - 09:04 AM

 


Is enabling of Secure Boot and GPT worth the hassle in clean installing Win 10?

 

 

 

up to you really,

 

doing a backup and a clean install is not really that difficult or a lot of work.......in my opinion



#3 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 9,023 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:03:04 PM

Posted 28 September 2018 - 09:41 AM

Personally, I'd do both.

 

If I had to pick "only one" then I'd definitely change over to GPT from MBR.  The instructions I wrote up for Doing a Completely Clean Install of Windows 10 give the couple of short and easy steps necessary for doing this.  Of course, that means you need to have all of your user data backed up as well as the collection of application installers (and, perhaps, drivers) you'll be needing as all of those will have to be put back on the "clean slate" you'll be creating.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#4 Chiragroop

Chiragroop

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:04 PM

Posted 28 September 2018 - 11:45 AM

Hi

 

If your computer does support UEFI and GPT, you can convert the disk from MBR to GPT without losing data (make a backup just iin case).

 

These are the instructions: https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt For Windows PE, just ignore that and use the installation disk instead. It also has the MBR2GPT.exe. Don't run it in Windows 10 directly (you can with /allowFullOS but generally things like antiviruses can interfere, etc. It is better to do it in Windows Recovery Environment in the installer). Make sure you turn on UEFI afterwards otherwise your computer will not boot.

 

 

Currently, I have Secure Boot disabled and use the MBR partition table, but I would like to enable Secure Boot and use the GPT partition table and a discrete, older TPM module.

Even with Secure Boot off, it should be using UEFI unless it also automatically turns on CSM. CSM pretends that the UEFI is a BIOS so it can load older legacy OS that doesn't support UEFI. CSM might be labeled as "CSM" "Compatibility Support Module" "Legacy Mode" "Legacy Boot" or something like that. Turn that off and you should have UEFI boot. (In some computers, the firmware automatically turns on CSM when you turn Secure Boot off, so it depends on the motherboard and it's firmware here).

 

Another thing you can (and should do) is update the BIOS. If there are any weird bugs, it should fix it. Windows 8/8.1/10 also use UEFI functionality a lot more than Windows 7 did with BIOS, so updating BIOS can often fix weird issues.

 

Good luck and BACKUP before you do this just in case

-Chiragroop



#5 midimusicman79

midimusicman79
  • Topic Starter

  • Members
  • 766 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:09:04 PM

Posted 29 September 2018 - 09:02 AM

Hi, mikey11, britechguy & Chiragroop!

 

Thank you all for the prompt and insightful replies! :)

 

I have of course already updated my UEFI to the newest version, 7.60. I have made a disk image of my computer with Acronis True Image 2019, and will start WindowsPE from my 32 GB USB Flash Drive, try the MBR2GPT.exe and report back how it goes.

 

Thank you and please bear with me until then... :busy:

 

Regards,

midimusicman79


MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


#6 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 9,023 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:03:04 PM

Posted 29 September 2018 - 09:19 AM

My question now is whether you intend to do a completely clean install, in which case you could do MBR2GPT just before doing so if you wish, but you would still lose your user data because that's part and parcel of doing a completely clean install.   If you're not doing a disk wipe then it's not a completely clean install, but a reset/refresh or similar.

 

If you really want to keep your user data and wish to go to GPT, I'd do the MBR2GPT followed by Doing an In-place "Upgrade" to Reinstall Windows 10 Keeping Apps/Programs and User Files.

NOTE:  You do NOT need to follow the instruction regarding turning off Secure Boot.  It is superfluous.
 
Of course, all the warnings about doing a full system image backup and a separate user data backup prior to doing whatever you end up electing to do still stand.

Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#7 midimusicman79

midimusicman79
  • Topic Starter

  • Members
  • 766 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:09:04 PM

Posted 29 September 2018 - 11:20 AM

Hi again, mikey11, britechguy & Chiragroop!

Thank you for the prompt and insightful replies! :)

I rebooted my computer to my 32 GB USB 3.0 Windows 10 Install Flash Drive, started Command Prompt from X: (WindowsPE), ran the MBR2GPT.exe, first with the parameter /analyze, which reported successfully, and then with the parameter /convert, which also completed successfully.

Then, I rebooted my computer, pressed Delete, went into UEFI, enabled Secure Boot, disabled Compatibility Support Module, saved settings, exited UEFI, rebooted my computer to Windows 10, and checked the C: drive's properties, which successfully reported GUID Partition Table (GPT).

And, as such, I no longer plan to do a complete clean install or reset/refresh or similar, but rather do an in-place upgrade install to upgrade Windows 10 keeping apps/programs and user files.

However; Should I do that now, or should I wait until the 1809 upgrade is available?

Thank you again! :)

Regards,
midimusicman79

Edited by midimusicman79, 29 September 2018 - 11:22 AM.

MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


#8 Chiragroop

Chiragroop

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:04 PM

Posted 29 September 2018 - 11:29 AM

Hi
 

And, as such, I no longer plan to do a complete clean install or reset/refresh or similar, but rather do an in-place upgrade install to upgrade Windows 10 keeping apps/programs and user files.
 
However; Should I do that now, or should I wait until the 1809 upgrade is available?

You don't need to do a repair install, but it usually is a good idea after such drastic configuration changes (which I think is what Brain suggested it).
 
However, updating to the latest build (feature updates) essentially perform a repair install (although this also updates the OS to a newer build), so installing the update is equivalent to repair installing.


Edited by Chiragroop, 29 September 2018 - 11:29 AM.


#9 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 9,023 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:03:04 PM

Posted 29 September 2018 - 12:10 PM

Given my past experience with the early weeks and months (sometimes) of freshly released feature updates, were I you if I were doing an in-place update to reinstall Win10 while keeping my files and apps I would do it using the ISO for whatever version of Windows 10 is currently installed.  I am presuming you are already on Version 1803, and it sounds like you have the 1803 bootable media, so if you wish to do it use that.

 

You will update to Version 1809 when your machine has been added to an update cohort, which could be in the very first days of the new feature update or could be months after that.  Feature update roll out periods are long, and I always suggest that people do not rush them, but let them appear "naturally" as part of the standard Windows Update process.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#10 Chiragroop

Chiragroop

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:04 PM

Posted 29 September 2018 - 12:45 PM

Good suggestion. In that case, @midimusicman79 just proceed with a repair install now.

 

You will update to Version 1809 when your machine has been added to an update cohort, which could be in the very first days of the new feature update or could be months after that.  Feature update roll out periods are long, and I always suggest that people do not rush them, but let them appear "naturally" as part of the standard Windows Update process.

Agreed. The delay in update also gives enough time to fix some of the more serious bugs that would be noticed and fixed by then.

 

-Chiragroop



#11 midimusicman79

midimusicman79
  • Topic Starter

  • Members
  • 766 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:09:04 PM

Posted 30 September 2018 - 09:10 AM

Hi again, britechguy & Chiragroop!
 
Thank you both for the prompt and insightful replies! :)
 
Sorry I did not initially mention this, but yes, I am on Version 1803 (OS-build 17134.320). However, obviously, I will have to re-create the 32 GB USB 3.0 Windows 10 Install Flash Drive with the GPT partition scheme for UEFI, because otherwise, it will not work.
 
The recommendation of MBR2GPT.exe has probably saved me several weeks of time-consuming work of having to clean install Windows 10 and reinstalling applications/programs when the latter was unnecessary.
 
I was able to change the said settings in the successive order even though my computer is three years old, but obviously, the motherboard has these features, so, fortunately, I did not have to buy a new motherboard either.
 
Sorry for making a mistake in Post #1, as it should read October 2018, not 2017, and the KB number, as well as the build number, are referring to an old Windows upgrade version.
 
Regards,
midimusicman79

Edited by midimusicman79, 01 October 2018 - 02:30 AM.

MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


#12 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 9,023 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:03:04 PM

Posted 30 September 2018 - 09:46 AM

If you're not actually using the bootable media to repartition the drive I don't think "MBR vs GPT" really matters for the in-place "upgrade."  I can't swear to this, though.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#13 Chiragroop

Chiragroop

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:04 PM

Posted 30 September 2018 - 11:09 AM

 

Sorry I did not initially mention this, but yes, I am on Version 1803 (OS-build 17134.320). However, obviously, I will have to re-create the 32 GB USB 3.0 Windows 10 Install Flash Drive with the GPT partition scheme for UEFI, because otherwise, it will not work.

Depending on how you created the bootable USB (especially if you use the MediaCreationTool), it can create a USB that boots on *both* BIOS and UEFI based computers. It installs depending on how it booted, but as your disk is already GPT now, it will only install in UEFI mode. Installing in BIOS mode will cause a failure. However, before you continue, what tool did you use to create the bootable USB? If you used Rufus, by default, it only creates a BIOS or UEFI (depending on which setting you used). This was, because according to Rufus's developers, many people mistakenly installed in the wrong mode and realized later. So, to prevent this, Rufus only makes a bootable USB in one of the two modes (unless you press the Alt+E shortcut, which overrides this). You can verify if the USB can boot into UEFI mode by looking for efi folder (in the root, so say G:\efi). If you see a bootmgr file in the root of the drive (say G:\bootmgr), then it can boot into BIOS mode. If you see both, it can boot into either. In this case, your computer should boot into UEFI (as CSM is turned off), but you can make sure by deleting the bootmgr file. You can also just boot into the installer, and go to Command Prompt > regedit and browse to HKLM\System\CurrentControlSet\Control and look for the value of PEFirmwareType . If you see 0x1 then you booted into BIOS mode and if you see 0x2, you have booted into UEFI mode.

 

Note that if your USB only has bootmgr file, you will have to recreate the USB. Although I prefer MediaCreationTool, if you used Rufus, you can either select UEFI boot (recommended as then there is no chance it can boot into BIOS mode) or set it as dualboot by using Alt+E.



#14 Chiragroop

Chiragroop

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:04 PM

Posted 30 September 2018 - 02:03 PM

Scratch that. If you use the MediaCreationTool, you can tell it to "upgrade" which will essentially just do a repair install. (All without a USB). That said, I would still create a USB just in case, but if you don't want to, you can just use MediaCreationTool to perform the repair install.



#15 midimusicman79

midimusicman79
  • Topic Starter

  • Members
  • 766 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:09:04 PM

Posted 01 October 2018 - 09:21 AM

Hi again, britechguy & Chiragroop!
 
Thank you both for the prompt and insightful replies! :)
 
After having used only the Media Creation Tool to create several bootable Windows 10 DVD Install discs for all the Versions including 1709, I changed to use Rufus to create the bootable USB for Version 1803 and selected the MBR partition scheme and the BIOS (or UEFI-CSM) target system.
 
As such, it contains the folders [boot, efi, sources, support] and the files [autorun.inf, bootmgr, bootmgr.efi, setup.exe], which means that it is able to boot both into the MBR and the GPT partition schemes, but I created it with a previous version of Rufus a few months back.
 
So, today, I downloaded the newest portable version of Rufus (3.3.1400), and when I loaded the Windows.iso file into Rufus, it automatically changed settings to the GPT partition scheme and the UEFI (non-CSM) target system, and consequently, I have now recreated the bootable USB.
 
I will now do an in-place upgrade install to upgrade Windows 10 keeping apps/programs and user files, which I also last did a few months back due to another serious issue even regarding a BSOD and my Emsisoft Anti-Malware, which I luckily resolved in the same way.
 
And now, the bootable USB actually still contains the same folders [boot, efi, sources, support] and the same files [autorun.inf, bootmgr, bootmgr.efi, setup.exe], however, now they are all new and updated.
 
Thank you and please bear with me until then (tomorrow, since I BTW am celebrating my birthday today)... :busy:
 
Regards,
midimusicman79

Edited by midimusicman79, 01 October 2018 - 09:58 AM.

MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users