How to convert Windows Server 2022 Standard Boot mode from Legacy to UEFI

Malvern Masiye 20 Reputation points
2026-03-26T16:30:51.2533333+00:00

As you may know, Microsoft is updating the Secure Boot certificates that were originally issued in 2011 to ensure that Windows devices can continue to verify trusted boot software. Because our servers are still operating in Legacy BIOS mode, we must transition them to UEFI boot mode in order to maintain full Secure Boot compatibility. Therefore, we require the correct method for converting a Proxmox Virtual Environment (PVE) virtual machine running Windows Server Standard 2022 from Legacy (SeaBIOS) to UEFI (OVMF). Have you ever completed a similar conversion?

Windows for business | Windows Server | User experience | Other

Answer accepted by question author
  1. Domic Vo 18,955 Reputation points Independent Advisor
    2026-03-26T18:16:44.1633333+00:00

    Hello,

    Moving a Windows Server 2022 VM in Proxmox from Legacy BIOS (SeaBIOS) to UEFI (OVMF) is not a simple toggle, because the boot firmware type is fundamental to how the OS was installed. If the VM was originally installed under SeaBIOS, the disk layout will be MBR-based, and Windows will not boot if you simply switch the VM to OVMF. To make the transition correctly, you need to convert the disk partitioning to GPT and ensure the EFI System Partition exists before changing the VM firmware.

    The supported method is to use Microsoft’s mbr2gpt.exe tool inside the Windows Server 2022 guest. Run it from an elevated command prompt with mbr2gpt /convert /allowFullOS. This will convert the system disk from MBR to GPT and create the EFI System Partition. Once that completes successfully, shut down the VM. In Proxmox, edit the VM configuration (/etc/pve/qemu-server/<VMID>.conf) and change bios: seabios to bios: ovmf. You must also add an EFI disk, for example efidisk0: local-lvm:vm-<VMID>-disk-efi,size=1M. If Secure Boot is required, set machine: q35 and efitype:4m with efidisk0 enabled.

    After that, start the VM. Windows should now boot in UEFI mode. You can confirm by running msinfo32 inside the guest and checking that “BIOS Mode” shows “UEFI.” At this point, Secure Boot can be enabled from the VM’s OVMF settings if required.

    The critical point is that you cannot just flip SeaBIOS to OVMF without preparing the disk. If you do, Windows will fail to boot with error code 0xc000000e. The conversion with mbr2gpt ensures the OS can boot under UEFI.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    Domic Vo.
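
An added example, not part of the answer above: a PowerShell wrapper for the in-guest step that runs `mbr2gpt /validate` before `/convert` and stops on a non-zero exit code, so the VM firmware is only changed after a successful conversion. The `-Convert` switch is a hypothetical parameter of this script, and the explicit `/disk:` argument is an addition to the command quoted in the answer.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the answer). Run inside the guest while it still boots via SeaBIOS.
# -Convert is a hypothetical switch of this script: without it, only validation runs.
param([switch]$Convert)

# Locate the disk Windows boots from and the firmware mode the guest is running in.
$disk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
if (-not $disk) { throw 'Could not identify the boot disk.' }

$firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
Write-Host "Disk $($disk.Number): $($disk.PartitionStyle), firmware: $firmware"

if ($disk.PartitionStyle -eq 'GPT') {
    # Nothing to convert. Under UEFI, report whether Secure Boot is enforced.
    try   { Write-Host "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
    catch { Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)" }
    return
}

# mbr2gpt decides whether the layout is convertible, so validate before touching the disk.
$diskArg = "/disk:$($disk.Number)"
& mbr2gpt.exe /validate $diskArg /allowFullOS
if ($LASTEXITCODE -ne 0) {
    throw "mbr2gpt /validate failed (exit code $LASTEXITCODE); do not change the VM firmware."
}

if (-not $Convert) {
    Write-Host 'Validation passed. Re-run with -Convert to perform the conversion.'
    return
}

& mbr2gpt.exe /convert $diskArg /allowFullOS
if ($LASTEXITCODE -ne 0) {
    throw "mbr2gpt /convert failed (exit code $LASTEXITCODE); keep the VM on SeaBIOS and investigate."
}

Write-Host 'Converted. Shut down the guest, then switch the VM to OVMF and add the EFI disk.'
```

Running the same script again after the first boot under OVMF takes the GPT branch and reports the Secure Boot state.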


1 additional answer

  1. Q&A Assist
    2026-03-26T16:31:16.4+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Windows Server 2022 already supports both Legacy BIOS and UEFI boot. Switching an existing installation from Legacy (SeaBIOS) to UEFI (OVMF) is not done by “just” changing the VM firmware; the disk layout and boot configuration must match UEFI requirements.

    From the provided information, only the following supported and documented aspects apply:

    1. Windows should be installed and booted in UEFI mode to use Secure Boot
      • Windows includes security features that require UEFI-enabled devices and Secure Boot.
      • In general, Windows should be installed using UEFI mode rather than legacy BIOS mode, because UEFI provides more security features than legacy BIOS.
      • After Windows is installed, the device (or VM) boots automatically using the same mode it was installed with.
    2. Switching firmware mode after installation
      • After Windows is installed in one firmware mode, switching to the other mode is not a simple toggle. The system expects the same mode it was installed with.
      • If firmware mode must be changed after installation, the supported approach is to use the MBR2GPT tool (when applicable) to convert the system disk from MBR to GPT and then configure the firmware to boot in UEFI mode.
      • The documentation notes that switching between Legacy BIOS and UEFI is not required for upgrade scenarios, and that changing firmware and file systems can introduce complications. The recommended scenario is to upgrade the system “as is.”
    3. UEFI and Secure Boot requirements
      • Secure Boot requires:
        • UEFI 2.3.1-compliant firmware.
        • UEFI variables set to SecureBoot=1 and SetupMode=0.
        • A properly provisioned UEFI signature database (db, KEK, DBX) with the correct keys so that Windows Boot Manager can be verified.
      • The platform must verify signatures of all images in the boot sequence up to and including the Windows Boot Manager.
      • To use Secure Boot, the VM firmware must be UEFI (OVMF in Proxmox) and must expose the required UEFI interfaces and signature databases.
    4. Practical implications for a Proxmox VM
      Based on the above Windows guidance:
      • A Windows Server 2022 installation that was originally deployed in Legacy BIOS (SeaBIOS) mode will boot in that mode and expects BIOS-style boot.
      • To move to UEFI + Secure Boot, the supported pattern is:
        • Ensure the virtual disk is converted to GPT (using MBR2GPT where supported) and that Windows is configured to boot in UEFI mode.
        • Then configure the VM firmware to UEFI and ensure the UEFI environment provides the required Secure Boot keys and databases.
      • Because changing firmware and disk layout can introduce complications, the recommended and lowest-risk approach from Microsoft’s perspective is typically to deploy or reinstall Windows directly in UEFI mode rather than converting an existing BIOS-mode installation, especially in complex or virtualized environments.
    5. Secure Boot certificate updates
      • Secure Boot relies on certificates stored in KEK and DB to validate the Windows boot loader and other EFI components.
      • Microsoft is updating the original 2011 Secure Boot certificates (KEK and CAs) with 2023 versions to ensure continuity of Secure Boot protection.
      • Devices (including VMs with Secure Boot) must have updated KEK and DB entries so that Windows boot loaders signed by the new CAs continue to validate.
      • For systems where Secure Boot keys are missing or outdated, one documented resolution is to (re)install or reset default Secure Boot keys in firmware so that the correct Microsoft keys are present.

    In summary, Windows Server 2022 supports UEFI and Secure Boot, but a system installed in Legacy BIOS mode will continue to boot that way. To move a Proxmox VM from Legacy (SeaBIOS) to UEFI (OVMF) in a supported manner, Windows must be configured for UEFI boot (typically via GPT and MBR2GPT where applicable), and the UEFI firmware must provide Secure Boot with valid Microsoft keys. Microsoft documentation emphasizes installing and running Windows in UEFI mode for Secure Boot and warns that changing firmware mode and disk layout after installation can be complex; upgrading “as is” is the recommended path when possible.

