Quick Check: UEFI vs Legacy BIOS + Secure Boot (Windows & Linux)

While doing some remote maintenance on several systems that are still running Windows 10, I realized I had a bit of a problem doing updates to Windows 11. Many of these machines were not set up using UEFI and Secure Boot. The issue is, you can do the updates but the system will not boot if it was previously set up using Legacy boot or without Secure Boot. I realize that this article will have very little value to most people but I wanted to document what I’ve learned.

The Problem

I have not made it an urgent priority to upgrade all the End of Life Windows 10 machines to Windows 11. Security patches are no longer being pushed and that is a problem. I am not a fan of Windows, but the reality of my job forces me into a position where I must use it. I do think, in many ways, Windows 11 is better than Windows 10 but you will find a lot of people out there that will strongly disagree. Regardless, Windows 10 is done and in order to minimize risks, I need to get all the machines on a supported operating system.

The Solution

In this process, I stumbled upon more than one machine that was set to use Legacy Boot or did not have Secure Boot enabled. I am not confident that Secure Boot really does anything substantial, but it is a Windows 11 requirement. The end of Legacy boot is totally fine with me. UEFI is most certainly a better boot mechanism. Since I have a remote management system available to me, I can open up a Windows Command Prompt remotely and, before pushing the Windows 11 update, check that I am safe to push Windows 11.

I run this simple command in an elevated Command Prompt (or in something like NinjaRMM) and hit enter. The output of this is exactly what I need:

powershell -NoProfile -Command "Write-Host 'Boot Mode:' $env:firmware_type -ForegroundColor Green; try { Write-Host 'Secure Boot Enabled:' (Confirm-SecureBootUEFI) -ForegroundColor Green } catch { Write-Host 'Secure Boot: Not supported or disabled (likely Legacy BIOS or Secure Boot off)' -ForegroundColor Yellow }"

The result for a system that is ready will show:
Boot Mode: UEFI
Secure Boot Enabled: True

Secure Boot Enabled: False means that I will not be able to remotely push the Windows 11 update. I will have to put my hands on this machine and enable Secure Boot in the BIOS. I know for certain that Boot Mode: Legacy will cause the Windows 11 installation to fail to boot.

Some Fun Extra Knowledge Nuggets

I learned some other fun commands to help navigate the process of a successful update to Windows 11, such as checking for free space. Since I am much more comfortable with the neat terminal Linux ways, I had to find the equivalents for Windows.

Disk Free Space

In Linux this is super easy, just df -h for a human-readable output of free disk space. I couldn’t find a way to get human-readable output in Windows, but I could at least get the free disk space by running this:

wmic logicaldisk get caption,size,freespace

It does output the information nicely, just not in a quick glance readable way:

Caption  FreeSpace    Size
C:       93427142656  254532689920

I appreciate having this information because you need to have at least 18 GB of free space to do the Windows 11 upgrade.

Windows Built In Cleanup

Sometimes, Windows can clean up the filesystem and get rid of cruft on its own. My success has been very limited with this, but it just may work for you.

cleanmgr /sageset:1

This didn’t really clean up much space but it did get me closer to my needed 18 GB of free space.

Removing Directories with Subfolders

In order to get to that magical 18 GB of free space, I had to wipe out some user folders.

rmdir /s "C:\path\to\folder"

rmdir is the command to remove a directory, but adding the /s switch removes the folder, all subfolders, and all files recursively. Super handy; this is basically rm -rf in Linux.

I used this to clean out old user files on the machines located in c:\Users\. But for some machines this wasn’t enough and I learned that Windows does a terrible job of cleaning up Installer files, not just a poor job but absolutely terrible, hoarding many, many Gigs of data taking up space. This is located at c:\Windows\Installer.

It was a bit trickier to remove this cruft. I could not do it remotely through the RMM tool; I had to be at the machine with an Administrator Command Prompt open. In short, these were the steps I used to get rid of some 30 to 40 GB of digital waste:

First, stop the Windows Installer Service

net stop msiserver

Next, take ownership of the directory and its contents because, for some strange reason, even as a local administrator, the OS will not let you remove the digital cruft out of the Installer folder.

takeown /F "C:\Windows\Installer" /R /D Y

This is much like chown in Linux: it takes ownership of the folder and all contents (changes owner to your admin account).

Next, run the Integrity Control Access Control Lists command, the modern built-in Windows command-line tool for viewing and modifying NTFS permissions (Access Control Lists / ACLs) on files and folders.

icacls "C:\Windows\Installer" /grant Administrators:F /T /C /Q

This gives the Administrators group Full Control permissions of the files.

For reference, here are the definitions of the switches used above:
/R = recursive (all subfolders/files)
/D Y = answer Yes to all prompts
/T = apply to all files/subfolders
/C = continue on errors, which means continue processing even if it hits some files with errors (e.g., locked files). Error messages will still show, but it won’t stop completely.
/Q = Quiet – Suppress success messages. Only show errors to make the output cleaner

Then I could proceed with deleting all the files in that Installer folder.

By cleaning out the large numbers of installer files, I was then able to successfully install Windows 11 on the various machines that were able, remotely, from my home office. Really quite fantastic.

Linux Bootmode

I realize most of this was Windows-centric, not very Linuxy, so I wanted to also provide a little bash script for determining if you are running UEFI or Legacy and if Secure Boot is enabled. This also has the bonus of showing how to install mokutil for at least four families of Linux distributions.

Using nano, create a file called bootmode:

nano bootmode

Then copy and paste this:

#!/usr/bin/env bash
# bootmode: report the firmware type and the Secure Boot state

echo "=== Boot Mode ==="
# /sys/firmware/efi only exists when the kernel was booted through UEFI
[ -d /sys/firmware/efi ] && echo "Firmware Type: UEFI" || echo "Firmware Type: Legacy BIOS"

echo -e "\n=== Secure Boot Status ==="
if command -v mokutil >/dev/null 2>&1; then
    sudo mokutil --sb-state
else
    echo "mokutil is not installed."
    echo "Install it with one of the following commands:"

    # Suggest the install command for whichever package manager is present
    if command -v apt >/dev/null 2>&1; then
        echo "  sudo apt install mokutil      # Ubuntu / Debian"
    elif command -v dnf >/dev/null 2>&1; then
        echo "  sudo dnf install mokutil      # Fedora / RHEL"
    elif command -v zypper >/dev/null 2>&1; then
        echo "  sudo zypper install mokutil   # openSUSE Leap / Tumbleweed"
    elif command -v pacman >/dev/null 2>&1; then
        echo "  sudo pacman -S mokutil        # Arch / Manjaro"
    else
        echo "  Your distro is not detected. Search for 'mokutil' in your package manager."
    fi
fi

Save that in your ~/bin folder and run chmod +x bootmode.

When you run it, you will get an output, something like this:

=== Boot Mode ===
Firmware Type: UEFI

=== Secure Boot Status ===
SecureBoot disabled

Incredibly exciting, eh?
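
A variant of the same check that does not depend on mokutil, added here as an example and not part of the original script: it reads the SecureBoot and SetupMode EFI variables straight from efivarfs, where each file is a 4-byte attribute header followed by the value byte. The optional sysfs-root argument and the output strings (legacy, uefi:enabled, and so on) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: firmware type and Secure Boot state read from sysfs only.
# The optional first argument (an alternate sysfs root) is an assumption of
# this example so the function can be exercised against a constructed tree.

# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the value of a one-byte EFI variable as a decimal number.
# efivarfs prefixes every variable with 4 attribute bytes, so skip them.
efi_var_byte() {
    local file="$1"
    [ -r "$file" ] || return 1
    od -An -tu1 -j4 -N1 "$file" 2>/dev/null | tr -d ' \n'
}

# Print one of:
#   legacy | uefi:enabled | uefi:disabled | uefi:setup-mode | uefi:unknown
boot_state() {
    local root="${1:-/sys}"
    local efi="$root/firmware/efi"
    local sb sm

    # Same test as the script above: no efi directory means Legacy BIOS/CSM.
    [ -d "$efi" ] || { echo "legacy"; return 0; }

    sb=$(efi_var_byte "$efi/efivars/SecureBoot-$EFI_GLOBAL_GUID") || sb=""
    sm=$(efi_var_byte "$efi/efivars/SetupMode-$EFI_GLOBAL_GUID") || sm=""

    if [ "$sb" = "1" ]; then
        echo "uefi:enabled"
    elif [ "$sm" = "1" ]; then
        # Setup Mode: no Platform Key is enrolled, so nothing is enforced.
        echo "uefi:setup-mode"
    elif [ "$sb" = "0" ]; then
        echo "uefi:disabled"
    else
        # Variable missing or unreadable, e.g. efivarfs is not mounted.
        echo "uefi:unknown"
    fi
}

# Report on the running system (or on the sysfs root given as argument).
boot_state "$@"
```

Because the result is a single token, it is easy to collect from many machines over SSH and compare.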

Final Thoughts

The Windows command line is decent. I don’t think it’s great but it certainly does the necessary job. It was fun to learn how to do these Linux-y like things but with Windows and get around the various hurdles in accomplishing this upgrade task. Not sure how useful this will be in the long term but this was useful for the week I needed it. Rather than just let this die in my personal Obsidian notebook, I thought I would share the knowledge so you can ignore it too!
