When it comes to installing Windows 10, one can use the Media Creation Tool from Microsoft to create a USB install medium. This stick natively supports Secure Boot in combination with UEFI.
If one wants to slipstream the install in order to pre-patch Windows updates, change settings and/or add software, one will use NT Lite to create a new ISO and use something like RUFUS to burn that ISO onto the USB stick.
I've done this in the past, but with the recent Windows 10 20H2, when I use Rufus, it tells me that Secure Boot won't work and that it has to be disabled before booting, and can be enabled after the install is done.
Given that it worked in the past, is there a way to get secure boot working so I can always install my modified Windows 10 installer with Secure Boot and UEFI enabled?
3 Answers
While OP has already found a solution, I use this answer space to add some more options.
Option 1 – Split the WIM file.
The WIM file is the format where slipstreaming is possible; .ESD conversion to .WIM and then adding your own drivers/packages etc. in it is likely to make the Windows 10 install.WIM bigger than 4GB.
Using the DISM command (readily available in Windows 10), split the .WIM file into .SWM files each sized, say, 3 GB. Delete the original WIM from the extracted source and, using the OSCDIMG.exe command (part of the Windows 10 ADK), rebuild the ISO using the source that now includes the sequenced SWM files and other Windows 10 source files. Rufus will now allow you to use a FAT32 partition, as no file inside the ISO is bigger than 4 GB any more. The Windows 10 installer will automatically detect the sequenced SWMs and smoothly run and install while Secure Boot is enabled, as it uses the original Windows 10 bootloader. Unlike WIM to ESD conversion, splitting the WIM is pretty quick.
Dism /Split-Image /ImageFile:C:\install.wim /SWMFile:C:\install.swm /FileSize:3000
oscdimg -LTest -m -u2 -bootdata:2#p0,e,bC:\src\boot\etfsboot.com#pEF,e,bC:\src\efi\microsoft\boot\efisys.bin C:\src C:\Slipstremed.iso
The above oscdimg command creates a Legacy + UEFI bootable ISO. The Windows 10 source files are at C:\src and C:\Slipstremed.iso is the new ISO file created.
Option 2 – Sign the Rufus Bootloader & NTFS driver.
When Rufus creates a UEFI bootable NTFS formatted Windows 10 pen drive installer, it creates a small 512KB FAT partition at the end of the pen drive and loads it with its own bootloader & NTFS driver, which is not signed (by Microsoft), hence Rufus informs you to disable Secure Boot for the installation.
You can use that pen drive for a Windows 10 install with Secure Boot ON on a UEFI computer, provided the UEFI Firmware Setup on the target computer allows user-level Secure Boot db key management. Many UEFI implementations simply do not allow this, or do not feel it necessary to offer it. However, this is how it will work in principle. This assumes the target PC is using the x64 architecture.
On a working Windows 10 computer, run PowerShell with Admin privileges and create a self-signed certificate for Code Signing:
New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=Test, O=TestCorp, C=US" -KeyUsage DigitalSignature -FriendlyName "MyCert" -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(5)
Access the same in the certificate store and export it with its private key to a password-protected PFX file. Export its public key to a DER-encoded X509 .CER file as well as a Base64-encoded X509 .CER file.
Access the Secure Boot variables in user mode in Firmware setup and push the CER file into the db key. Check which of the two formats is acceptable in db.
Use Signtool.exe (Part of Windows 10 SDK) to sign the respective Rufus Bootloader and NTFS driver using the PFX file.
signtool sign /tr <timestamp-server-url> /td sha256 /fd sha256 /f "C:\mycert.pfx" /p <password> "K:\EFI\Boot\bootx64.efi"
Run the same command for K:\EFI\Rufus\ntfs_x64.efi as well. K: is the pen drive's drive letter, for example.
Boot using Rufus created NTFS formatted pen drive on target computer with Secure Boot ON.
Option 3 – Check if your UEFI Firmware on Target Computer indeed supports NTFS booting.
If so, just extract the ISO onto an NTFS formatted pen drive and boot through it with Secure Boot ON. Some UEFI Firmware implementations do support NTFS. My MSI B450 Chipset based board with AMI UEFI Firmware does indeed support NTFS booting. I do not even need Rufus for installing Windows 10 in UEFI Mode.
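Option 2 above, as an added PowerShell example that is not part of this answer: it creates the certificate with the same parameters the answer gives, exports the PFX and both CER encodings, signs the two Rufus files with signtool, and then checks that each file really carries a signature from that certificate. Assumptions not taken from the answer: the Rufus stick is K:, the exports go to C:\mycert.*, signtool.exe from the Windows 10 SDK is on PATH, and the shell is an elevated PowerShell. The Test-CertInSecureBootDb function at the end is my own addition for the target PC: after you have enrolled the .cer into db through the firmware setup, it reports whether the DER bytes of that certificate appear in the db variable, which is the only thing the firmware will consult when the stick boots.

```powershell
# Added example (not the answer's own code). Assumptions: stick is K:,
# exports land in C:\mycert.*, signtool.exe is on PATH, elevated PowerShell.
$driveLetter = 'K:'
$pfxPath     = 'C:\mycert.pfx'
$cerDerPath  = 'C:\mycert.cer'          # DER-encoded public key, for db enrolment
$cerB64Path  = 'C:\mycert-base64.cer'   # Base64 variant, in case the firmware wants that
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Self-signed code-signing certificate, same parameters as in the answer.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Test, O=TestCorp, C=US' -KeyUsage DigitalSignature `
    -FriendlyName 'MyCert' -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(5)

# 2. Export the private key (password-protected PFX) and the public key
#    in both encodings the answer mentions.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerDerPath -Type CERT        | Out-Null
certutil -encode $cerDerPath $cerB64Path | Out-Null

# 3. Sign the two files Rufus put on the stick. UEFI checks only the
#    Authenticode signature against db, so the timestamp (/tr) is left out here.
$targets = @("$driveLetter\EFI\Boot\bootx64.efi", "$driveLetter\EFI\Rufus\ntfs_x64.efi")
$plain   = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
foreach ($file in $targets) {
    & signtool sign /fd sha256 /f $pfxPath /p $plain $file
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $file" }
}

# 4. Verify: each file must now be signed by exactly this certificate.
#    Status will read UnknownError because Windows itself does not trust a
#    self-signed cert; the thumbprint match is the check that matters for db.
foreach ($file in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    $ok  = $sig.SignerCertificate -and ($sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint)
    '{0,-40} {1}' -f $file, $(if ($ok) { 'signed by MyCert' } else { 'NOT signed by MyCert' })
}

# 5. Added check for the target PC (run there as Administrator, after enrolling
#    the .cer in the firmware): is our DER certificate present in the db variable?
#    db is a sequence of EFI_SIGNATURE_LISTs whose X.509 entries embed the raw DER
#    certificate, so a plain byte search for the exported file is sufficient.
function Test-CertInSecureBootDb([string]$DerCerPath) {
    $needle   = [System.IO.File]::ReadAllBytes($DerCerPath)
    $haystack = (Get-SecureBootUEFI -Name db).Bytes
    for ($i = 0; $i -le $haystack.Length - $needle.Length; $i++) {
        $j = 0
        while ($j -lt $needle.Length -and $haystack[$i + $j] -eq $needle[$j]) { $j++ }
        if ($j -eq $needle.Length) { return $true }
    }
    return $false
}
# Example: on the target PC, with the .cer copied to the same path
#   Confirm-SecureBootUEFI                 # True when Secure Boot is on
#   Test-CertInSecureBootDb $cerDerPath    # True once the key is enrolled
```

The signing key never needs to leave the PFX after step 3; only the .cer goes into the firmware. If Test-CertInSecureBootDb returns False after enrolment, try the other encoding of the .cer, which is the "check which of the two formats is acceptable" step in the answer.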
I finally found out what my problem is and decided this is information that should be easily searchable, so it goes up on SuperUser.
In order to be able to boot a Windows 10 install USB stick on a UEFI with Secure Boot environment, the stick must be using the GPT partition scheme AND must be formatted using FAT32. If this is true, the stick will work.
FAT32 comes with a big limitation however. Any file larger than 4GB is not supported on FAT32. If your slipstreamed stick has a file that is larger than 4GB, RUFUS automatically detects this and removes FAT32 from the possible options and defaults to NTFS. GPT+NTFS does not allow for Secure Boot, so this is not going to work.
When you use NTLite to create an install medium, the first step is to convert the ESD to the WIM format, and the install.wim generated by NTLite is going to be big. In my case, the install.wim for Windows 10 20H4 was 6GB, and thus is not supported by FAT32.
The solution to my problem was to not keep it in the WIM format, but convert it back to ESD in the last step in NTLite. The building of the ISO took considerably longer, but the install.esd file was now 3,5GB. Small enough to be on a FAT32 filesystem, and as such RUFUS correctly detected GPT+FAT32.
So... TL;DR: Make sure that you convert back to ESD in NTLite, then RUFUS will allow you to choose GPT+FAT32.
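The FAT32 limit that this answer and Option 1 of the first answer both run into, as an added PowerShell example that is not code from either answer: it scans an extracted install source for files FAT32 cannot hold (anything over 4,294,967,295 bytes), reports them, and when the only offender is install.wim splits it with DISM exactly as Option 1 describes and re-checks, so you know before running Rufus whether GPT+FAT32 will be offered. Assumptions: the ISO has been extracted to C:\src, dism.exe is available (it ships with Windows 10), and the function names are my own.

```powershell
# Added example (not from either answer). Assumes the ISO is extracted to
# C:\src and dism.exe is available; function names are mine.
$Fat32MaxFileBytes = 4GB - 1   # 4,294,967,295 bytes: largest file FAT32 can hold

function Get-Fat32OversizedFile([string]$SourceRoot) {
    # Every file Rufus would refuse to place on a FAT32 partition.
    Get-ChildItem -Path $SourceRoot -Recurse -File |
        Where-Object { $_.Length -gt $Fat32MaxFileBytes } |
        Select-Object FullName, @{ n = 'SizeGB'; e = { [math]::Round($_.Length / 1GB, 2) } }
}

function Split-InstallWim([string]$SourceRoot, [int]$PartSizeMB = 3000) {
    # Option 1 of the first answer: install.wim -> install.swm, install2.swm, ...
    # each under the FAT32 limit, then drop the original WIM from the source.
    $wim = Join-Path $SourceRoot 'sources\install.wim'
    if (-not (Test-Path $wim)) {
        throw "No install.wim under $SourceRoot (already converted back to .esd?)"
    }
    $swm = Join-Path $SourceRoot 'sources\install.swm'
    & dism.exe /Split-Image "/ImageFile:$wim" "/SWMFile:$swm" "/FileSize:$PartSizeMB"
    if ($LASTEXITCODE -ne 0) { throw "DISM split failed with exit code $LASTEXITCODE" }
    Remove-Item $wim
    Get-ChildItem (Join-Path $SourceRoot 'sources') -Filter 'install*.swm'
}

# --- usage ---
$source = 'C:\src'
$tooBig = @(Get-Fat32OversizedFile $source)
if ($tooBig.Count -eq 0) {
    "All files fit FAT32: Rufus will offer GPT + FAT32, which boots with Secure Boot on."
} else {
    "Files over the FAT32 limit (Rufus falls back to NTFS, which needs Secure Boot off):"
    $tooBig | Format-Table -AutoSize
    $onlyWim = ($tooBig.Count -eq 1) -and ($tooBig[0].FullName -like '*\sources\install.wim')
    if ($onlyWim) {
        Split-InstallWim $source |
            Select-Object Name, @{ n = 'SizeGB'; e = { [math]::Round($_.Length / 1GB, 2) } }
        # Re-check: after the split nothing in the source may exceed the limit.
        if (@(Get-Fat32OversizedFile $source).Count -eq 0) {
            "Source is now FAT32-clean; rebuild the ISO with oscdimg and let Rufus pick GPT + FAT32."
        }
    }
}
```

Running the check before NTLite's final build tells you which of the two fixes applies: converting back to ESD as this answer does, or splitting the WIM as the first answer does. Either way the goal is the same, no single file over the FAT32 limit, so the stick can stay on the Microsoft-signed bootloader.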
Did you try making an Easy2Boot multiboot USB drive and copying all your ISOs over to it? If you add the agFM UEFI boot files when prompted, you should be able to secure UEFI64-boot from the 2nd FAT32 partition and then install from any ISO on the first partition.