Create bootable USB with UEFI Secure Boot

In an earlier article, I explained how to download any version of Windows and create a bootable USB to install it. I also walked you through the steps of how to actually boot from the USB drive. However, the USB drive created by Rufus does not support Secure Boot. Here’s an alternative way to create bootable USB with UEFI Secure Boot enabled.

What is Secure Boot?

Secure Boot is a feature of the UEFI specification supported in Windows 8 and later. The UEFI spec defines the interface between the operating system and the platform firmware. With Secure Boot on, the firmware checks the digital signature of every boot loader or driver before loading it and refuses anything unsigned or signed with a key it does not trust. That protects against early-loading malware (bootkits) that infects the system firmware or runs before the operating system boots.

Limitations of Windows 10 Media Creation Tool

The Windows 10 Media Creation Tool will create a USB drive that you can boot from even when Secure Boot is enabled in the UEFI. But the problem is that this tool only supports Home and Pro editions of Windows 10. If you are using Windows 10 Enterprise or Education editions, you will have to use another method.

Limitation: many PCs cannot boot from an NTFS partition on USB

Another problem is that many PCs can only boot from USB if the primary partition on the GPT disk is FAT or FAT32. The UEFI specification only requires firmware to include a FAT driver, so if you make a bootable USB drive with only NTFS or exFAT, the UEFI/BIOS environments of many PCs are unable to see those partitions and boot from them. Rufus gets around this issue by creating a separate, smaller FAT partition to boot from and a bigger NTFS partition which contains the Windows 10 Setup files. But Rufus does not support Secure Boot.

Limitations of FAT/FAT32 file systems

So why not use FAT32 alone on the bootable USB drive, you may wonder. The problem you face if FAT32 is the only file system on a single partition is that FAT32 does not support files larger than 4 GB. Windows 10’s Setup files contain install.wim or install.esd, and for 64-bit versions this file is much larger than 4 GB these days. In fact, the install.wim for Windows 10 Enterprise, Version 21H1 is 4.45 GB.

If you have a customized install.wim captured from your own PC using DISM, it may be even larger. FAT32 also has a disk partition limit of 32 GB if formatted from Windows File Explorer or Disk Management. Your customized Windows install.wim image may be even larger than 32 GB if it contains lots of apps.

Creating a bootable USB drive with UEFI Secure Boot and overcoming these limitations

The solution is to use the built-in Windows tools to create the bootable USB drive. Windows contains diskpart.exe, a command-line disk partition management tool, which is much more powerful and capable than its GUI counterpart, Disk Management. Let’s see how to create a bootable USB with UEFI Secure Boot and none of the above limitations.

Note: This will erase everything from the USB drive so back up any data on it first somewhere else.

Download the ISO

First, download the ISO of Windows 10 from Microsoft. Then double click the ISO to mount it, or right click the ISO, choose Open with and pick Windows Explorer. Windows will mount the ISO as a drive letter. Note this drive letter.

Diskpart for listing and carefully deleting all partitions

Next, connect the USB drive and type Diskpart into Start search or the Run dialog (Win + R). Confirm the UAC prompt by clicking Yes, so that Diskpart will start.

Once you see the blinking cursor in Diskpart, type:

list disk

…and press Enter. Diskpart will list all the connected disks on your PC.

Diskpart is one method to create bootable USB with Secure Boot

Note the disk which is your USB flash drive by observing its capacity (size). The internal disks will be much larger. For example, Disk 3 is my 64 GB USB flash drive in this example image from my PC (listed as 57 GB).

Next, type:

select disk 3

…and press Enter. Substitute 3 with the appropriate number for your USB drive. Don’t select the wrong disk at this stage. Diskpart will give a message that it selected the disk. Now, to delete all partitions on it so you can create fresh partitions properly, type:

clean

…and press Enter.

If File Explorer automatically opens at this stage, click Cancel.

File Explorer shows this dialog when diskpart hasn't created partitions on it

The clean command will delete all partitions on the drive destroying all data too.

Diskpart to create and format FAT32 partition

Now we need to create a FAT32 partition to boot from, of just the correct size to hold the files required to start Windows 10 setup without wasting too much disk space on the USB drive. This is because the other partition needs to contain bigger files. Type the command:

create partition primary size=700

…and press Enter. This creates a partition of 700 MB size. Diskpart will give a message that it succeeded in creating the partition. Now type:

format fs=fat32 quick

…and press Enter. After the volume is formatted as FAT32, Windows File Explorer may open again depending on your AutoPlay setting. Close it again or ignore any Autoplay prompts.

Diskpart lets you create bootable USB with Secure Boot

Diskpart to create NTFS partition

Next, type the following command (this is for the NTFS partition containing large Windows 10 setup files):

create partition primary

…and press Enter. If you don’t specify a size, all the available space will be used to create the larger partition.

Formatting NTFS partition

Windows File Explorer may ask you to format it. Click Format disk.

Format a disk prompt in File Explorer

In the next dialog box that comes up, choose NTFS as the File system and Allocation unit size as 512 bytes. Allocation unit size can be left as Default but the smaller the allocation unit size, the less space will be wasted on the drive for smaller files. Make sure Quick Format is checked and click Start inside the Format dialog.

Accept the warning that formatting will erase all data by clicking OK. Then click OK in the Format complete dialog. Close File Explorer.

Format dialog in Windows

Note: If Explorer doesn’t open automatically and ask you to format the big partition after typing create partition primary, don’t worry. You can format it from Diskpart itself by typing this single command:

format fs=ntfs quick

Now you can close Diskpart with the red ❌ close button or by typing Exit.

Copying Windows 10 Setup files to FAT32 partition

Open File Explorer and from the left pane of Explorer, go to the drive which has Windows 10 Setup files (the one whose ISO you mounted earlier).

Select all items (all folders and files) by pressing Ctrl+A and then exclude the Sources folder by holding down the Ctrl key on the keyboard and left clicking Sources. Right click the selected items and click Copy. Now go to the drive letter of the small partition on your USB drive (FAT32) and Paste the files there (right click in an empty area and choose Paste). Windows will start copying files to the USB using File Explorer. Let it finish.

Which files you need to copy where to create bootable USB with Secure Boot

Copying Windows 10 Setup files to NTFS partition

Once it is finished copying, go back to the Windows Setup files on the ISO drive letter you mounted. Right click the Sources folder and select Copy. Now go to the drive letter of the big partition on your USB drive (NTFS) and Paste the Sources folder there. Windows will start copying files to the USB using File Explorer. Let it finish. This may take longer since the Sources folder contains install.wim or install.esd which is the Windows 10 disk image used for installing Windows.

Moving Boot.wim to FAT32 partition

Once all the files are copied, go inside the Sources folder on the USB and locate the file Boot.wim. Right click Boot.wim and select Cut. Go back to the smaller FAT32 partition of 700 MB. Create a new folder there called Sources, go inside it and then paste Boot.wim there inside the empty folder.

The reason is that boot.wim is the disk image containing the files to start Windows 10 Setup (the Windows PE environment). Therefore it needs to be on the FAT32 partition along with the EFI and Boot folders, Bootmgr, bootmgr.efi and the other files that the firmware-loaded boot manager reads.

That’s it, you are done splitting the Windows 10 setup files across 2 partitions on the USB drive.
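The whole procedure above, from `clean` to moving Boot.wim, can be scripted so it is repeatable (and so the "don't select the wrong disk" step is enforced rather than hoped for). The following PowerShell script is an added example, not code from the original article or from Winaero; it assumes the ISO is already mounted at the drive letter you pass in `-IsoDrive`, that the USB stick is the disk number you pass in `-DiskNumber`, that drive letters F and U are free (change `$BootLetter` and `$DataLetter` otherwise), and it adds a `convert gpt` line the article performs implicitly. It must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): automates the diskpart and
# file-copy steps. Assumptions: ISO mounted at $IsoDrive (e.g. "E:"), USB
# stick is disk $DiskNumber (from "list disk"), robocopy.exe is available
# (it ships with Windows), and letters F: and U: are unused on this PC.
param(
    [Parameter(Mandatory)][int]$DiskNumber,
    [Parameter(Mandatory)][string]$IsoDrive,
    [int]$BootPartitionMB = 700
)
$ErrorActionPreference = 'Stop'
$BootLetter = 'F'   # FAT32 partition the firmware boots from (assumed letter)
$DataLetter = 'U'   # NTFS partition holding the large Sources folder (assumed)

# diskpart needs administrator rights; fail early rather than half-way.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# Safety check: "clean" destroys every partition on the selected disk, so
# refuse to touch anything that is not attached over USB, and ask once more.
$disk = Get-Disk -Number $DiskNumber
if ($disk.BusType -ne 'USB') {
    throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB. Refusing to clean it."
}
$sizeGB = [math]::Round($disk.Size / 1GB)
Write-Host "About to ERASE disk $DiskNumber ($($disk.FriendlyName), $sizeGB GB)."
if ((Read-Host 'Type YES to continue') -ne 'YES') { exit 1 }

# Same commands as the article, fed to diskpart via a script file.
# "convert gpt" is added here so the layout matches the GPT disk the article
# describes; the remaining lines mirror the interactive steps one for one.
$dpScript = @"
select disk $DiskNumber
clean
convert gpt
create partition primary size=$BootPartitionMB
format fs=fat32 quick label="BOOT"
assign letter=$BootLetter
create partition primary
format fs=ntfs quick label="SETUP"
assign letter=$DataLetter
exit
"@
$dpFile = Join-Path $env:TEMP 'usb-secureboot-diskpart.txt'
Set-Content -Path $dpFile -Value $dpScript -Encoding ASCII
diskpart.exe /s $dpFile | Out-Host
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Step 1: everything except Sources\ goes to the FAT32 boot partition.
# robocopy /E copies all subfolders; /XD excludes directories by name.
# robocopy exit codes below 8 mean success (0 = nothing to do, 1 = copied).
robocopy "$IsoDrive\" "${BootLetter}:\" /E /XD sources /NFL /NDL /NJH /NJS
if ($LASTEXITCODE -ge 8) { throw "robocopy (boot files) failed: $LASTEXITCODE" }

# Step 2: Sources\ (with the >4 GB install.wim/install.esd) goes to NTFS.
robocopy "$IsoDrive\sources" "${DataLetter}:\sources" /E /NFL /NDL /NJH /NJS
if ($LASTEXITCODE -ge 8) { throw "robocopy (sources) failed: $LASTEXITCODE" }

# Step 3: boot.wim (Windows PE for Setup) must sit next to bootmgr/EFI on the
# FAT32 partition, because that is the only partition the firmware reads.
New-Item -ItemType Directory -Path "${BootLetter}:\sources" -Force | Out-Null
Move-Item -Path "${DataLetter}:\sources\boot.wim" -Destination "${BootLetter}:\sources\boot.wim"

Write-Host "Done. Boot partition: ${BootLetter}:  Setup partition: ${DataLetter}:"
```

Run it as, for example, `.\Make-SecureBootUsb.ps1 -DiskNumber 3 -IsoDrive E:`. The `BusType -ne 'USB'` check is the one line worth keeping even if you type the diskpart commands by hand: it is the scripted equivalent of reading the capacity column carefully before `select disk`.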

You just learned how to create a bootable USB with UEFI Secure Boot. Now you can boot from it without disabling Secure Boot.
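Before relying on the stick, it is worth confirming the two things Secure Boot actually depends on: that the EFI boot loader copied to the FAT32 partition carries a valid Authenticode signature (an unsigned or tampered bootx64.efi is exactly what Secure Boot refuses to start), and that the files landed on the right partitions. The following check is an added example, not part of the original article; it assumes the FAT32 partition is `F:` and the NTFS partition is `U:`, and the `Confirm-SecureBootUEFI` call needs an elevated prompt on a UEFI machine.

```powershell
# Added example (not from the original article). Assumed drive letters:
# F: = FAT32 boot partition, U: = NTFS partition with the Sources folder.
$BootLetter = 'F'
$DataLetter = 'U'

# 1. Signature check on the files the firmware loads. On a 64-bit PC the
#    firmware starts EFI\Boot\bootx64.efi from the FAT32 partition; Secure
#    Boot only allows it if its Authenticode signature chains to a
#    certificate in the firmware's trusted db (Microsoft's CA on stock PCs).
$bootFiles = @(
    "${BootLetter}:\EFI\Boot\bootx64.efi",
    "${BootLetter}:\bootmgr.efi"
)
foreach ($f in $bootFiles) {
    if (-not (Test-Path $f)) { Write-Warning "Missing: $f"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $f
    '{0,-14} {1,-12} {2}' -f (Split-Path $f -Leaf), $sig.Status, $sig.SignerCertificate.Subject
    if ($sig.Status -ne 'Valid') { Write-Warning "$f is not validly signed; Secure Boot will reject it." }
}

# 2. Layout check: boot.wim on FAT32, install.wim/install.esd on NTFS,
#    and nothing over 4 GB left on the FAT32 side.
$layoutOk = $true
if (-not (Test-Path "${BootLetter}:\sources\boot.wim")) {
    Write-Warning 'boot.wim is not on the FAT32 partition; Setup will not start.'; $layoutOk = $false
}
if (-not (Get-ChildItem "${DataLetter}:\sources" -Filter 'install.*' -ErrorAction SilentlyContinue)) {
    Write-Warning 'No install.wim/install.esd found on the NTFS partition.'; $layoutOk = $false
}
$tooBig = Get-ChildItem "${BootLetter}:\" -Recurse -File | Where-Object Length -ge 4GB
if ($tooBig) { Write-Warning "Files over 4 GB on FAT32: $($tooBig.FullName -join ', ')"; $layoutOk = $false }
"Layout OK: $layoutOk"

# 3. On the PC you intend to boot, confirm Secure Boot is really enabled.
#    Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems, so catch that.
try   { "Secure Boot enabled on this PC: $(Confirm-SecureBootUEFI)" }
catch { Write-Warning "Secure Boot state could not be read: $($_.Exception.Message)" }
```

If `Get-AuthenticodeSignature` reports anything other than `Valid` for bootx64.efi, the USB drive has been built from a modified or corrupted ISO and should not be expected to boot with Secure Boot on; rebuild it from a freshly downloaded Microsoft ISO rather than disabling Secure Boot to work around it.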

Use Windows install USB disk to repair your computer

The disk you created can also be used to access the Windows Recovery Environment by choosing Repair your computer once you boot from it. Unlike the Recovery environment on your internal disk, it does not need logging in to your user account to perform basic troubleshooting and repair tasks from a command prompt.


Keeping the USB drive updated with future versions of Windows

Several new versions of Windows will be released after you create this USB disk. But you don’t need to format your USB drive over and over again now that it is bootable, or use any tool that repeatedly formats it. Assuming that the layout of Windows 10 setup files stays the same over the next many releases, you can simply copy the newer files over the older ones, keeping the same split between the two partitions: everything except Sources, plus Sources\boot.wim, on the FAT32 partition, and the rest of Sources on the NTFS partition.

Installing Windows 10 from the USB drive from within Windows

If you wish to start Windows 10 Setup from an existing installation of Windows using this USB drive, you will need to combine the contents of both partitions on the USB drive into a single folder on your PC. That is, copy the contents of both partitions into one folder before starting Setup.exe from there.

Credits for this excellent guide go to Winaero.com.

This guide to creating a bootable USB with Secure Boot will not work for pre-UEFI PCs. For PCs which use BIOS/MBR, or UEFI with the Compatibility Support Module enabled, the method is different, as Secure Boot is not possible without UEFI. That method also involves using Bootsect.exe to make the USB bootable, and the disk partitions must be MBR-compatible. However, as of 2021, all PCs ship with UEFI only.
