You may want to install Windows Server 2016 directly on a fully UEFI-enabled system so that you can enforce Secure Boot and make use of features such as Device Guard (Credential Guard), Hyper-V isolation and TPM virtual smart cards.
To have Secure Boot propagated all the way up to a fully booted operating system, you have to do a clean install with all the UEFI support enabled (I have already covered some of it in a previous post about Secure Boot in Windows 10). On my current platform it does not work even if I leave only the CSM (compatibility support mode) enabled, so what I need is a fully UEFI and Secure Boot enabled installation media, which was not required in my previous trials with older hardware and Windows 10. I plan to install from a USB flash drive. As it turns out, there are some challenges though.
Requirements and challenges
Go into your BIOS (now called UEFI) and make sure you have:
- CSM (compatibility support mode) disabled - this prevents booting anything other than a correctly digitally signed UEFI Secure Boot operating system, in our case the Windows 2016 setup from the installation media.
- all legacy OpROMs disabled
- Administrator password for entering the BIOS enforced - without an admin password Secure Boot does not work
- Secure Boot enabled
The installation media based on USB pen flash drive must meet the following criteria:
- be GPT (GUID partition table) formatted - we cannot use the MBR style disk format, UEFI requires the newer format called GPT
- have a single partition formatted with FAT32 - unless you are extremely lucky, you cannot use NTFS. The UEFI BIOS needs to be able to read the contents of the partition and, logically enough, it understands FAT32 only. You cannot create more partitions on the USB flash drive, because it is advertised to the operating system as removable media, which prevents you from creating more than a single partition. Some USB flash drives may have the option to flip the "removable bit" (also called RMB), but it is always kind of a hack for hours of fun during long winter nights.
And here comes the problem. The Windows 2016 installation contains an INSTALL.WIM file in the sources folder which is more than 4.3 GB long. Unfortunately the FAT32 file system can accommodate files of size up to 4 GB only. So you cannot put such a big file on FAT32, and you cannot use NTFS for the source partition either.
So we have to split the install.wim file into two .swm files with the DISM command line utility, and that will do.
- Obtain the Windows 2016 installation ISO and extract the files from it.
- Split the sources\install.wim file to several .swm files using the now built-in DISM tool:
dism /Split-Image /ImageFile:sources/install.wim /SWMFile:sources/install.swm /FileSize:4000
- It will create at least two files, install.swm and install2.swm, or even more of them if you specified a smaller file size or had a bigger original install.wim image.
- Delete the original sources\install.wim file from the sources folder and keep there, or copy there, the swm files that you produced in the previous step
- Obtain a pen USB flash drive that you want to use for the installation media
- Start DISKPART command line as Administrator
- Identify your flash drive with the following command (in my case it showed as disk number 3):
list disk
- Select the disk, clean it, convert to GPT and create the empty partition:
select disk 3
clean
convert gpt
create partition primary
format fs=fat32 quick
- Copy all the installation source files, containing the split swm files which you prepared previously, onto the newly formatted flash drive. You have to copy all the files from the ISO, including the sources, boot and efi folders as well
And go install, it should work :-) Note that such a drive should be displayed in the UEFI BIOS as a boot option. If it is not, the UEFI BIOS didn't recognize the drive or didn't recognize it can boot from it and it will not boot anyway.
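As an added example (not part of the original post), the following PowerShell pre-flight check verifies the conditions the steps above depend on: no staged file exceeds the FAT32 limit, install.wim has been replaced by the split .swm files, the UEFI boot loader is present, and the target volume is FAT32 on a GPT disk. The function name `Test-UefiInstallMedia`, the staging folder `C:\iso` and the drive letter `E` are assumptions.

```powershell
# Added example: pre-flight check for the media built in the steps above.
# Test-UefiInstallMedia, C:\iso and drive letter E are assumptions (hypothetical names).
function Test-UefiInstallMedia {
    param(
        [string]$Source = 'C:\iso',   # folder holding the extracted ISO files
        [char]$DriveLetter = 'E'      # letter Windows assigned to the flash drive
    )
    $fat32Max = 4GB - 1               # largest file FAT32 can hold: 2^32 - 1 bytes
    $problems = @()

    # 1. Nothing in the staging folder may exceed the FAT32 file-size limit.
    foreach ($f in Get-ChildItem -LiteralPath $Source -Recurse -File) {
        if ($f.Length -gt $fat32Max) {
            $problems += "Too large for FAT32: $($f.FullName) ($($f.Length) bytes)"
        }
    }

    # 2. The unsplit image must be gone and the first split part present.
    if (Test-Path (Join-Path $Source 'sources\install.wim')) {
        $problems += 'sources\install.wim is still present; delete it after splitting'
    }
    if (-not (Test-Path (Join-Path $Source 'sources\install.swm'))) {
        $problems += 'sources\install.swm is missing; run the DISM split first'
    }

    # 3. x64 UEFI firmware boots removable media from \efi\boot\bootx64.efi.
    if (-not (Test-Path (Join-Path $Source 'efi\boot\bootx64.efi'))) {
        $problems += 'efi\boot\bootx64.efi is missing; copy the efi folder from the ISO'
    }

    # 4. The target volume must be FAT32 on a GPT-partitioned disk.
    $volume = Get-Volume -DriveLetter $DriveLetter
    $disk   = Get-Partition -DriveLetter $DriveLetter | Get-Disk
    if ($volume.FileSystem -ne 'FAT32') {
        $problems += "Volume ${DriveLetter}: is $($volume.FileSystem), expected FAT32"
    }
    if ($disk.PartitionStyle -ne 'GPT') {
        $problems += "Disk $($disk.Number) is $($disk.PartitionStyle), expected GPT"
    }
    return $problems
}

$result = Test-UefiInstallMedia -Source 'C:\iso' -DriveLetter 'E'
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'Media layout looks correct.' }
```

Run it from an elevated PowerShell prompt after formatting the drive and before copying the files; an empty result means every check passed.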