How to Install a Fresh Windows Booted from UEFI Secure Boot using a Bootable USB

Motivation:

Most of Windows machines are delivered with a limited Windows version and unnecessary preinstalled software.

You want to format the hard drive and install a fresh Windows that can be booted from UEFI secure boot to improve machine performance and stability.

Prerequisites:

You need to have a 8Gb USB stick and an ISO file of Windows 10, version 21H2 or Windows 11, version 23H2.

Solution:

Step 1: Backup your machine and create an USB recovery by entering “Create a recovery drive” text to the search box on the task bar and follow the instructions.

Step 2: Create a bootable USB with Windows installation files.

If you plan to install Windows 11 then you can use Windows 11 Installation Assistant to create a bootable USB (click Download Now link below Create Windows 11 Installation Media section), and skip the commands below.

If you plan to install Windows 10 then you can use the commands below to create a bootable USB.

  • Right click Windows logo, click Command Prompt (Admin).
  • Enter diskpart.exe, press Enter.
    DISKPART> list disk
    DISKPART> select disk 1 -- the USB disk should be selected, the number may be different in your machine.
    DISKPART> clean
    DISKPART> create partition primary size=1024
    DISKPART> select partition 1
    DISKPART> active
    DISKPART> format quick fs=fat32
    DISKPART> assign
    DISKPART> create partition primary
    DISKPART> select partition 2
    DISKPART> format quick fs=ntfs
    DISKPART> assign
    DISKPART> exit
  • Double click on the Windows ISO file to create a virtual drive.
    xcopy f:\sources\boot.wim d:\sources\ /s /e
    
    where 
    f: the virtual drive and 
    d: the USB fat32 partition.
    We copy only the f:\sources\boot.wim file to d:\sources\.
    
    robocopy f:\ d:\ /IS /S /XD sources
    
    where 
    
    f: the virtual drive and 
    d: the USB fat32 partition.
    We copy everything from f:\ to d:\ except the sources folder.
    
    xcopy f:* e:\ /s /e 
    
    where 
    f: the virtual drive and 
    e: the USB ntfs partition.

Step 3: Install Windows.

  1. Plug the USB to a machine.
  2. For a Dell laptop, power on the machine, press F12 until a one-time boot up menu appears. Select the option to boot the machine from the USB. (You may need to access BIOS to select the UEFI option for Boot Sequence, and select the AHCI option for SATA operation).
  3. For a Sony VAIO laptop, power off the machine, then press the Assist button to enter VAIOCare. Select the option to boot the machine from the USB. (You may need to access BIOS to enable the option to boot the machine from an USB).
  4. For a ThinkPad laptop, power on the machine, press F12 until a one-time boot up menu appears. Select the option to boot the machine from the USB. Alternatively go to Settings > Update & Security > Recovery, click the Restart now button under the Advanced setup section and follow the instructions to boot the machine from a USB.
  5. Follow the instructions to install Windows. Set Windows partition size to 614516Mb for DellPrecision if you want to have 600Gb C drive, or 262260Mb for DellXPS if you want to have a 255Gb C drive, or 819815Mb for ThinkPad if you want to have a 800Gb C drive.
  6. You can delete all the partitions, including MRP (Microsoft Reserved Partition – this is just a reserved partition for Windows later use if needed), ESP (EFI System Partition – this is where UEFI firmware files are stored to boot Windows), WINRETOOLS (Windows Recovery Environment (WinRE) Tools – this is where files for repairing or recovering Windows are stored), and PBR image (this is where original the manufacture Windows installation file  are stored) because you already created an USB recovery in the Step 1.

Step 4: Configure Windows for Developer’s needs.

  1. Change Computer Name, turn off System Restore, enable Remote Desktop,
  2. Change Time Zone.
  3. Add Wireless LAN Service feature for Windows Server 2019.
  4. For a Dell laptop, install Dell Wireless 1820A 1830 WiFi Driver. Set battery charge threshold value to 50% in BIOS.
  5. Turn on Network discovery and file sharing by clicking on Network icon on the left side of Explorer.
  6. Activate Windows.
  7. Disable Hibernation (powercfg.exe /h off).
  8. Configure Power options (Hard disk >> Turn of hard disk after: 0, Wireless Adapter Settings >> Power Saving Mode: Maximum Performance, Sleep >> Sleep after: 0).
  9. Uninstall unnecessary applications.
  10. Use the manage-bde -status command to show BitLocker status (There is a space between bde and status). Use the manage-bde -off C: command to turn off BitLocker for the C drive.
  11. Turn on Automatic Logon.
  12. For a Dell laptop, go to Dell Support, scroll down and enter your Dell laptop service tag, click Search button, click Drivers & Downloads tab, expand Find drivers section, install Dell Command Update, and use it to check and install necessary drivers.
  13. For Windows Server 2019, install Chipset Device, Graphics, Audio, Ethernet, Bluetooth, Memory Card Reader, Dynamic Platform and Thermal Framework driver.
  14. For a ThinkPad laptop, install Lenovo Vantage. Set battery charge threshold value to 40% using Lenovo Vantage.
  15. Turn the following Windows features on: .NET 3.5, ASP.NET 4.8, Hyper-V, Internet Information Services, Telnet Client.
  16. Install Total Commander, Office 365 Offline, MS Project 2016, MS Visio 2016, MS SQL Server 2016, Visual Studio 2022, Adobe Acrobat Pro DC v15.8, Adobe Photoshop CC 2015, TortoiseSVN 1.14.6
  17. Install Remote Desktop Connection Manager, PuTTY 0.80, WinSCP 6.3.
  18. Create a VPN connection. Configure the VPN connnection.
  19. Prevent normal traffic from going through VPN: Go to Control Panel >> Network and Sharing Center >> Change adapter settings >> Right click VPN Connection >> Properties >> Select the Networking tab:
    – Disable Internet Protocol Version 6 (TCP/IPv6).
    – Select Internet Protocol Version 4 (TCP/IPv4) >> Properties >> Advanced >> IP Settings: Uncheck the Use default gateway on remote network option.
  20. Install Python 3.6.8, TensorFlow, Keras
    1. Install Firefox, MPC-HC.1.7.13. (Go to View >> Options >> Player and turn off all options under the History section. Go to View >> Options >> Playback and disable the Auto-zoom feature.)
    2. Configure secure protocols using IIS Crypto GUI (Select Best Practices, disable TLS 1.0, TLS 1.1, MD5, SHA).
    3. Install Hyper-V, create an external Virtual Switch for Internet access, set Scheduler Type to Core.
    4. Apply Windows updates to the machine.