Secure Boot support on a custom-made PC with Windows 10 Pro

Solution 1:

CSM Mode should never be enabled for an OS, as its sole purpose was to support distros that didn't yet support EFI boot circa <2017 (Windows ≥7 supports EFI boot); CSM Mode emulates the BIOS's 16-bit architecture within a 32-bit environment, and doing so causes performance degradation (boot times increase by 400%+, GPT can't be used, etc.)

  • The only reason to enable CSM Mode is when you need to access a legacy OP[tion] ROM, and once done in the OP ROM, CSM Mode should be disabled again

To resolve:

  1. Windows 10 installation media → install on another PC → Save ISO
  2. Create bootable USB with Rufus → Reboot → Disable CSM Mode in the UEFI firmware
  3. Boot Windows install USB → When GUI loads, open terminal via Shift+F10
  4. Use mbr2gpt to convert partition table to GPT:
    1. Ascertain the OS disk #: DiskPart → lis disk → exit
    2. mbr2gpt /convert /disk:#
      

  5. Create required UEFI-boot partitions on the OS HDD via DiskPart:
    1. DiskPart → lis disk → sel dis # → Verify it's the OS disk: lis par
    2. Delete old boot partition: sel par # → Verify: det par → del par override
    3. Determine disk layout: lis par (optimal partition layout: WinRE, EFI, MSR, OS)
    4. Add requisite UEFI partitions:
      1. WinRE:
        Select OS partition: sel par 1 → Verify it's the OS partition: det par
        Shrink Desired=665 minimum=650
        Cre Par Pri Size=665 Id=de94bba4-06d1-4d40-a16a-bfd50179d6ac
        Format Quick Fs=NTFS Label=WinRE
        Gpt Attributes=0x8000000000000001
        
      2. EFI and MSR:
        Select OS partition: sel par 2 → Verify it's the OS partition: det par
        Shrink Desired=388 Minimum=388
        Cre Par EFI Size=100
        Format Quick Fs=FAT32 Label=EFI
        Assign Letter=Y
        Cre Par Msr Size=16
        
    5. Get OS partition drive letter: lis vol → exit
      (C: is usually not the OS drive letter in WinPE/WinRE)

  6. Configure EFI boot:
    ::# Create EFI directories and enter:
        MkDir "Y:\EFI\Microsoft\Boot"
        Cd /d "Y:\EFI\Microsoft\Boot"
    
    ::# Create EFI boot structure:
        BootRec /Fixboot
    
    ::# If an Access Denied error occurs, write the boot files straight to the EFI partition (C: = OS partition, Y: = EFI partition assigned above; /s must point at the EFI partition, not the OS partition):
        BcdBoot C:\Windows /s Y: /f UEFI
    
    ::# Resolve any other boot issues:
        BootRec /FixMBR && BootRec /RebuildBCD
    
    Remove EFI mountpoint: DiskPart → sel vol Y → remove → exit

  7. Reboot via wpeutil reboot, then configure WinRE once booted back to Windows:
    1. Open an Admin Terminal: WinKey+R → Open: powershell → CTRL+SHIFT+OK
    2. Mount WinRE partition via DiskPart:
      lis vol → sel vol # → Verify: det par → assign letter=Z → exit
    3. Extract WinRE.wim from the Windows install USB's sources\install.wim||.esd:
      # Get list of images [indexes] within the ESD/WIM:
        Dism /Get-ImageInfo /ImageFile:"E:\sources\install.wim"
      
      # Mount install.wim||.esd (usually index 1: Home | 6: Pro):
        MkDir "C:\Mount" ; Dism /Mount-Image /ImageFile:"E:\sources\install.wim" /Index:1 /MountDir:"C:\Mount" /ReadOnly
      
      # Copy WinRE.wim to the root of C: (trailing backslash, so Xcopy treats "C:\" as a directory rather than the current directory on C:):
        Xcopy "C:\Mount\Windows\System32\Recovery\WindowsRE\WinRE.wim" "C:\"
        # If the file is hidden, add /H: Xcopy /H "C:\Mount\Windows\System32\Recovery\WindowsRE\WinRE.wim" "C:\"
      
      # Unmount image, discard changes:
        Dism /Unmount-Image /MountDir:"C:\Mount" /Discard
      
    4. # Copy WinRE.wim onto the WinRE partition mounted as Z:
        MkDir "Z:\Recovery\WindowsRE" ; Xcopy "C:\WinRE.wim" "Z:\Recovery\WindowsRE\"
      
      # Disable WinRE:
        ReAgentC /Disable
      
      # Set Custom WinRE Path:
        ReAgentC /SetREimage /Path "Z:\Recovery\WindowsRE"
      
      # Enable WinRE and verify:
        ReAgentC /Enable ; ReAgentC /Info
      
      # Cleanup:
        Del "C:\WinRE.wim" ; RmDir "C:\Mount"
      
    5. Remove WinRE mount point: DiskPart → sel vol Z → remove → exit
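As an added example (not part of the original answer), the pre-flight and post-conversion checks I would run around the procedure above from an elevated PowerShell prompt in the full OS: confirm the current firmware boot mode, the partition style and count of the OS disk, let mbr2gpt validate the layout without changing anything, then query the Secure Boot state and the WinRE registration once the machine is back on UEFI. The disk number 0 is an assumption; change it to the OS disk number found with `lis disk`.

```powershell
# Added example, not code from the original answer. Run elevated in the full OS.
#Requires -RunAsAdministrator

$OsDiskNumber = 0   # assumption: set this to the disk that hosts C:\Windows

# 1. Firmware mode we are booted in right now. mbr2gpt works from either mode,
#    but Secure Boot can only be turned on once the OS actually boots via UEFI.
$fwType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
Write-Host "Firmware boot mode : $fwType"          # 'Uefi' or 'Bios' (CSM/legacy)

# 2. Partition style and count of the OS disk. mbr2gpt needs an MBR disk with at
#    most three partitions (it has to add the EFI partition) and no extended/logical ones.
$disk  = Get-Disk -Number $OsDiskNumber
$parts = Get-Partition -DiskNumber $OsDiskNumber
Write-Host "Partition style    : $($disk.PartitionStyle)"
Write-Host "Partition count    : $($parts.Count)"
if ($disk.PartitionStyle -eq 'MBR' -and $parts.Count -gt 3) {
    Write-Warning "More than 3 MBR partitions: mbr2gpt has no slot for the EFI partition; delete/merge one first."
}

# 3. Dry run: /validate checks the layout and writes nothing. /allowFullOS is required
#    outside WinPE. Exit code 0 means the disk can be converted.
if ($disk.PartitionStyle -eq 'MBR') {
    & mbr2gpt.exe /validate /disk:$OsDiskNumber /allowFullOS
    Write-Host "mbr2gpt /validate exit code: $LASTEXITCODE (0 = convertible)"
}

# 4. Secure Boot state. Confirm-SecureBootUEFI throws when booted in legacy/CSM mode
#    because there is no UEFI variable store to read; that failure is itself the diagnostic.
try {
    $sb = Confirm-SecureBootUEFI
    Write-Host "Secure Boot enabled: $sb"
} catch {
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message) (still booted via CSM/legacy BIOS?)"
}

# 5. After step 7: confirm WinRE is enabled and points at the relocated WinRE.wim.
& reagentc.exe /info
```

Run it once before converting (expect `Bios` or `Uefi`, `MBR`, and exit code 0 from the validation) and again after disabling CSM and rebooting (expect `Uefi`, `GPT`, `Secure Boot enabled: True` once it is turned on in firmware, and `Windows RE status: Enabled` from reagentc). A `False` from Confirm-SecureBootUEFI after the conversion means the OS boots via UEFI but Secure Boot is still switched off in the firmware setup, which is a separate setting from CSM.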