Since version 1903 of Windows 10, the ISO images available on MSDN contain install.wim image which is larger than 4GiB file size limit of FAT32 partition. Secure boot does not boot from NTFS-formatted USB sticks, which leads to a problem where its not possible to install Windows in UEFI/secure boot mode.
The solution to this problem is to create 2 partitions, FAT32 for hosting just the boot files, and a larger NTFS for hosting the rest of installer image.
Step by step instructions
Step 1: Create and format partitions
Right click Windows logo, click Command Prompt (Admin).
Enter diskpart.exe, press Enter. The following commands all occur at the "DISKPART>" prompt. After listing disks, make a note of the disk number which matches inserted USB stick (based on size/etc). Use that number in "select disk" command below.
list diskselect disk 1 (Where 1 is the disk number for USB stick. Usual warnings about not being an idiot apply.)
cleancreate partition primary size=1024select partition 1activeformat quick fs=fat32assigncreate partition primaryselect partition 2format quick fs=ntfsassignexitRemain in the admin command prompt for the following step.
Step 2: Copy boot and installer files
Double click on the ISO file of Windows 10, version 2004 (or newer) to create a virtual drive. Note the drive letter this creates. Enter the following commands, replacing drive letters as required.
xcopy f:\sources\boot.wim d:\sources\ /s /ewhere
f: the virtual drive and
d: the USB fat32 partition.
We copy only the f:\sources\boot.wim file to d:\sources\.
robocopy f:\ d:\ /IS /S /XD sources where f: the virtual drive and d: the USB fat32 partition. We copy everything from f:\ to d:\ except the sources folder.
xcopy f:* e:\ /s /e where f: the virtual drive and e: the USB NTFS partition.
Final notes
That's it! Close command prompt, eject USB, and reboot (or take the stick to whatever machine you will be installing).
