So, I came back across this thread (over two years later) having revisited this topic. My initial experiments were with a MacBook Pro (15-inch, 2016), a Mac that doesn't have the T2, but DOES have (a) the T1 and (b) plenty of non-standard components (way more than any Mac from 2014 and earlier that you'd totally be able to get away with just using an unmodified Windows 10 Install USB drive and the latest version of that Mac's Boot Camp installer for Windows).
Effectively, the problem that you'll have on a newer Intel Mac that doesn't have the T2 [and again, my only experience so far has been with a MacBook (Retina, 12-inch, 2017) and a MacBook Pro (15-inch, 2016)] is that you will need to bake in the right drivers for Windows. The SSD, keyboard, and trackpad will be obvious ones that won't be recognized by either the bootable installer's OS or the OS installation payload itself.
What I did for the MacBook Pro (15-inch, 2016) was the following:
- Install the latest version of macOS on it (in this case, that Mac only goes up to macOS Monterey)
- Run the Boot Camp Assistant, but only to download the "WindowsSupport" software and pop that on a FAT32 or exFAT formatted USB drive
(Of note, I discovered the existence of Brigadier, a utility that will fetch the latest Boot Camp installer for a given Mac model identifier [e.g. MacPro6,1 or MacBookPro16,2] in either Windows or macOS; so you don't necessarily HAVE to get the Boot Camp software from the Boot Camp Assistant if you don't want to)
- Take a different USB drive and format that as FAT32
- Download and run the Windows 10 Media Creation Tool on another Windows PC (could be running any version of Windows, but with seven days left of support, you probably don't want to use Windows 8.1) and run it, targeting the second USB drive.
- Extract the install.esd and boot.wim files from the sources folder
- For install.esd, use the dism command to extract the one index containing the edition of Windows you're wanting to install (in most cases, this will be either "Windows 10 Home" or "Windows 10 Pro") into its own install.wim file
- Mount the install.wim file using dism to an empty folder
- Use dism to add drivers from the $WinPEDriver$ folder in the "WindowsSupport" folder you copied to the other USB drive; I used the "/Recurse" option so I'd get them all
- Since the WiFi driver is missing from that folder for that particular machine, you'd want to download and install 7zip and then extract the individual installer for the WiFi driver (assuming you want to be able to make your first user account in Windows be a Microsoft account that you already have rather than a local account) into a folder (where there will be the driver .inf file that you can add using dism)
- Commit the changes and unmount the image using dism
- Mount the boot.wim file using dism (optionally to that same empty folder; doesn't matter where you do it so long as the command is able to find the folder you specify, but that might be more convenient); there are two indexes, and you'll want to do this with both of them
- Once again, use dism to add drivers from the $WinPEDriver$ folder in the "WindowsSupport" folder you copied to the other USB drive; I used the "/Recurse" option so I'd get them all. You do not need to add the extracted Wi-Fi driver since boot.wim is solely the Windows installation environment
- Commit the changes and unmount the image using dism; repeat for the second index
- Copy the modified boot.wim file back to the sources folder on the drive you turned into a bootable Windows 10 install drive
- Before you are able to do the same with the modified install.wim file that you added drivers to, you will need to split the wim file into two smaller files (as, believe it or not, the install.wim file is actually much larger than the install.esd file that it came from and you're still dealing with FAT32, which has a file size limitation); dism's got your back there too. You will only need to split it into two files, install.swm and install2.swm
- On the bootable Windows drive, delete install.esd and replace it with your two newly minted install.swm and install2.swm files in the sources folder on the Windows 10 USB drive
- Done
And mind you, all of that is just so you can get into Windows and properly install the Boot Camp software package which will take you the rest of the way to a smoothly running Windows installation on your Mac.
One thing that is a sticking point for a T1 Mac (so, basically any 2016 or 2017 MacBook Pro that has a Touch Bar) is that the Touch Bar and the camera and a few other devices on the Mac are run by the T1. It's nowhere near as much as what the T2 does, but it's still enough to factor in.
Where the T2 chip runs bridgeOS from its own storage (not positive that it has its own storage, but I'm like 85% sure), the T1 chip runs a different OS called "embeddedOS" from the hidden "EFI" partition.
You CAN take a drive made from the procedure I briefly outlined here and make a drive that will install on the MacBook Pro (15-inch, 2016), if not other T1 Macs as well.
However, if you wipe every existing partition on the Mac, using the Windows installer (like you are able to do without consequence on a 2014 or earlier Intel Mac), you have the following issues once you're in Windows:
- The FaceTime HD camera won't be recognized by Windows at all
- The Touch Bar will be off and non-functional
- Until you update to the very latest version of Boot Camp, you'll keep getting periodic error messages about the Boot Camp Software not being installed properly that prompt you for a reboot (Spoiler Alert: it keeps happening after the reboot)
There are probably others, but those were the ones I found.
SO, when using the Windows installer, LEAVE THE EFI PARTITION ALONE! There will only be that partition (which is a small triple digit number of megabytes large) and the actual partition macOS was installed on. Just delete the partition macOS was on and target the Windows installation to go there. Windows will know how to interact with the EFI partition and, most importantly, all of the things that run from the T1 chip will work.
It's a little kludgier and it still requires that there was a working installation of macOS on there before the wipe, but you can still have a macOS-free installation of Windows on a newer Intel Mac that has a T1.
Now, I grant that this thread is primarily about the T2. Currently, I have a MacBook Air (Retina, 13-inch, 2019) that I got from work as a guinea pig. [It's funny to see how the original post aged as I ended up getting a MacBook Pro (13-inch, M1, 2020) and a MacBook Pro (16-inch, 2019) instead of the MacBook Pro (13-inch, 2020, Four Thunderbolt 3 Ports) model I had talked about.] I'm more or less using the same method to create the USB drive that I used on the MacBook Pro (15-inch, 2016). So far, it's a little perilous as many of the Intel chipset drivers are unsigned for some reason and x64 versions of Windows require that drivers be digitally signed in order to install (you can override this when using dism, but that honestly makes me a little uneasy).
Other than the USB drive creation process itself, there are additional T2-specific hurdles. Specifically, with Startup Security Utility settings:
- You have to enable external boot drive support - this is probably obvious and a given and no big deal
- You will not be able to boot the USB Drive with either "Full Security" or "Minimum Security" Secure Boot setting options
The first of those is, again, no big deal. The second one has interesting implications:
For one, Apple's own documentation on Boot Camp with T2 Macs suggests that (when using the Boot Camp Assistant to create the Windows partition to be used alongside macOS) one should have the Secure Boot setting set to "Full Security" prior to the Boot Camp installation but also that it won't matter what that setting is set to thereafter. Presumably, you can't set an OS installed with a lesser security setting than "Full Security" to "Full Security" after the fact.
Couple this with the fact that any external Windows installation media (including vanilla drives made with the Media Creation tool that are not modified with dism) can only boot with "No Security" set for Secure Boot in the Startup Security Utility and what you're left with is the following notion:
Windows installations made with the Boot Camp assistant running in macOS will have the benefit of Secure Boot and can run with any Secure Boot option set (so long as "Full Security" is on when the Boot Camp partition is made to begin with), but Windows installations made with no macOS presence whatsoever have to be done with the "No Security" option with the Windows installation likely never being able to use Secure Boot (since Apple's implementation of Secure Boot with the T2 is extra strict; way more strict than that of your average 2012-present era Windows 8.1-11 PC).
Given that having Secure Boot enabled is a requirement of Windows 11, this likely also means that, assuming Apple ever offers support for Windows 11 via Boot Camp on Intel Macs, it will be (a) limited to T2 Macs (since Apple offers no other Secure Boot implementation on non-T2 Intel Macs) and (b) impossible to install via a USB drive in such a way that you're left with a perfectly supported installation.
I've yet to go past making the modified USB drive for my MacBook Air (Retina, 13-inch, 2019). Will update this thread on how that goes. I'm guessing it'll be fine and that my only real limitation is that I won't be able to use Secure Boot [making it effectively no different than the experience of Windows 10 on the MacBook Pro (15-inch, 2016)]. I'll definitely look to see whether or not nuking the EFI partition matters and what other T2-isms I'll have to face in Windows.
I'll probably do a detailed guide for those doing what I did with a T1 Mac and/or for the detailed steps to slipstream the Boot Camp drivers onto a Windows 10 USB drive if anyone wants it. What I did is easily translatable into an MDT or SCCM workflow (just so long as the previously-made EFI partition is left intact on T1 Macs). Will update accordingly when I'm on the other side of doing this with a T2 as well as the differences that I notice with the Startup Security Utility settings and Windows with Secure Boot between a USB install and a Boot Camp Assistant driven install.
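The slipstream procedure from the post above (export one edition from install.esd, add the Boot Camp drivers to install.wim and to both boot.wim indexes, split for FAT32), as an added PowerShell example that is not part of the original post. It assumes an elevated prompt; the folder paths, the drive letter, the edition index and the helper function names are hypothetical. It adds a catalog signature pre-check so that unsigned drivers are listed for review rather than overridden wholesale:

```powershell
# Added example. Paths, drive letters and the edition index are assumptions.
$ErrorActionPreference = 'Stop'
$Work    = 'C:\wimwork'                        # assumed: holds copies of install.esd and boot.wim
$Mount   = Join-Path $Work 'mount'             # empty folder used as the mount point
$Drivers = 'E:\WindowsSupport\$WinPEDriver$'   # assumed drive letter; single quotes keep $ literal
$Wifi    = Join-Path $Work 'wifi'              # assumed: extracted Wi-Fi driver (.inf) folder
$Edition = 6                                   # assumed: take the real index from /Get-WimInfo

function Invoke-Dism {
    & dism.exe @args
    if ($LASTEXITCODE -ne 0) { throw "dism $($args -join ' ') exited with $LASTEXITCODE" }
}

# List driver packages whose catalog is missing or not validly signed, so any
# use of /ForceUnsigned is a per-driver decision instead of a blanket override.
function Get-UnsignedDriver([string]$Root) {
    Get-ChildItem -LiteralPath $Root -Recurse -Filter *.inf | ForEach-Object {
        $cats = @(Get-ChildItem -LiteralPath $_.DirectoryName -Filter *.cat)
        $bad  = @($cats | Where-Object {
            (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status -ne 'Valid' })
        if ($cats.Count -eq 0 -or $bad.Count -gt 0) { $_.FullName }
    }
}

# Mount one image index, add every driver under the given folders, commit.
function Add-DriversToImage([string]$Wim, [int]$Index, [string[]]$Folders) {
    Invoke-Dism /Mount-Image "/ImageFile:$Wim" "/Index:$Index" "/MountDir:$Mount"
    try {
        foreach ($f in $Folders) { Invoke-Dism "/Image:$Mount" /Add-Driver "/Driver:$f" /Recurse }
        Invoke-Dism /Unmount-Image "/MountDir:$Mount" /Commit
    } catch {
        & dism.exe /Unmount-Image "/MountDir:$Mount" /Discard   # do not leave a stale mount
        throw
    }
}

$unsigned = @(Get-UnsignedDriver $Drivers) + @(Get-UnsignedDriver $Wifi)
if ($unsigned.Count -gt 0) { throw "Review before injecting:`n$($unsigned -join "`n")" }

New-Item -ItemType Directory -Force -Path $Mount | Out-Null
Invoke-Dism /Get-WimInfo "/WimFile:$Work\install.esd"
Invoke-Dism /Export-Image "/SourceImageFile:$Work\install.esd" "/SourceIndex:$Edition" `
    "/DestinationImageFile:$Work\install.wim" /Compress:max /CheckIntegrity
Add-DriversToImage "$Work\install.wim" 1 @($Drivers, $Wifi)    # exported image is index 1
foreach ($i in 1, 2) { Add-DriversToImage "$Work\boot.wim" $i @($Drivers) }
# FAT32 caps files at 4 GB; dism names the parts install.swm, install2.swm, ...
Invoke-Dism /Split-Image "/ImageFile:$Work\install.wim" "/SWMFile:$Work\install.swm" /FileSize:3800
```

The signature check only confirms that each driver folder has a catalog with a valid Authenticode signature; it stops before any image is modified so the listed packages can be examined individually.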
Sorry about the delay in response, I have been extremely busy with work and this is the first time I have signed into MacRumors in quite a while. We are currently using 27" iMacs that I thought had the T2, but it never occurred to me that there would be any issues with it since we inject the Boot Camp driver package as part of our task sequence with MDT. You do have me intrigued and now I am half tempted to try installing Windows solely on my work 16" MBP as a test.
My turn to apologize for an EVEN LONGER delay in response. Would still be curious as to whether or not the iMacs in question that you have are 2020 models or 2019 models. I'd imagine that you'd still need to inject the Boot Camp drivers into both the installation wim file as well as whatever boot wim file, but maybe 2019 iMacs behave more like 2014 and earlier Macs when it comes to custom hardware that you NEED drivers injected for. And yeah, definitely test your work 16" (assuming you're still at that place and still have that machine). Would be interested in the results!
I did exactly this on a 2018 Mac mini a couple of weeks ago. The information is out there but very hard to get it. The process is really easy.
I am just heading to bed but if anyone is interested I will make a step-by-step guide for you.
I'd be very interested in what you did to compare notes. I'd imagine there's less that the T2 has to do on a Mac mini than on a MacBook Pro, but I'd still be curious.
I came across this dude's guide. And he mostly did the same stuff I did. Though, he didn't use dism to make an installer drive with all the drivers baked in. But he did use Brigadier (which is how I found out about it), so that's cool. Would be curious to see how your findings differ, if at all.
