Deploying Windows Server 2016 to Intel NUC devices

The Intel NUC devices have turned out to be great machines for a small but efficient Hyper-V host. The challenge is that Intel doesn’t get that, and in fact blocks its network adapter device drivers for Windows Server 2016. In this post you learn how to fix this properly.

When it comes to solving the Windows Server 2016 network drivers issues for the Intel NUC device, the best option is:

Sign the Driver Like a Boss!

This is where you want to be, and for this you need to get a real driver certificate that is cross-signed with Microsoft. I ended up buying Kernel-Mode Code Signing Certificates from DigiCert for 223 USD (1 year) but I have seen deals as low as 178 USD / year. I just happen to like DigiCert because they are awesome. Here are the steps for fixing and signing the Intel network drivers for Windows Server 2016. In these steps I assume you have bought a certificate:

  1. Download the Intel NUC network driver for Windows 10 (LAN_Win10_64_20.4.1.exe) from http://downloadcenter.intel.com/download/25517/LAN-Intel-Gigabit-Ethernet-Controller-driver-for-Intel-NUC and extract to a folder.   
  2. The driver you want to modify is in the LAN_Win10_64_20.4.1\PRO1000\Winx64\NDIS65 folder. In this guide I created a new folder, C:\Drivers\IntelNUC, and copied the NDIS65 folder to it.

    The NDIS65 folder copied from LAN_Win10_64_20.4.1\PRO1000\Winx64.

  3. Modify the e1d65x64.inf file as described in the following steps.
  4. Copy the highlighted section:

    The section to copy.

  5. In the [Intel.NTamd64.10.0] section, paste it under %E15A2NC.DeviceDesc% = E15A2, and save the file.

    The copied section added.

  6. Download and install Windows Driver Kit (WDK) 10 from: http://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx. Don’t worry about the notes saying you must have Visual Studio 2015 installed, because you don’t.

    Installing Windows Driver Kit (WDK) 10. 

  7. Since you modified the e1d65x64.inf file you have broken the signing. To fix this you generate new catalog files, and sign them with your certificate.
  8. Generate the new CAT files by starting an elevated PowerShell prompt and running the following commands:

    cd "C:\Program Files (x86)\Windows Kits\10\bin\x86"

    .\inf2cat.exe /driver:"C:\Drivers\IntelNUC\NDIS65" /os:Server10_X64

    Generating the catalog files.

  9. Next up is to sign the catalog files using the Signtool.exe utility. Download the "DigiCert High Assurance EV Root CA.crt" from DigiCert to the folder where you have signtool.exe, and run the following command:

    signtool.exe sign /v /ac "DigiCert High Assurance EV Root CA.crt" /s My /n "Deployment Artist AB" /t http://timestamp.digicert.com /sha1 56C1CB59A3EC082164DCA7F022CB60E03D8B8BDB "C:\Drivers\IntelNUC\NDIS65\e1d65x64.cat"

    Note: Don’t use Firefox to install the root certificate, because Firefox has its own certificate store and doesn’t use the Windows one. You also need to replace the certificate name and thumbprint in the above command with your own. Also, the DigiCert utility does not seem to work 100 percent OK in Windows 10, but signtool.exe does.

    Signing the file(s).  
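
A verification pass to run after step 9, as an added example that is not part of the original post: it checks that the catalog is validly signed by the expected certificate, is timestamped, passes the kernel-mode signing policy, and covers the edited INF. The signtool.exe path and the thumbprint placeholder are assumptions to replace with your own values.

```powershell
# Added example: verify the re-signed catalog before installing the driver.
$DriverDir = 'C:\Drivers\IntelNUC\NDIS65'            # folder used in this guide
$Catalog   = Join-Path $DriverDir 'e1d65x64.cat'
# Assumption: signtool.exe sits next to inf2cat.exe (adjust for your WDK install).
$SignTool  = 'C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe'
# Placeholder: thumbprint of your own code-signing certificate.
$ExpectedThumbprint = '<YOUR-CERTIFICATE-THUMBPRINT>'

$problems = @()

# 1. The catalog must carry a valid Authenticode signature from the expected certificate.
$sig = Get-AuthenticodeSignature -FilePath $Catalog
if ($sig.Status -ne 'Valid') {
    $problems += "Catalog signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
elseif ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
    $problems += "Catalog signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
}
# Without a timestamp the signature stops validating when the certificate expires.
if ($sig.Status -eq 'Valid' -and -not $sig.TimeStamperCertificate) {
    $problems += 'Catalog signature has no timestamp'
}

# 2. The catalog must pass the kernel-mode driver signing policy (/kp).
& $SignTool verify /kp /v $Catalog | Out-Null
if ($LASTEXITCODE -ne 0) { $problems += 'signtool verify /kp failed for the catalog' }

# 3. The edited INF must be covered by the new catalog (/c): a stale catalog
#    still holds the hash of the unmodified file and fails here.
$inf = Join-Path $DriverDir 'e1d65x64.inf'
& $SignTool verify /kp /c $Catalog $inf | Out-Null
if ($LASTEXITCODE -ne 0) { $problems += "$inf does not match $Catalog" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Driver package failed verification; do not install it.'
}
'Driver package verified: catalog signed, timestamped, and matching the edited INF.'
```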

About the author

Johan Arwidmark
