Enable UEFI mode in firmware
Disable Legacy BIOS/CSM boot
Update BIOS/UEFI firmware to the latest version
Set a strong BIOS/UEFI administrator password
Enable Secure Boot in firmware settings
Use signed bootloaders and signed operating system kernels
Keep Secure Boot keys in their default or an approved state
Enroll custom keys only if required and managed securely
Enable TPM if supported
Enable full-disk encryption
Protect boot order from unauthorized changes
Disable boot from external media when not needed
Restrict physical access to the device
Use trusted recovery media only
Verify Secure Boot status after installation
Monitor for firmware changes and boot integrity issues
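
One way to carry out the "Verify Secure Boot status after installation" item on a Linux host, as an added example that is not part of the original checklist: it reads the SecureBoot and SetupMode UEFI variables from efivarfs and reports the resulting state. The function names, the returned labels and the make_sample helper are assumptions made for this example.

```python
import struct
import tempfile
from pathlib import Path

# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE in the UEFI spec).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point


def read_flag(efivars: Path, name: str):
    """Return the one-byte value of a global UEFI variable, or None if absent."""
    path = efivars / f"{name}-{EFI_GLOBAL}"
    try:
        raw = path.read_bytes()
    except OSError:
        return None
    # efivarfs prefixes the variable data with a 4-byte little-endian attribute word.
    if len(raw) < 5:
        return None
    (_attrs,) = struct.unpack_from("<I", raw)
    return raw[4]


def boot_posture(efivars: Path = EFIVARS) -> str:
    """Classify the host using labels chosen for this example."""
    if not efivars.is_dir():
        return "legacy-or-no-efivarfs"   # booted via legacy BIOS/CSM, or efivarfs not mounted
    secure = read_flag(efivars, "SecureBoot")
    setup = read_flag(efivars, "SetupMode")
    if secure is None:
        return "secureboot-unsupported"
    if setup == 1:
        return "setup-mode"              # no Platform Key enrolled, so keys can be replaced
    return "enforcing" if secure == 1 else "disabled"


def make_sample(secure: int, setup: int) -> Path:
    """Constructed efivarfs-like directory for offline runs (not real firmware data)."""
    d = Path(tempfile.mkdtemp())
    for name, val in (("SecureBoot", secure), ("SetupMode", setup)):
        # 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS attribute bits, then the 1-byte value.
        (d / f"{name}-{EFI_GLOBAL}").write_bytes(struct.pack("<IB", 0x06, val))
    return d


if __name__ == "__main__":
    print("this host:", boot_posture())
    print("constructed sample:", boot_posture(make_sample(1, 0)))
```

Any result other than "enforcing" after installation points back to an earlier item in the list: UEFI mode, Secure Boot enablement, or key state.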
