9. Enable Secure Boot
At this point you can only enter UEFI BIOS by restarting Windows directly to UEFI Firmware:
Settings, Advanced Startup, Update and recovery, Recovery, Restart Now.
When WinRE starts, select
Troubleshooting, Boot to UEFI Firmware.
Once in the UEFI BIOS, select the Security tab and click Secure Boot: Enable, then click Install Default Secure Boot keys. This offers protection from rootkits that try to install themselves into the bootloader.
The BCDBoot /f ALL command run earlier configured the necessary UEFI BIOS settings by adding "Windows Boot Manager" to the list of bootable hard disk drives and enabled Ultra Fast Boot, which skips the USB media check and the UEFI BIOS hotkeys and goes directly to Windows boot. You may optionally disable Ultra Fast Boot and select Fast Boot, so you can still enter the UEFI BIOS at boot time by pressing Del or F2. (These options are valid for ASRock UEFI motherboards; your mileage may vary.)
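To confirm from Windows that the firmware change took effect, the following check can be run in an elevated PowerShell session after rebooting. It is an added example, not part of the original guide; the function name Test-SecureBootState is hypothetical, and it assumes Windows 8 or later, where the Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets are available.

```powershell
# Added example: run in an elevated PowerShell session after booting back into Windows.
function Test-SecureBootState {   # hypothetical helper name
    $state = [ordered]@{
        FirmwareMode      = 'Unknown'
        SecureBootEnabled = $false
        PK = 0; KEK = 0; db = 0   # size in bytes of each Secure Boot key variable
        Note              = ''
    }
    try {
        # Returns $true or $false on UEFI systems; throws on legacy BIOS/CSM boots.
        $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $state.FirmwareMode = 'UEFI'
    }
    catch [System.PlatformNotSupportedException] {
        $state.FirmwareMode = 'Legacy BIOS/CSM'
        $state.Note = 'Firmware is not booting in UEFI mode; Secure Boot cannot be on.'
        return [pscustomobject]$state
    }
    catch {
        # Typically a non-elevated session; report the message as-is.
        $state.Note = "Could not query firmware: $($_.Exception.Message)"
        return [pscustomobject]$state
    }
    # The "Install Default Secure Boot keys" step should leave PK, KEK and db populated.
    foreach ($name in 'PK', 'KEK', 'db') {
        try {
            $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
            $state[$name] = if ($var.Bytes) { $var.Bytes.Length } else { 0 }
        }
        catch { $state[$name] = 0 }   # variable is undefined in firmware
    }
    if (-not $state.SecureBootEnabled -and $state.PK -eq 0) {
        $state.Note = 'No Platform Key enrolled: install the default Secure Boot keys.'
    }
    elseif (-not $state.SecureBootEnabled) {
        $state.Note = 'Keys are present but Secure Boot is switched off in firmware.'
    }
    else {
        $state.Note = 'Secure Boot is enforcing.'
    }
    [pscustomobject]$state
}

Test-SecureBootState | Format-List
```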