7/2/2025, 4:44:51 AM
7/1/2025, 11:41:41 PM
7/1/2025, 2:04:40 PM
The obscure registry hack of the day is...
>rolls (loaded) dice - H/T >>105754625
"Configure an enhanced Boot Configuration Data validation profile"
(save this as UTF-16 LE, to make it a true REGEDIT5 file)
Windows Registry Editor Version 5.00
; Secure Boot, until Windows 8, 'measured' (Secure Boot-ese for 'checked')
; the BCD in a rather aggressive fashion: if anything much beyond the boot
; order elements had been changed, it would reject it as a 'modified boot
; path'. Microsoft, after fielding thousands of 'I just installed a language
; pack and my computer won't start' support calls (caused by the 'locale'
; elements in the BCD changing), realised their mistake and relaxed the 'BCD
; validation profile', removing all but a few elements (mostly the actual
; device and file name elements) from 'measurement'. While this certainly
; made it more 'yooser frenly' (and stopped the above support calls), it
; also reduced Secure Boot's ability to detect tampering with the early-boot
; files - the exact thing it was designed to protect against.
;
; So, to appease the security nutters who cried foul, Microsoft included a
; new Group Policy along with Windows 8 to specify extra elements in the BCD
; validation profile, which will additionally be checked during Secure Boot's
; BCD measurements. As an aside, they also included another policy to REMOVE
; elements from this validation profile, but that's outside the scope of this
; hack.
;
; Anyway, adding an element is pretty simple: it's just a bunch of lines (REG_
; MULTI_SZ) in '<entry>:<value>' format: <entry> is a BCD 'application' type,
; such as 'winload', 'memtest' (without quotes) or similar, or 'all' (again,
; without quotes) to apply it to all BCD application entries. <value> is a
; specific value name to protect, such as 'hypervisordebugport', (if you're
; feeling masochistic) 'locale' or (if you're an adventurer) '0x16000074'
(cont'd)