And how do you propose to get around the fact that all the code that you would need to replace won't run unless it is signed by Microsoft? At this point, the layers of verification from power on to logged in go deeper than firmware.
This is a silly question to ask. I personally haven't seen or even heard of any systems that don't permit you to disable boot code signature enforcement. Hell, even the Microsoft-built Surface Pro 4 does; you can go right ahead and install Linux on the damn thing. Without enforcement there's no chain of trust, so you can patch wherever the hell you want.
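Added example, not from either poster: a POSIX shell check for whether the firmware is actually enforcing boot signatures, read from the UEFI SecureBoot and SetupMode variables that the Linux kernel exposes under efivarfs. Each efivarfs file is 4 bytes of attribute flags followed by the variable data; the GUID is the EFI global-variable GUID under which both live. The directory argument and the `EFIVARS_DIR` override are assumptions for testing against constructed files; on a real system you would call `sb_state` with no argument.

```shell
#!/bin/sh
# Added example (not code from the thread): report the firmware's boot
# signature enforcement state by reading efivarfs. Layout of each file:
# 4 bytes little-endian attribute bitmask, then the variable's data bytes.

EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE

# efivar_u8 FILE -> prints the first data byte (after the 4 attribute
# bytes) as a decimal integer, or "missing" if absent or empty.
efivar_u8() {
    f="$1"
    [ -s "$f" ] || { echo missing; return 0; }
    v=$(tail -c +5 "$f" | od -An -tu1 -N1 | tr -d ' \n')
    [ -n "$v" ] && echo "$v" || echo missing
}

# sb_state [DIR] -> prints one of: enforcing, disabled, setup-mode,
# unsupported. "setup-mode" means no Platform Key is enrolled: the
# firmware accepts unsigned images and new keys, so there is no chain
# of trust regardless of what SecureBoot reads.
sb_state() {
    dir="${1:-$EFIVARS_DIR}"
    sb=$(efivar_u8 "$dir/SecureBoot-$GLOBAL_GUID")
    sm=$(efivar_u8 "$dir/SetupMode-$GLOBAL_GUID")
    if [ "$sb" = "missing" ]; then
        echo unsupported      # non-UEFI boot or no efivarfs mounted
        return 0
    fi
    if [ "$sm" = "1" ]; then
        echo setup-mode
        return 0
    fi
    if [ "$sb" = "1" ]; then echo enforcing; else echo disabled; fi
}

# When run as a script on a real machine, report the live state.
echo "Boot signature enforcement: $(sb_state)"
```

A state of `disabled` or `setup-mode` is the situation the second poster describes: nothing verifies the next stage, so a modified bootloader or kernel loads without complaint. Note that this reads what the firmware reports; it does not prove the firmware itself is intact.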