Establishing Procurement Policies Regarding Secure Boot

Firx writes: My university department has a tradition of selling its used computers and/or repurposing them with Linux for graduate students and science computer labs. With Windows no longer requiring one be able to disable secure boot, my department is writing up a procurement policy to ensure future machines we buy will still have this feature. Part of the draft motion reads

Be it resolved that computers running or intending to run Microsoft Windows purchased by the department which boot using the Unified Extensible Firmware Interface (UEFI) have the ability to disable the Secure Boot features for both local hard drive and network booting.

Is there something further we should be including here and what is the best way to explain the need for this policy to colleagues less technically literate? Thanks in advance!