I would very much like to see a copy of that agreement Microsoft has with OEM's.
I have 2 new motherboards, from 2 of the leading mboard manufacturers (Gigabyte and ASRock) and neither of them allow SecureBoot to be disabled. (The Gigabyte board allows UEFI boot to be disabled, which is not the same thing).
Also, how does it help security if the drive is locked to a single motherboard? I can't clone a linux drive, move it to another system, and boot it from there, even though I'm legally entitled to do so. This is just draconian DRM under the guise of "security".