forbidding windows to modify uefi partition files


  1. Posts : 56
    whatever
       #1

    forbidding windows to modify uefi partition files


    Hello guys, I have no idea where to put this, but I have a strange situation here.
    I have an HP laptop with a highly cut-down BIOS, and the only way to make it capable of dual-booting is to place the rEFInd boot manager files in the efi\microsoft\boot\ folder, after copying the entire microsoft folder under a different name.
    The problem is Windows keeps trying to modify that folder after any major update, and makes the computer unbootable, unless I hand-feed it with the copy of the Windows loader file, or a copy of the rEFInd bootloader otherwise undetected by the BIOS. The laptop can boot from file, so I can go to Linux, mount the UEFI boot partition and fix the damage. But Windows will brick itself on the next boot probably.

    Windows was installed first, then Linux on another unbootable SSD that shouldn't even be there; the first SSD shouldn't be there either by HP design, so no hope for tech support from them. I literally soldered wires on the motherboard for it to work, so I am kind of invested in the computer.

    Windows 10 Home boots from a copy of the bootloader located in the UEFI partition under the directory *:efi\old\boot\, where old is just a renamed copy of the microsoft folder.
    The new microsoft folder has inside a renamed refind.efi file that fools the BIOS into thinking it boots the Windows boot loader as normal, so in efi\microsoft\boot I have a file called bootmgr.efi which has nothing to do with Microsoft. This file launches a GUI boot loader which loads the EFI boot driver for the NVMe drive, and then lets me pick Windows (from the modified location) or Linux from the other SSD.

    Windows still thinks its boot loader files are in the efi\microsoft\boot folder and copies over the original boot loader files, but only the 2 *.efi files, and nothing else, after some updates that are normally performed at boot level (version upgrade and so on).
    I would really like to either tell Windows where its boot files really are or make it aware it can't modify boot files.

    The Windows installed on the laptop is Windows 10 Home 64-bit 22H2, build 19045.3086.
    The system boots in UEFI mode; Secure Boot is disabled.

    If you have some ideas I would be very grateful.


  2. Posts : 17,029
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #2

    Make an image of the EFI system partition & restore that image after Windows changes the partition.


    Denis


  3. Posts : 56
    whatever
    Thread Starter
       #3

    That is actually more work than just pressing F9, booting to Linux and copying 2 files back.
    Still, the update it wants to install would not install either way, so it would try again the next time I use Windows and the story would repeat. Forever.

    The problem is Windows will break boot every time an update needs to install from outside of Windows, but since it is modifying the wrong boot files it will never even install.

    The only way I know to stop it is to stop Windows updates, which I don't want.
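    Posts #2 and #3 describe the same recovery loop done by hand: keep a known-good copy of the loader directory and, from Linux, mount the ESP and copy the replaced files back. As an added example (not code from the thread, from rEFInd or from Microsoft), the POSIX shell script below does that check and restore by file hash, reporting which files changed or went missing before it touches anything. The backup and mount paths are hypothetical, and the thread's layout (rEFInd renamed to bootmgr.efi inside EFI\Microsoft\Boot) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): check the EFI System Partition (ESP)
# against a known-good copy and put back only the files Windows overwrote.
# Hypothetical paths; adjust to your layout:
#   BACKUP=/root/esp-backup/EFI/Microsoft/Boot   (copy taken while booting worked)
#   ESP=/mnt/esp/EFI/Microsoft/Boot              (the mounted ESP)
# Files are compared by SHA-256, not by timestamp: FAT timestamps are coarse
# and a plain cp over the ESP resets them anyway.

# Print the SHA-256 of one file, or the word "missing" if it does not exist.
file_hash() {
    if [ ! -f "$1" ]; then
        echo missing
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1    # macOS / BSD fallback
    fi
}

# List every file in the backup tree, relative to its root (one per line).
# ESP paths contain no whitespace, so word-splitting the list is safe here.
backup_files() {
    (cd "$1" && find . -type f | sed 's|^\./||' | sort)
}

# esp_check BACKUP ESP
# Prints one line per backed-up file: "ok", "changed" or "missing" plus path.
# Returns 0 when the ESP matches the backup exactly, 1 when anything differs.
esp_check() {
    rc=0
    for rel in $(backup_files "$1"); do
        want=$(file_hash "$1/$rel")
        have=$(file_hash "$2/$rel")
        if [ "$have" = missing ]; then
            echo "missing $rel"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "changed $rel"; rc=1
        else
            echo "ok $rel"
        fi
    done
    return $rc
}

# esp_restore BACKUP ESP
# Copies back only the files that differ or are missing, leaves the rest
# untouched, and prints how many files it restored.
esp_restore() {
    n=0
    for rel in $(backup_files "$1"); do
        if [ "$(file_hash "$1/$rel")" != "$(file_hash "$2/$rel")" ]; then
            mkdir -p "$(dirname "$2/$rel")"
            cp "$1/$rel" "$2/$rel"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Typical use from the Linux side after Windows has replaced the loader
# (hypothetical device and mount point):
#   mount /dev/sda1 /mnt/esp
#   esp_check "$BACKUP" "$ESP" || esp_restore "$BACKUP" "$ESP"
#   umount /mnt/esp
```

    Run esp_check first: its non-zero exit and the "changed"/"missing" lines show exactly what the update rewrote, which is also the evidence that Windows replaced the two .efi files rather than something else breaking. esp_restore copies back only the differing files, so a BCD store that Windows left untouched stays as it is.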


  4. Posts : 6,470
    Windows 11 Pro - Windows 7 HP - Lubuntu
       #4

    Under your "My Computer" it says you have Win 7 Pro.
    Please edit your profile with ALL your hardware specs. It will help us to help you.
    System Specs - Fill in at Ten Forums

    Please post a whole-window Disk Management image of ALL your drives. Don't forget to expand the columns so we can read them. How to Post a Screenshot of Disk Management
    If you have MiniTool or AOMEI Partition, use it instead of Windows Disk Manager.


  5. Posts : 56
    whatever
    Thread Starter
       #5

    Well I must confess the OS bio is not up to date, because I don't really care. I run whatever I have at hand, so mostly some kind of Windows from Vista to 11 or some flavor of Ubuntu, and there is no point in updating it every time I change computer, and I am doing that 2-3 times a day if not more often. I am not really attached to anything and I mostly work on the OSes my work has, which are Windows Vista to 11 with the exception of 8, or whatever comes with the computer. And when I read the request to update I kind of got mad and didn't read the rest, and then life got in the way of reading it again. I am mostly a hardware hacker, so sometimes it is easier for me to solder a memory stick on top of the motherboard than to explain what is not working to another person. So sorry if I sound a bit pushy or seem to intentionally not adhere to the rules; it just kind of happens to me a lot.

    As for screenshots, I don't think they change much; it is a regular Windows GPT EFI partition layout (with the recovery partition removed).
    Disk 0 is the SATA SanDisk system drive the BIOS can boot from, containing Windows 10, and I think it is a clean install, although it might have been installed on a different physical SSD and cloned to this one because Linux was fussy about the previous one.

    Disk 1 is the NVMe drive that under normal circumstances is not bootable, because the UEFI BIOS does not contain a PCIe mass storage driver and is locked so it can't be updated, but this disk is technically invisible to Windows during the boot process and only loads as a PCIe device driver in the system.

    I also attach pictures of the screen with the error message, and the step-by-step "boot from file" process that can be used by pressing F9 when Windows does brick itself:
    boot from file > no volume name pci root (0:0)... > <efi> > and inside the efi folder are 6 subfolders:
    tools - I don't know what this is; it was there, I don't touch it
    hp - those are BIOS flashing utilities the HP BIOS patcher generated
    boot - is something the Ubuntu GRUB bootloader created while installing Linux one time, not a concern; since Linux is different now it just drops you to the GRUB shell
    old - copy of the microsoft folder with EFI files that can boot Windows 10 even after Windows bricks itself
    refind - copy of the graphical boot loader capable of loading drivers into the UEFI shell, sadly not permanently into the BIOS ROM
    microsoft - is the default boot folder the motherboard looks for on a drive, and it only boots one file from there; copying rEFInd inside and renaming the EFI file rEFInd comes with to what Microsoft created makes UEFI boot to rEFInd instead of Windows while still thinking it boots the Windows Boot Manager, although the Secure Boot handshake fails, so Secure Boot is disabled.

    On the first screen of the F9 menu you can also see booting directly to the SanDisk drive; that is legacy boot.

    I was kind of thinking about looking for UEFI boot variables in Registry Editor, but that might be pointless if the boot manipulations are hardcoded in the updates that fail to install, bricking the boot process.

    - - - Updated - - -

    sorry one picture got lost
    [Attached images: five photos of the F9 boot-from-file menus and the error screen (img_20231031_*.jpg), plus a Disk Management screenshot (disks.jpg)]


  6. Posts : 282
    Windows 10 Pro
       #6

    This is kind of a hard problem. I'm wondering if setting the folder/folders to read only would work? But when I did that myself I got problems.

    A hacker way to do it is to write the bootloader back immediately upon change. One way I would do it is with a USB rubber ducky...

    So, say Windows updates, destroys your bootloader and Windows can't boot. Insert the Rubber Ducky and in a practical instant everything is copied back to normal... LOL!

    You can probably build one too. You just need writing ability and copy/paste ability with some scripting language. Hak5's Ducky does that, but YMMV.

    You should have seen me solve an issue like this, but the hard drives were encrypted. Took me 10 hours of research to fix that problem.


  7. Posts : 56
    whatever
    Thread Starter
       #7

    Well yes, I could probably make something like that, but it would be even easier to just have my bootloader on USB and leave Windows on the SSD as it wants to be. Because currently that cursed .NET Framework update that is bricking the boot process fails to install each time it doesn't boot from the mess it created, and starts to install itself from scratch.

    I could copy all the content of the old folder back to microsoft and then replace only that one file the BIOS boots from; then it probably wouldn't brick itself but would remove my bootloader each time it wants. Kind of setting Windows in the dominant position.

    I could install Windows on the non-bootable SSD in the absence of the bootable one (or just clone it there), then Linux on the main SSD and only then my bootloader, because I don't think GRUB was able to pick up Windows from the non-bootable SSD last time I tried that.
    Windows doesn't care which SSD it boots from, but I don't know if it checks with the BIOS which SSD is the one selected to boot from.

    There are a lot of hacky ways to do it, but I hoped to find one that Windows could understand.


  8. Posts : 5,378
    Windows 11 Pro 64-bit
       #8

    In this video, I will guide you on how to rebuild the Boot Configuration Data (BCD) to fix some Windows startup issues.


    In this video, I will guide you on how to repair the EFI System Partition (ESP). If the system partition has been corrupted, you can use the BCDBoot command to recreate the system partition files by using new copies of these files from the Windows partition.


  9. Posts : 6,470
    Windows 11 Pro - Windows 7 HP - Lubuntu
       #9

    kokodin said:
    Windows was installed first, then Linux on another unbootable SSD that shouldn't even be there; the first SSD shouldn't be there either by HP design, so no hope for tech support from them. I literally soldered wires on the motherboard for it to work, so I am kind of invested in the computer.
    I have an old laptop in which I replaced the HDD with a SATA SSD and replaced the ODD (CD/DVD) with a 2.5" drive caddy.
    As you refuse to give the laptop specs, can you explain why you did what you did (soldered wires on the motherboard)?

    I have Win 7 and Lubuntu on the same UEFI-GPT drive and never had any problem with boot manager modification after any update (Win or Linux). I have set Win as the priority boot drive and launch the boot menu (F12) during POST to choose Lubuntu. I have also made some modifications to the GRUB boot manager script so it doesn't load Win as a boot option.
    [Attached image: dm2.jpg]


  10. Posts : 2,303
    Linux:Debian, Kali-Linux... 2xWin8.1,1x7Pro, Retro:1x2003server.1xXPpro, 1xW2k,1x98SE,1x95,1x3.11
       #10

    F22 Simpilot said:
    This is kind of a hard problem. I'm wondering if setting the folder/folders to read only would work? But when I did that myself I got problems.

    A hacker way to do it is to write the bootloader back immediately upon change. One way I would do it is with a USB rubber ducky...

    So, say Windows updates, destroys your bootloader and Windows can't boot. Insert the Rubber Ducky and in a practical instant everything is copied back to normal... LOL!

    You can probably build one too. You just need writing ability and copy/paste ability with some scripting language. Hak5's Ducky does that, but YMMV.

    You should have seen me solve an issue like this, but the hard drives were encrypted. Took me 10 hours of research to fix that problem.
    Hi Simpilot
    I will only offer a thought from my experience. I started to lab a bit with EFI partitions, but I never finished it, as I always take the easy road on dual-boot with two or more disks and use the BIOS boot menu. Legacy installs are king for that purpose.
    But in theory, you could mount the EFI partition in Windows, take ownership and then kick out TrustedInstaller and SYSTEM from the write/change permissions and only leave them read/run. That way they can still use the files and you can still tweak them, but SYSTEM and TrustedInstaller in theory can't change them on updates to screw up the system.

    But in this case I would go with legacy installs, and skip making a small FAT boot partition in Linux and just make a / for root and boot. That way Windows can't see the Linux bootloader and can't screw up Linux. Almost a bulletproof solution for a Win/Linux dual-boot.

    Just my thoughts over my third cup of coffee... nothing more, nothing less.

