posting an update that it worked in the end. (somehow the VM i created as test used another SCSI adaptor and it didn’t play well)
The settings that are default for a Win10 x64 still needed secure boot to be turned off.
For those who might venture, here’s my settings for my clients.
c6256d12-e5ba-4d91-b883-b1e54550e56a-image.png
ed58e765-7d34-451a-a128-f5a13a30a316-image.png
Time for some NAC + Jumpcloud + Chocolatey fun