Encryption
adm, 2017-09-09 06:30:10

How to protect a computer with constant uptime (upd)?

Hello. If a feeling of deja vu begins to visit you, it's not for nothing: I already asked this question. However, I didn't sit still and looked for options, and even found one, but there are still a few buts...
In short, the essence of the previous question is as follows: there is a computer that is always on. There is no access to it (it is far away); theoretically someone can come for it and copy commercial information. The goal is to defend against this type of attack. The computer is a regular PC on Windows 10, auto-login is configured, without additional equipment; decryption should occur automatically, even during reboots and other conditions (for example, the power went out, the BIOS is set to power on, the power came back, the PC started up).
In the previous topic the answer was essentially given: BitLocker Network Unlock. However, it is only suitable for a server OS and, judging by what I understand, it works with a domain over a local network. The option is not suitable; my PC is standalone.
The answer was essentially on the surface: Windows has standard encryption (EFS) (right-click on the folder - Properties - Attributes - Other - Encrypt contents to protect data). A certificate is created on the PC with which these files are decrypted on the fly; if, for example, you connect this hard drive to another PC and copy the files, they will be encrypted (and if you copy them to a USB flash drive, even with the OS running, they will be copied in encrypted form). However, with all its charms, there are obvious BUTs:
1. Nothing prevents decrypting the file the same way it was encrypted, by simply removing the "tick" in the settings. Are there options to make this interaction require an administrator password? (Not UAC, but the password.)
2. Is it possible to protect the certificate from import? Again, require an administrator password or certificate.
3. With this type of encryption, is it possible to encrypt file names? At the moment it looks like "file.doc.[EFS extension]" (I've tried looking for similar items in the security policies, no luck).
4. Is it even possible to boot Windows but still show the login form? That is, the OS starts, autostart runs, the necessary software starts (for example, a web server), but all an observer sees is the authorization form; after entering the password, you can work with Windows (implementing this direction is the most interesting, because it automatically protects against points 1 and 2). All I found is to add a script to autostart, or a script to the profile, or add a script to the Task Scheduler: on logon, execute "user32.dll, LockWorkStation". But this option is just ridiculous, because you can simply boot into safe mode and none of this will run. And without this item, in fact, everything is meaningless, because in fully decrypted Windows it is not difficult to read all the files, even without copying; if this item is implemented and even,
In general, I'm waiting for your thoughts; maybe I missed something?
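An added audit script, not from the original post or from Microsoft, that checks the two things points 1 and 2 of the question depend on: whether the files in a folder actually still carry the EFS "Encrypted" attribute, and whether the current user's EFS certificate has an exportable private key (an exportable key is what lets the certificate be moved to another machine). It assumes an example folder `C:\Data`; the EFS EKU OID `1.3.6.1.4.1.311.10.3.4` is the standard one.

```powershell
# Added audit script (not from the original post). Assumes a folder $Path that
# was EFS-encrypted as the post describes; adjust the path before running.
param([string]$Path = 'C:\Data')   # assumed example folder

# --- 1. Which files under $Path actually carry the EFS "Encrypted" attribute? ---
# A file is only protected while the attribute is set; removing the tick
# (point 1 in the question) clears it, so this spots files that were decrypted.
$files = @(Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue)
$plain = @($files | Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) })
"{0} files under {1}, {2} NOT encrypted" -f $files.Count, $Path, $plain.Count
$plain | Select-Object -ExpandProperty FullName

# --- 2. Can the current user's EFS certificate be exported with its private key? ---
# Only certificates carrying the EFS enhanced key usage decrypt EFS files.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert = $_
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object Value -eq $efsOid)) { return }

    $exportable = 'unknown'
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: the key storage provider records an export policy
            $policy = $rsa.Key.ExportPolicy
            $exportable = [bool]($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key: the container info records exportability
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        }
    } catch { $exportable = "unknown ($($_.Exception.Message))" }

    [pscustomobject]@{
        Subject              = $cert.Subject
        Thumbprint           = $cert.Thumbprint
        NotAfter             = $cert.NotAfter
        PrivateKeyExportable = $exportable
    }
}
```

Run it in the account that encrypted the files; a result of `True` for PrivateKeyExportable means the key can be exported as a PFX by anyone who can run code as that (auto-logged-in) user.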


3 answers
Axian Ltd., 2017-09-09
@AxianLTD

With physical access to the computer's case, protection must also be physical, for example a hardware disk encryptor, or hardware shutdown (read: cutting off) of ports. Everything else is from the evil one. Like trying to hammer in a steel (hardware) nail with a cotton (software) bag.

CityCat4, 2017-09-09
@CityCat4

I don't think you started in the right place. One always starts with the question: what is the intruder model? Who are you protecting yourself from? From a curious neighbor, from a competitor, from the state? Different offenders have different abilities and different motivations. Where the neighbor would already have given up, the state will only make a note that it is time to bring out the soldering iron.
And second. Windows is simply not adapted to what you are trying to do. It is a game console, an entertainment center: toys, movies, music. Well, it is also suitable as an office workstation. For things like this you need to take Linux. And not just any, but a specialized one (I won't tell you which one).
In the general case you need to try sooooo hard so that someone with hardware access to your computer cannot make the information leak. And this again brings us back to the question of the intruder model. The stronger the motivation, the more effort the violator will put into gaining access to the information.
Are you saying that the computer is very far away and there is no way to get there? Then how can you know; what if it has already been virtualized there for a long time? Here's an example.

WayMax, 2017-09-11
@WayMax

You have already been told that with full physical access to the PC you will not "protect" it in any way.
