You can absolutely do this but it is a lot of work and will require a very
high level of expertise.
1.) You will need to create a signed ELAM driver. You can put your workstation in Test Mode and generate a self-signed EKU certificate.
2.) You will need to create a system service that runs as a protected service.
3.) From the protected system service you may launch child processes which will run as a protected process. Note that protected processes cannot have any GUI threads.
All of the DLLs and executables involved need to be signed by the same certificate. You will need to generate special certificates with the 1.3.6.1.5.5.7.3.3 (codesigning) and 1.3.6.1.4.1.311.61.4.1 (early-launch) EKUs.
Something like this:
makecert.exe -a SHA256 -r -pe -ss YourCertStore -n "CN=YourTestElam" -eku 1.3.6.1.4.1.311.61.4.1,1.3.6.1.5.5.7.3.3 -sr localmachine YourTestElam.cer
Good luck. There are a lot of missing steps in this brief summary.
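A check for the two signing requirements in the answer above (one signer for every binary, and both EKUs on that signer), as an added example that is not part of the original answer. The function name and the file paths in the usage comment are hypothetical placeholders.

```powershell
# Added example: audit the signer certificate of each binary of a protected service.
# OIDs are the code-signing and early-launch EKUs named in the answer.
$RequiredEkus = @(
    '1.3.6.1.5.5.7.3.3',        # code signing
    '1.3.6.1.4.1.311.61.4.1'    # early-launch antimalware
)

function Test-ProtectedServiceSigning {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$RequiredEku = $RequiredEkus
    )
    $files = foreach ($file in $Path) {
        $sig   = Get-AuthenticodeSignature -FilePath $file
        $cert  = $sig.SignerCertificate
        $thumb = $null
        $ekus  = @()
        if ($cert) {
            $thumb = $cert.Thumbprint
            # Collect every EKU OID carried by the signer certificate.
            $ekus = @($cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value })
        }
        [pscustomobject]@{
            File       = $file
            Status     = $sig.Status   # a test certificate may not chain to a trusted root
            Thumbprint = $thumb
            MissingEku = @($RequiredEku | Where-Object { $_ -notin $ekus })
        }
    }
    $files    = @($files)
    $unsigned = @($files | Where-Object { -not $_.Thumbprint })
    $signers  = @($files | Where-Object { $_.Thumbprint } |
        ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)
    [pscustomobject]@{
        Files        = $files
        SingleSigner = ($unsigned.Count -eq 0) -and ($signers.Count -eq 1)
        EkusPresent  = @($files | Where-Object { $_.MissingEku.Count -gt 0 }).Count -eq 0
    }
}

# Usage (placeholder paths):
# $r = Test-ProtectedServiceSigning -Path 'C:\YourService\YourElam.sys','C:\YourService\YourService.exe'
# $r.SingleSigner; $r.EkusPresent; $r.Files | Format-Table File, Status, Thumbprint, MissingEku
```

The script reports the Authenticode status without failing on it, because a self-signed test certificate will not validate unless it has been added to the machine's trusted stores.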