JackMurphy ah alright. A modern Thinkpad meets your requirements then. Something to consider however regarding Thinkpads:
"Lenovo ThinkPad
In my opinion, the security of vPro Enterprise Thinkpad laptops is generally acceptable for the product class. However, there is a big gotcha with their firmware: the “prevent BIOS downgrade” toggle does not actually work. This toggle only nicely asks Windows to not downgrade the firmware, but if a tool like fwupd tries to downgrade it, the firmware will allow the downgrade.
The implication of this is that if you have the UEFI update capsule enabled, a compromised OS can downgrade your firmware to a version vulnerable to something like LogoFail, and the malware can then gain persistence in the firmware. The problem can theoretically be solved if Lenovo blows Boot Guard fuses to prevent downgrade, but in reality they do it even less often than Dell.
For this reason, I recommend buying Dell Latitude/Precision over Lenovo products. If you have to use a Lenovo laptop anyways, consider disabling the UEFI capsule, and use a different, trusted computer to create a USB stick for firmware updates."
This is something I pulled from a preview article by PrivSec that has still not been posted on their main website (and is therefore subject to change) but has important information nonetheless.
The article: https://deploy-preview-244--privsec-dev.netlify.app/posts/knowledge/laptop-hardware-security/
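
A way to check from Linux whether the capsule update path the quoted text warns about is exposed to the OS, as an added example that is not from the post or the PrivSec article. It assumes the kernel's standard ESRT sysfs layout (`/sys/firmware/efi/esrt/entries/entryN/`) and root access to read it; the function name `esrt_audit` and the verdict strings are made up for this example. The rollback floor it reports is only what the firmware advertises, not proof that a downgrade would be refused.

```shell
#!/bin/sh
# Added example: audit the EFI System Resource Table (ESRT) that Linux exposes
# when the firmware offers UEFI capsule updates to the OS.
# Verdict printed on stdout (per-entry details go to stderr):
#   no-esrt          - no capsule update targets are exposed to the OS
#   floor-current    - targets exposed; advertised rollback floor equals running version
#   rollback-allowed - at least one target advertises a floor below the running version
#   unreadable       - entries exist but could not be read (run as root)
esrt_audit() {
    root=${1:-/sys/firmware/efi/esrt}
    verdict=no-esrt
    for entry in "$root"/entries/entry*; do
        [ -d "$entry" ] || continue
        cur=$(cat "$entry/fw_version" 2>/dev/null || true)
        floor=$(cat "$entry/lowest_supported_fw_version" 2>/dev/null || true)
        class=$(cat "$entry/fw_class" 2>/dev/null || true)
        # Both values must be plain decimal numbers; otherwise skip the entry.
        case "$cur:$floor" in
            *[!0-9:]*|:*|*:)
                if [ "$verdict" = no-esrt ]; then verdict=unreadable; fi
                continue ;;
        esac
        if [ "$floor" -lt "$cur" ]; then
            echo "${class:-unknown}: running $cur, advertises rollback to $floor" >&2
            verdict=rollback-allowed
        elif [ "$verdict" != rollback-allowed ]; then
            echo "${class:-unknown}: running $cur, floor $floor" >&2
            verdict=floor-current
        fi
    done
    echo "$verdict"
}

# Default run against the live system; pass another directory to audit a copy.
esrt_audit "${1:-/sys/firmware/efi/esrt}"
```

With the UEFI capsule disabled in firmware setup as the quoted advice suggests, the expected verdict is `no-esrt` (an assumption about how the setting surfaces in Linux, not something the post states).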