A few months ago I wrote a post detailing how to manage the EFI lock screen, loginwindow and trigger the EFI cache. It was updated many times throughout the following days and inevitably caused some confusion.
With the release of macOS Sierra 10.12.2, Apple has made one welcome change to System Integrity Protection (SIP): you can now re-enable the feature without being booted into the Recovery partition!
While I have tried to document and piece together as much as possible here, some of the statements could be inaccurate. Until Apple posts more information about this process, take everything you read below with a grain of salt. If you choose to use the methodologies in production, I offer no warranties to the integrity of your system.
Update 4: Note about non-blurred wallpapers and extra EFI data