Secure Boot must be enabled

e8bb4b60-e081-427e-924e-e99a1aacf387

When a PC starts, it first finds the operating system boot loader. PCs without Secure Boot simply run whatever boot loader is on the PC’s hard drive, and the PC has no way to tell whether it is a trusted operating system or a rootkit.

https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process


stig-low-server
stig-low-desktop
compliance-desktop
compliance-server
security-server
security-desktop