Windows OS: Secure Boot must be enabled

e8bb4b60-e081-427e-924e-e99a1aacf387

When a PC starts, it first finds the operating system boot loader. PCs without Secure Boot simply run whatever boot loader is on the PC’s hard drive and there is no way for the PC to tell whether it’s a trusted operating system or a rootkit.

https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process

Remediation

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/secure-boot-isnt-configured-correctly-troubleshooting

Stig Server: https://www.stigviewer.com/stig/windows_server_2016/2019-01-16/finding/V-90355
Stig Desktop: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-77085

stig-low-server

stig-low-desktop

compliance-desktop

compliance-server

security-server

security-desktop

Knowledge Base
Documentation
Tutorials
Screencasts
Validation Scripts
Support Center