Secure Boot must be enabled on Windows 11 systems.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-253257	WN11-00-000020	SV-253257r971547_rule		Medium

Description

Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security features in Windows 11, including virtualization-based Security and Credential Guard. If Secure Boot is turned off, these security features will not function.

STIG	Date
Microsoft Windows 11 Security Technical Implementation Guide	2024-09-12

Details

Check Text (C-56710r828853_chk)

Verify the system firmware is configured for Secure Boot.

For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, this is NA.

Run "System Information".

Under "System Summary", if "Secure Boot State" does not display "On", this is a finding.

Fix Text (F-56660r828854_fix)

Enable Secure Boot in the system firmware.