Windows 11 only with Secure Boot - will Dual Boot work?

Why, what do you need Secure Boot to protect?

No.
You can’t just enable Secure Boot and have a bootable Manjaro. There’s no easy way to have both Windows and Manjaro working with Secure Boot enabled. That being said, there is a difficult and long way to do it though.

But there is no red lock sign on Windows 11 for me if Secure Boot was off for a long time in my Desktop PC.
I know Windows 11 only needs TPM 2.0 chip.
I suspect that Windows key was already preinstalled in Secure Boot in your device, that is why the red lock sign appears when Secure Boot is turned off with the existing key.

Maybe delete this Windows key in Secure Boot, then no more red sign, but better not try (it can break Windows 11).

Interesting. Does this red stripe and lock thingie show up when you boot Manjaro? Or only when booting Windows? If the latter then sorry there’s no place for discussing Windows-specific issues on Manjaro forum.
But if the former then it is most likely provided by UEFI firmware.

I’m currently writing a comprehensive tutorial on enabling Secure Boot and making use of TPM to unlock encrypted system partition on boot to provide BitLocker-like experience in Manjaro, but it is going to be huge and probably make you suffer even more since it involves a lot of manual fiddling with configs and other error-prone shenanigans so you’ll have to choose between unfortunate absence of deed and dangerous actions that, in event of mistake, may result in extra hour(s) of recovery. I’m wicked and I know it :rofl:

You should probably contact the manufacturer to “fix” their firmware :wink:
Most likely Micro$oft will tell you that it’s pure blasphemy to disable SB and install Linux on it though :rofl:

Protect the boot chain. Works fantastic in Windows, kills off unverified drivers, any tampering triggers BitLocker recovery. Secure Boot is 100% needed for a work environment. A work computer at home must be on par with a pro workstation where SB saturation is close to 100% (for both Windows and Linux). And with COVID, SB is needed even more than ever before.

I had Manjaro, and I had to turn off SB temporarily each time, and later type the BitLocker recovery key each time. Got tired of it, really.

Here’s the list (omits major Ubuntu derivatives):
https://distrowatch.com/search.php?pkg=shim&relation=lessequal&pkgver=1&distrorange=InAny
You can see the top 5 installed on the pro workstations.

Why? I mean, what does COVID have to do with Secure Boot?

Shim alone is not enough. It cannot protect from booting with an initrd and/or cmdline that has been tampered with. Without a unified signed kernel + encryption, the entire Secure Boot effort provided by major Linux distributions is a joke with regard to security. Now it only serves one purpose actually: it allows users to boot their Linux OS without turning SB off in UEFI settings. This is an exaggeration but it is still more or less the reality.

What is your computer?

That is not Windows 11’s fault, I use Win11 on my Thinkpad too. It is the Surface UEFI’s fault. So if you do not use Surface (as I am now), you may not see this sign.

It shows up before you choose in GRUB between Windows and Manjaro.

Ah then it is clearly a UEFI firmware thing.
Edit your BIOS then :slight_smile:

It is my custom Desktop PC that I built myself.

I see, Surface is Micro$oft itself. It wants to force you to enable Secure Boot without red bar. :man_shrugging: