diff --git a/docs/en/setup/bootstrap-checks-xes.asciidoc b/docs/en/setup/bootstrap-checks-xes.asciidoc
new file mode 100644
index 00000000000..6d831b81ddb
--- /dev/null
+++ b/docs/en/setup/bootstrap-checks-xes.asciidoc
@@ -0,0 +1,85 @@
+[role="xpack"]
+[[bootstrap-checks-xpack]]
+== Bootstrap Checks for {xpack}
+++++
+Bootstrap Checks
+++++
+
+
+In addition to the <>, there are
+checks that are specific to {xpack} features.
+
+[float]
+=== Encrypt sensitive data check
+//See EncryptSensitiveDAtaBootstrapCheck.java
+
+If you use {watcher} and have chosen to encrypt sensitive data (by setting
+`xpack.watcher.encrypt_sensitive_data` to `true`), you must also place a key in
+the secure settings store.
+
+To pass this bootstrap check, you must set the `xpack.watcher.encryption_key`
+on each node in the cluster. For more information, see
+{xpack-ref}/encrypting-data.html[Encrypting Sensitive Data in {watcher}].
+
+[float]
+=== PKI realm check
+//See PkiRealmBootstrapCheckTests.java
+
+If you use {security} and a Public Key Infrastructure (PKI) realm, you must
+configure Transport Layer Security (TLS) on your cluster and enable client
+authentication on the network layers (either transport or http). For more
+information, see {xpack-ref}/pki-realm.html[PKI User Authentication] and
+{xpack-ref}/ssl-tls.html[Setting Up TLS on a Cluster].
+
+To pass this bootstrap check, if a PKI realm is enabled, you must configure TLS
+and enable client authentication on at least one network communication layer.
+
+[float]
+=== Role mappings check
+
+If you authenticate users with realms other than `native` or `file` realms, you
+must create role mappings. These role mappings define which roles are assigned
+to each user.
+
+If you use files to manage the role mappings, you must configure a YAML file
+and copy it to each node in the cluster. By default, role mappings are stored in
+`ES_PATH_CONF/x-pack/role_mapping.yml`. Alternatively, you can specify a
+different role mapping file for each type of realm and specify its location in
+the `elasticsearch.yml` file. For more information, see
+{xpack-ref}/mapping-roles.html#mapping-roles-file[Using Role Mapping Files].
+
+To pass this bootstrap check, the role mapping files must exist and must be
+valid. The Distinguished Names (DNs) that are listed in the role mappings files
+must also be valid.
+
+[float]
+=== SSL/TLS check
+//See TLSLicenseBootstrapCheck.java
+
+In 6.0 and later releases, if you have a gold, platinum, or enterprise license
+and {security} is enabled, you must configure SSL/TLS for
+internode-communication.
+
+NOTE: Single-node clusters that use a loopback interface do not have this
+requirement. For more information, see
+{xpack-ref}/encrypting-communications.html[Encrypting Communications].
+
+To pass this bootstrap check, you must
+{xpack-ref}/ssl-tls.html[set up SSL/TLS in your cluster].
+
+
+[float]
+=== Token SSL check
+//See TokenSSLBootstrapCheckTests.java
+
+If you use {security} and the built-in token service is enabled, you must
+configure your cluster to use SSL/TLS for the HTTP interface. HTTPS is required
+in order to use the token service.
+
+In particular, if `xpack.security.authc.token.enabled` and `http.enabled` are
+set to `true` in the `elasticsearch.yml` file, you must also set
+`xpack.security.http.ssl.enabled` to `true`. For more information about these
+settings, see <> and <>.
+
+To pass this bootstrap check, you must enable HTTPS or disable the built-in
+token service by using the {security} settings.
diff --git a/docs/en/setup/setup-xes.asciidoc b/docs/en/setup/setup-xes.asciidoc
index 3bf3eedb32a..063ded8f194 100644
--- a/docs/en/setup/setup-xes.asciidoc
+++ b/docs/en/setup/setup-xes.asciidoc
@@ -13,4 +13,5 @@ easy-to-install package. To access this functionality, you must
include::installing-xes.asciidoc[]
include::{xes-repo-dir}/settings/configuring-xes.asciidoc[]
include::setup-xclient.asciidoc[]
+include::bootstrap-checks-xes.asciidoc[]
include::{xes-repo-dir}/security/configuring-es.asciidoc[]