Secure Boot & measured boot
How firmware and boot policy establish trust before Windows starts.
Official Microsoft docs
Closest official references related to this topic on Microsoft Learn.
Why it matters
Secure Boot reduces bootkit risk. Measured boot feeds attestation and BitLocker-style trust decisions.
Mental model
Each boot stage verifies the next before execution. Policy is stored in UEFI variables and boot configuration.
How it works
- 1UEFI Secure Boot checks signatures on boot loaders and boot-critical drivers.
- 2Windows boot components extend the chain of trust into the OS.
- 3TPM PCRs can record measurements for later attestation.
Key terms
- Secure Boot
- Firmware policy that allows only signed boot software.
- TPM PCR
- Platform Configuration Register storing boot measurements.
A driver fails to load on Secure Boot systems
Unsigned or untrusted boot-start drivers may be blocked before the kernel finishes initialization.
Common misconception
Secure Boot is not disk encryption. It validates early boot software; BitLocker protects data at rest.
You should read next
Ranked from your current topic, related links, branch depth, and any active guided path.
intermediate
Boot loader to kernel handoff
The transition from firmware and boot manager into Windows kernel initialization.
Related topic
intermediate
HAL & boot
Hardware abstraction and the path from firmware to the running kernel.
Related topic
beginner
Security
Access tokens, privileges, integrity, and how Windows decides who can do what.
Related topic