{
	"id": "c70225ae-b94b-4c94-b943-694de32cae00",
	"created_at": "2026-04-06T00:21:16.078669Z",
	"updated_at": "2026-04-10T03:20:35.79297Z",
	"deleted_at": null,
	"sha1_hash": "e2843e1cc3b6179c19a64edc8b273053593f308d",
	"title": "Secure the Windows boot process",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66470,
	"plain_text": "Secure the Windows boot process\r\nBy officedocspr5\r\nArchived: 2026-04-05 16:19:36 UTC\r\nWindows has many features to help protect you from malware, and it does an amazingly good job. Except for apps\r\nthat businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be\r\ncertified and included in the Microsoft Store. This certification process examines several criteria, including\r\nsecurity, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious\r\napp does get through, Windows includes a series of security features that can mitigate the effect. For instance,\r\nMicrosoft Store apps are sandboxed and lack the privileges necessary to access user data or change system\r\nsettings.\r\nWindows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses\r\ncloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows\r\nDefender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as\r\nmalware. Before an app can change system settings, the user would have to grant the app administrative privileges\r\nby using User Account Control.\r\nThose components are just some of the ways that Windows protects you from malware. However, those security\r\nfeatures protect you only after Windows starts. Modern malware, and bootkits specifically, are capable of starting\r\nbefore Windows, completely bypassing OS security, and remaining hidden.\r\nRunning Windows 10 or Windows 11 on a PC with Unified Extensible Firmware Interface (UEFI) support ensures\r\nthat Trusted Boot safeguards your PC against malware right from the moment you power it on. This protection\r\ncontinues until your anti-malware software takes over. If, by any chance, malware manages to infect your PC, it\r\nwon't be able to stay hidden. 
Trusted Boot can verify the system's integrity to your infrastructure in a manner that\r\nmalware can't mask. Even for PCs without UEFI, Windows offers enhanced startup security compared to earlier\r\nWindows versions.\r\nTo begin, let's take a closer look at rootkits and their functioning. Following that, we'll illustrate how Windows can\r\nensure your protection.\r\nThe threat: rootkits\r\nRootkits are a sophisticated and dangerous type of malware. They run in kernel mode, using the same privileges as\r\nthe OS. Because rootkits have the same rights as the OS and start before it, they can completely hide themselves\r\nand other applications. Often, rootkits are part of an entire suite of malware that can bypass local logins, record\r\npasswords and keystrokes, transfer private files, and capture cryptographic data.\r\nDifferent types of rootkits load during different phases of the startup process:\r\nhttps://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process\r\nPage 1 of 5\n\nFirmware rootkits. These kits overwrite the firmware of the PC's basic input/output system or other\r\nhardware so the rootkit can start before Windows.\r\nBootkits. These kits replace the OS's bootloader (the small piece of software that starts the OS) so that the\r\nPC loads the bootkit before the OS.\r\nKernel rootkits. These kits replace a portion of the OS kernel so the rootkit can start automatically when\r\nthe OS loads.\r\nDriver rootkits. These kits pretend to be one of the trusted drivers that Windows uses to communicate\r\nwith the PC hardware.\r\nThe countermeasures\r\nWindows supports four features to help prevent rootkits and bootkits from loading during the startup process:\r\nSecure Boot. PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load\r\nonly trusted OS bootloaders.\r\nTrusted Boot. 
Windows checks the integrity of every component of the startup process before loading it.\r\nEarly Launch Anti-Malware (ELAM). ELAM tests all drivers before they load and prevents unapproved\r\ndrivers from loading.\r\nMeasured Boot. The PC's firmware logs the boot process, and Windows can send it to a trusted server that\r\ncan objectively assess the PC's health.\r\nFigure 1 shows the Windows startup process.\r\nScreenshot that shows the Windows startup process.\r\nFigure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage:\r\nSecure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all\r\nWindows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these\r\ncomponents, and many PCs designed for earlier versions of Windows have them as well.\r\nThe sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot.\r\nSecure Boot\r\nWhen a PC starts, it first finds the OS bootloader. PCs without Secure Boot run whatever bootloader is on the PC's\r\nhard drive. There's no way for the PC to tell whether it's a trusted OS or a rootkit.\r\nWhen a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk\r\nof firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader's digital signature to verify\r\nthat it hasn't been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the\r\nfollowing conditions is true:\r\nThe bootloader was signed using a trusted certificate. For PCs certified for Windows, the Microsoft\r\ncertificate is trusted.\r\nThe user has manually approved the bootloader's digital signature. 
This action allows the user to load\r\nnon-Microsoft operating systems.\r\nAll x86-based Certified For Windows PCs must meet several requirements related to Secure Boot:\r\nThey must have Secure Boot enabled by default.\r\nThey must trust Microsoft's certificate (and thus any bootloader Microsoft has signed).\r\nThey must allow the user to configure Secure Boot to trust other bootloaders.\r\nThey must allow the user to completely disable Secure Boot.\r\nThese requirements help protect you from rootkits while allowing you to run any OS you want. You have three\r\noptions for running non-Microsoft operating systems:\r\nUse an OS with a certified bootloader. Because all Certified For Windows PCs must trust Microsoft's\r\ncertificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be\r\ntrusted by all Certified For Windows PCs. In fact, an open source bootloader capable of loading Linux is\r\nalready available. To begin the process of obtaining a certificate, go to\r\nhttps://partner.microsoft.com/dashboard.\r\nConfigure UEFI to trust your custom bootloader. All Certified For Windows PCs allow you to trust a\r\nnon-certified bootloader by adding a signature to the UEFI database, allowing you to run any OS, including\r\nhomemade operating systems.\r\nTurn off Secure Boot. All Certified For Windows PCs allow you to turn off Secure Boot so that you can\r\nrun any software. This action doesn't help protect you from bootkits, however.\r\nTo prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a\r\nnon-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings.\r\nThe default state of Secure Boot has a wide circle of trust, which can result in customers trusting boot components\r\nthey may not need. 
Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux\r\ndistributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increases the attack\r\nsurface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all\r\ndistributions - more than their desired configuration. A vulnerability in any of the bootloaders exposes the system\r\nand places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent\r\nvulnerabilities, for example with the GRUB bootloader or firmware-level rootkit affecting boot components.\r\nSecured-core PCs require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA\r\nsignature, by default, to provide customers with the most secure configuration of their PCs possible.\r\nTo trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs\r\ncan be configured in the BIOS menu to add the signature in the UEFI database by following these steps:\r\n1. Open the firmware menu, either:\r\nBoot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete,\r\nF1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During\r\nstartup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too\r\nfast to see it, check your manufacturer's site.\r\nOr, if Windows is already installed, from either the Sign on screen or the Start menu, select Power (\r\n) \u003e hold Shift while selecting Restart. Select Troubleshoot \u003e Advanced options \u003e UEFI Firmware\r\nsettings.\r\n2. From the firmware menu, navigate to Security \u003e Secure Boot and select the option to trust the \"3rd Party\r\nCA\".\r\n3. 
Save changes and exit.\r\nMicrosoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to\r\nhelp you stay secure and opt-in trust for only the publishers and components you trust.\r\nLike most mobile devices, Arm-based devices, such as the Microsoft Surface RT device, are designed to run only\r\nWindows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a\r\nlarge market of ARM processor devices designed to run other operating systems.\r\nTrusted Boot\r\nTrusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows\r\nkernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup\r\nprocess, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the\r\nproblem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted\r\ncomponent, restoring the integrity of Windows and allowing the PC to start normally.\r\nEarly Launch anti-malware\r\nBecause Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next\r\nopportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps don't\r\nstart until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.\r\nEarly Launch anti-malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted\r\nBoot. Because the OS hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a\r\nsimple task: examine every boot driver and determine whether it is on the list of trusted drivers. 
If it's not trusted,\r\nWindows doesn't load it.\r\nAn ELAM driver isn't a full-featured anti-malware solution; that loads later in the boot process. Windows\r\nDefender (included with Windows) supports ELAM, as do several non-Microsoft anti-malware apps.\r\nMeasured Boot\r\nIf a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesn't work with rootkits that hide\r\ntheir presence. In other words, you can't trust the client to tell you whether it's healthy.\r\nAs a result, PCs infected with rootkits appear to be healthy, even with anti-malware running. Infected PCs\r\ncontinue to connect to the enterprise network, giving the rootkit access to vast amounts of confidential data and\r\npotentially allowing the rootkit to spread across the internal network.\r\nMeasured Boot works with the TPM and non-Microsoft software in Windows. It allows a trusted server on the\r\nnetwork to verify the integrity of the Windows startup process. Measured Boot uses the following process:\r\n1. The PC's UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and\r\neverything that is loaded before the anti-malware app.\r\n2. At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted\r\nattestation server sends the client a unique key.\r\n3. The TPM uses the unique key to digitally sign the log recorded by the UEFI.\r\n4. The client sends the log to the server, possibly with other security information.\r\nDepending on the implementation and configuration, the server can now determine whether the client is healthy. 
It\r\ncan grant the client access to either a limited quarantine network or to the full network.\r\nFigure 2 illustrates the Measured Boot and remote attestation process.\r\nScreenshot that shows the Measured Boot and remote attestation process.\r\nFigure 2. Measured Boot proves the PC's health to a remote server:\r\nWindows includes the application programming interfaces to support Measured Boot. However, to take advantage\r\nof it, you need non-Microsoft tools to implement a remote attestation client and trusted attestation server. For\r\nexample, see the following tools from Microsoft Research:\r\nTPM Platform Crypto-Provider Toolkit\r\nTSS.MSR\r\nMeasured Boot uses the power of UEFI, TPM, and Windows to give you a way to confidently assess the\r\ntrustworthiness of a client PC across the network.\r\nSummary\r\nSecure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits\r\nand rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network.\r\nWith Windows, you can trust the integrity of your OS.\r\nSource: https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process"
	],
	"report_names": [
		"secure-the-windows-10-boot-process"
	],
	"threat_actors": [],
	"ts_created_at": 1775434876,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2843e1cc3b6179c19a64edc8b273053593f308d.pdf",
		"text": "https://archive.orkl.eu/e2843e1cc3b6179c19a64edc8b273053593f308d.txt",
		"img": "https://archive.orkl.eu/e2843e1cc3b6179c19a64edc8b273053593f308d.jpg"
	}
}