Windows 8 Boot Security FAQ
How does Windows 8 prevent attackers from replacing boot components?
All systems with the Windows 8 certification use Secure Boot (part of the UEFI specification) to protect hardware-related firmware and the operating-system loader from tampering.
Secure Boot can prevent the system from booting if unauthorized changes have been made or possibly even refresh the some boot components, such as the UEFI firmware, to a known good state.
In the case of Windows 7 certified devices, the Trusted Platform Module (TPM) can be used to measure boot code and provide similar protection to UEFI’s Secure Boot feature.
In this case the TPM will not unlock the operating-system drive if the BIOS firmware, boot order, MBR, or operating-system boot loader changes, just to name a few (unless an administrator previously authorized it from Windows or until the user provides the BitLocker recovery password).
As a result, an attacker trying to replace boot components, or change boot media to force a boot through components they control in an attempt to get the key, will fail.
Use of the TPM for boot protection is an effective capability on Windows 7 devices; however, systems equipped with UEFI and its Secure Boot will benefit from the additional security and recovery-related capabilities that UEFI offers.
What are the hardware requirements for Secure Boot?
To run Secure Boot, PCs must be equipped with UEFI version 2.3.1 firmware or greater. UEFI version 2.3.1 firmware or greater is a certification requirement for Windows 8.
What is Trusted Boot?
Trusted Boot is a Windows 8 feature that secures the entire Windows boot process. It prevents malware from hiding and taking up permanent residence within the PC by ensuring none of the Windows components loaded during boot have been tampered with.
Trusted Boot also ensures that anti-malware software is loaded before any third-party drivers and applications using its Early Launch Anti-Malware (ELAM) capability. This prevents malware from inserting itself in front of the anti-malware engine so that it can compromise the anti-malware engine’s ability to protect the system.
In the event that malware was able to successfully compromise the any of the Windows boot process, Trusted Boot will attempt to automatically remediate the issue.
What is the difference between Trusted Boot and Secure Boot?
Trusted Boot is a Windows 8 feature that can protect the Windows boot process and anti-malware solution (if properly designed and ELAM compliant) from tampering by malware. Trusted Boot specifically prevents boot-kit infections that inject themselves into the Windows boot process.
Trusted Boot does not require a Windows 8 certified device or a device that includes UEFI 2.3.1.
Trusted Boot is best able to protect the system, boot process, and antimalware solution on Windows 8 certified devices that include UEFI 2.3.1 hardware with the Secure Boot feature enabled.
Secure Boot prevents root-kit infections, which inject themselves before the Windows boot process, from starting. Secure Boot requires a Windows 8 certified device that includes UEFI 2.3.1.
https://technet.microsoft.com/en-us/windows/dn168169.aspx
