From ae3045451972d9fe90e2f132de4a24c1b72070ed Mon Sep 17 00:00:00 2001
From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit>
Date: Tue, 7 Sep 2021 16:32:59 -0700
Subject: [PATCH] Create trusted-boot.md

---
 windows/security/os-security/trusted-boot.md | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 windows/security/os-security/trusted-boot.md

diff --git a/windows/security/os-security/trusted-boot.md b/windows/security/os-security/trusted-boot.md
new file mode 100644
index 0000000000..2ab20d1e02
--- /dev/null
+++ b/windows/security/os-security/trusted-boot.md
@@ -0,0 +1,33 @@
+---
+title: Trusted Boot
+description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
+search.appverid: MET150 
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp 
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/07/2021
+ms.prod: w11
+ms.localizationpriority: medium
+ms.collection: 
+ms.custom: 
+ms.reviewer: jsuther
+f1.keywords: NOCSH  
+---
+
+# Trusted Boot
+
+This article describes Trusted Boot, a security measure built into Windows 11 to prevent malware and corrupted components from loading when a Windows 11 device is starting.
+
+## Secure Boot
+
+The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
+
+As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered with. 
+
+## Trusted Boot
+
+Trusted Boot takes over where Secure Boot leaves off. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
+
+Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
\ No newline at end of file