What Is Measured Boot?
Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Measured Boot is a security feature that records each stage of system startup so a device can later prove what loaded during boot. Instead of only trying to block untrusted components, measured boot creates cryptographic evidence of the boot chain, helping security teams detect tampering in firmware, bootloaders, and early operating system components.
It is commonly used with a TPM and device attestation workflows to support endpoint trust.
Measured Boot definition
Measured Boot is a platform security capability that takes integrity measurements during startup and stores them in a tamper-evident way. Those measurements can later be checked to determine whether the system booted in an expected, trusted state.
In practical terms, measured boot helps answer a simple question: Did this device start the way it was supposed to?
How Measured Boot works
Measured Boot follows the startup sequence and records what happens along the way.
Startup components are measured in order
As the system powers on, each boot stage measures the next component before passing control to it. Depending on platform and design, this may include:
- firmware
- boot manager or bootloader
- early drivers
- operating system loader
- kernel or hypervisor components
- security-critical startup files
A measurement usually means creating a cryptographic hash of the component, not storing the entire file.
Measurements are stored securely
These hashes are commonly extended into TPM Platform Configuration Registers (PCRs). This matters because the values are not simply replaced. They are updated in a chained, tamper-evident way that reflects the boot sequence.
That gives defenders two key benefits:
- they can compare the startup state against a known-good baseline
- they can detect that something in the boot chain changed
The system can provide attestation evidence
Once the device is running, management or security tools can use the recorded measurements for attestation. That means the system can present evidence about its startup state to another service, such as:
- an endpoint management platform
- a zero trust policy engine
- a conditional access system
- an incident response workflow
If the measured values differ from what is expected, the device may be flagged as risky or denied access to sensitive resources.
Measurements are compared to a trusted baseline
Raw measurements are only useful if someone knows what good looks like. In practice, defenders compare them to:
- approved device baselines
- expected firmware and bootloader states
- known-good builds
- platform trust policies
This is what turns measured boot from a low-level platform feature into an operational security control.
Measured Boot vs. Secure Boot
Measured Boot and Secure Boot are related, but they are not the same.
Secure Boot
Secure Boot is mainly a preventive control. It is designed to allow only trusted, signed components to run during startup.
Measured Boot
Measured Boot is mainly a detective and attestable control. It records what actually ran so that boot integrity can be verified later.
Many organizations use both together. If you want a broader view of how trust is enforced after startup as well, see what is zero trust.
Why Measured Boot matters
Measured Boot matters because attacks do not always begin after login. Adversaries may target:
- firmware
- bootloaders
- early launch components
- kernel startup paths
- virtualization layers
If the device is compromised early in the boot process, many normal security tools start from an already untrusted foundation. Measured boot helps detect that kind of problem and provides evidence that can feed device trust decisions.
This is especially important in environments where endpoint trust affects access to business apps, admin tools, or sensitive data.
When organizations use Measured Boot
You will usually encounter measured boot in environments where device integrity matters more than basic malware detection alone.
Endpoint hardening programs
Measured Boot is often part of modern endpoint security baselines for laptops, workstations, and servers that need stronger startup assurance.
Zero trust and device trust policies
Organizations using device health in access decisions may rely on measured boot evidence directly or indirectly. A device that fails integrity checks may be restricted from reaching high-value resources.
Firmware and boot-chain threat reviews
Measured boot often comes up in discussions about bootkits, rootkits, and firmware tampering because it helps reveal changes that happen before the operating system is fully loaded.
Incident response
Responders may review boot measurements or attestation failures when investigating persistence, suspicious startup behavior, or high-trust system compromise. For related investigative concepts, read what is memory forensics.
Limits of Measured Boot
Measured Boot is useful, but it does not solve every platform security problem.
It does not automatically mean:
- the entire device is secure
- all malicious changes will be blocked
- attestation is configured correctly
- the operating system and apps are free of compromise
- higher-level security controls are unnecessary
It is best understood as one layer in a larger trust model that includes secure configuration, patching, access control, and monitoring.
For general endpoint protection on personal or small-business systems, a tool like Get Malwarebytes → can help reduce malware risk, but it serves a different purpose than platform integrity features like measured boot.
Final takeaway
Measured Boot records and preserves evidence about what happened during system startup. That makes it valuable for verifying boot integrity, detecting tampering, and supporting device trust decisions in modern security programs.
If your organization depends on trusted endpoints, hardware-backed attestation, or stronger protection against low-level persistence, measured boot is one of the core platform security features to understand.