Windows 8 supports a feature of the UEFI specification known as "Secure boot", which uses a public-key infrastructure to verify the integrity of the operating system and prevent unauthorized programs such as bootkits from infecting the device's boot process. Some pre-built devices may be described as "certified" by Microsoft; these must have secure boot enabled by default, and provide ways for users to disable or re-configure the feature. ARM-based Windows RT devices must have secure boot permanently enabled.

How does secure boot help avert boot process infections?
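
As an added illustration (not part of the original question or the passage it quotes), the sketch below models the check the passage describes: firmware runs an image only if its signature verifies against an enrolled public key and its hash has not been revoked. The toy RSA key, the image bytes and all function names are constructed for this example; real firmware uses X.509 certificates and the UEFI allowed and forbidden signature databases.

```python
import hashlib

# Toy RSA key from two known Mersenne primes, constructed for this demo only.
# Real firmware trusts X.509 certificates and uses padded RSA-2048 or stronger.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: stays with the signer
TRUSTED = [(N, E)]                 # public keys enrolled in the firmware

def digest(image: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image: bytes) -> int:
    """Signer side: bind the image hash to the private key."""
    return pow(digest(image, N), D, N)

def firmware_allows(image, signature, trusted_keys, revoked_hashes):
    """Firmware side: decide whether an image may be given control."""
    if hashlib.sha256(image).hexdigest() in revoked_hashes:
        return False  # revoked even though its signature is valid
    return any(pow(signature, e, n) == digest(image, n) for n, e in trusted_keys)

def boot(chain, trusted_keys, revoked_hashes=frozenset()):
    """Run stages in order; halt at the first image that fails the check."""
    executed = []
    for name, image, signature in chain:
        if not firmware_allows(image, signature, trusted_keys, revoked_hashes):
            break
        executed.append(name)
    return executed

# Constructed sample images standing in for real boot components.
BOOTMGR = b"constructed boot manager image"
OSLOADER = b"constructed OS loader image"
CLEAN = [("bootmgr", BOOTMGR, sign(BOOTMGR)), ("osloader", OSLOADER, sign(OSLOADER))]
# A bootkit changes the bytes on disk but cannot produce a matching signature.
INFECTED = [("bootmgr", BOOTMGR + b"<patched>", sign(BOOTMGR)), CLEAN[1]]

if __name__ == "__main__":
    print(boot(CLEAN, TRUSTED))
    print(boot(INFECTED, TRUSTED))
```

The modified boot manager is refused before it executes, so nothing after it in the chain runs either; with no enrolled key, nothing is trusted at all.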