Which feature prevents unwanted processes from executing during the boot operation?

Secure Boot ensures only trusted, signed code runs during the boot process. When the system starts, the UEFI firmware checks each boot component—such as the bootloader and OS kernel—against a whitelist of trusted signatures stored in the firmware. If a component isn’t signed with a trusted key or has been tampered with, it’s blocked from executing, preventing unwanted processes from starting at boot. This directly satisfies the requirement to stop unapproved code from running during startup. For context, Trusted Boot/Measured Boot relate to collecting boot measurements for attestation, which helps detect tampering but doesn’t by itself block execution; Self-Encrypting Drive protects data at rest, and UEBA focuses on user behavior rather than boot integrity.