Once a machine has been imaged with a signed image, you can verify the system hash against the hash of what was built and signed during the Trusted Build process. To perform this verification, you have two options.
This approach allows you to verify the system hash using a tool outside the system itself. vx-verifier is a modified version of vx-iso.
Power the machine down.
Insert the vx-verifier USB drive.
Power the machine on. It should auto-boot to the vx-verifier USB drive.
Navigate to the "Verify Hash" option, attaching a keyboard if necessary.
This will calculate and output the system hash of the installed image, which can be checked against the system hash recorded during the Trusted Build process.
Once you have verified the hash, you can press "enter" to reboot and remove the vx-verifier USB drive.
This approach allows you to verify the system hash from within the system. See Signed Hash Validation.