But... does this really enhance security that much in the real world?
Because the thing is that an unprivileged process running in Windows already cannot replace the Windows OS image with something else due to OS permissions (just like a non-root Linux user cannot just replace the kernel if the administrator did a sensible job).
And if a trojan can bypass OS permission check, then it can set itself to automatically run on boot and re-escalate every time.
Even if support for any form of autorun is dropped, it would still be possible to just infect a non-Microsoft-signed executable which the user runs very often (for instance Firefox or a game).
The only benefit I see is that installing a patch for an OS bug will be more likely to disable malware exploiting it, and while it is possible for malware to block the OS update (and make it look it was applied), this requires substantial additional work on the part of the malware author.
BTW, this assumes that Windows 8 will refuse to load any unsigned drivers, system executables, DLLs, as well as any configuration/script file capable of loading binary code, as otherwise it's totally pointless, since you just infect those instead of the UEFI image.
I have a feeling however that they will fail to actually enforce this properly.