If your Windows 11 PC restarts two or three times while installing the April 2026 update, don't panic. Microsoft has confirmed that this extra reboot cycle is expected behavior caused by a Secure Boot certificate refresh being applied during the update. The multiple restarts ensure the new cryptographic keys are safely integrated into the device's firmware, a process that cannot complete in a single go.
The April 2026 cumulative update, along with future monthly security updates, delivers renewed Secure Boot certificates. The signature database (db) tells your PC which bootloaders and drivers are trusted, and the forbidden database (dbx) lists what has been revoked. Refreshing them means writing new entries into firmware-held UEFI variables, and the firmware only accepts such writes if they are correctly signed: db and dbx updates must be signed by a key in the key exchange key database (KEK), and a KEK update must in turn be signed by the OEM's platform key (PK), so the KEK part of the refresh depends on the OEM having supplied a signed update. Windows stages these writes one at a time, and each stage only takes effect at the next boot, which is where the extra restarts come from.
What is Secure Boot and Why Refresh Certificates?
Secure Boot is a UEFI firmware security feature that prevents unauthorized code from running when the computer starts. The firmware checks the digital signature of each UEFI driver and bootloader it loads against the allowed-signature database (db) and the forbidden database (dbx) stored in firmware; the Windows boot manager then carries that chain of trust forward to the kernel and early-boot drivers. If a component's signature is not covered by db, or its signature or certificate appears in dbx, the firmware refuses to run it.
Over time, trusted certificates expire, and newly discovered attacks make it necessary to revoke components that were once accepted. Microsoft periodically updates the Secure Boot db and dbx to keep up. The April 2026 update adds renewed certificates to db and revokes a set of older boot manager signatures through dbx. Revocation is the only way to shut out bootkits such as BlackLotus, which deliberately load an older boot manager that is still validly signed but vulnerable in order to get underneath the operating system.
Why the Extra Restarts?
A typical Windows cumulative update needs a single restart: the system reboots once, finishes the offline servicing phase, and comes up on the updated build. A Secure Boot certificate update is different. The operating system can only write the new data into the UEFI variable store; the firmware validates each write against the key hierarchy, and the new trust state is only reflected in the TPM measurements at the next boot. The process unfolds in three stages:
- Database update: Windows writes the renewed certificates into db (and any revocations into dbx) as authenticated variable updates signed under Microsoft's KEK key. The first restart boots with the new trust entries in place.
- KEK and boot manager update: if the KEK also needs refreshing, Windows applies the OEM-signed KEK update, then copies a boot manager signed by the new certificate onto the EFI system partition. A second restart is needed so the firmware actually boots through the new boot manager instead of the old one.
- Validation and re-measurement: on the following boot the Trusted Platform Module (TPM) measures the new Secure Boot configuration into PCR 7. Because BitLocker's default TPM validation profile includes PCR 7, a mismatch against the values the key was sealed to forces a recovery prompt. Windows then checks that every staged step completed and may perform one more clean-up reboot if an operation is still pending.
Microsoft's official statement, provided to partners ahead of the rollout, reads: "Devices receiving the April 2026 security update and later cumulative updates may restart two to three times if a Secure Boot certificate refresh is being applied during the update cycle. This is by design and critical for maintaining the integrity of the boot chain."
The company emphasizes that the extra restarts are not a sign of update failure. They are a visible indication that the firmware is strengthening the hardware root of trust.
BitLocker Impact: Keep Your Recovery Key Handy
The "bitlocker" tag attached to this news is no accident. A modified Secure Boot configuration can cause BitLocker to enter recovery mode. BitLocker's default TPM validation profile on UEFI systems binds the volume key to PCR 7 (the Secure Boot state, which covers the db, dbx and KEK contents and the certificate that verified the boot manager) and PCR 11. Even a legitimate certificate update changes PCR 7, and if the values at boot do not match the ones the key was sealed to, the TPM will not release it.
Users have reported recovery prompts after previous revocations (KB5012170 in 2022 being a notorious example). With the April 2026 update, the risk may be higher because both the DB and DBX are being refreshed simultaneously. To avoid being locked out:
- Suspend BitLocker before installing the update if you have recovery concerns (Manage BitLocker > Suspend protection).
- Ensure you have your BitLocker recovery key accessible, either printed, in your Microsoft account, or escrowed in Microsoft Entra ID (formerly Azure AD) or Active Directory.
- If recovery is triggered, enter the 48-digit key; Windows unlocks the drive and, on the next boot, reseals the key to the new Secure Boot measurements automatically.
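The checklist above, carried out from an elevated PowerShell session, as an added example that is not part of the original article or of any Microsoft guidance. It assumes the OS volume is C: and that the SecureBoot and BitLocker modules shipped with Windows are available. The key design choice is to suspend protection for a bounded number of restarts rather than indefinitely, so BitLocker re-arms itself after the update cycle even if nobody remembers to resume it.

```powershell
# Added example: pre-update readiness check and bounded BitLocker suspension.
# Not from the article or Microsoft. Assumes the OS drive is C: and the
# SecureBoot and BitLocker PowerShell modules are present (built into Windows).
#Requires -RunAsAdministrator

$osDrive = 'C:'

# 1. Confirm Secure Boot is on. If it is off, the certificate refresh does not
#    change your trust state and BitLocker is not sealed to PCR 7 anyway.
$secureBootOn = Confirm-SecureBootUEFI
Write-Host "Secure Boot enabled: $secureBootOn"

# 2. Show what the TPM protector is bound to. A PCR validation profile that
#    includes 7 means a db/dbx/KEK change can trigger recovery.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$tpmProtector = $vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*'
Write-Host "Protection status: $($vol.ProtectionStatus); TPM protector: $($tpmProtector.KeyProtectorType)"
(manage-bde -protectors -get $osDrive) | Select-String 'PCR Validation Profile'

# 3. Make sure a recovery password exists and capture it before the update.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
foreach ($r in $recovery) {
    Write-Host "Recovery password (ID $($r.KeyProtectorId)): $($r.RecoveryPassword)"
}
# Optional on an Entra-joined device: escrow the protector to Entra ID.
# BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery[0].KeyProtectorId

# 4. Suspend protection for a bounded number of restarts instead of indefinitely.
#    The update may restart the machine two or three times; a count of 3 covers
#    the cycle and BitLocker resumes on its own afterwards.
if ($vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $osDrive -RebootCount 3 | Out-Null
    Write-Host "BitLocker suspended for the next 3 restarts."
}
```

Run this before installing the update, then install and let the restarts finish. `Get-BitLockerVolume -MountPoint C:` afterwards should show ProtectionStatus back to On; if it does not, run `Resume-BitLocker -MountPoint C:` yourself.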
Enterprise admins should note that firmware behaviour varies by OEM and model, so the number of restarts and the likelihood of a recovery prompt will differ across a fleet. Microsoft recommends testing the rollout on a representative subset of devices before broad deployment.
How to Check if Your Reboots are Normal
Not every multiple-reboot scenario is caused by Secure Boot. To confirm what is happening, look in the System event log for the events Windows writes when it services the Secure Boot variables. They come from the Microsoft-Windows-TPM-WMI provider:
- Event ID 1801: a Secure Boot dbx update was applied successfully.
- Event ID 1808: a Secure Boot db update was applied successfully.
- Failures are logged by the same provider, and the message names the variable that could not be written. Microsoft's KB article for the update lists the full set of IDs for your build.
You can also check the current Secure Boot databases using PowerShell:
Confirm-SecureBootUEFI          # True if Secure Boot is enabled
Get-SecureBootUEFI -Name db     # allowed-signature database (raw bytes)
Get-SecureBootUEFI -Name dbx    # forbidden-signature database (raw bytes)
Get-SecureBootUEFI returns the raw variable contents, not dated entries, so there are no time stamps to compare. To see whether the refresh landed, search those bytes for the subject name of the new certificate (Microsoft publishes the expected names in the update's KB) and check whether the old boot manager signer has appeared in dbx. If the new entries are present, the reboots were purposeful.
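A fuller version of that check, as an added example that is not part of the article or of Microsoft's tooling. It searches db, KEK and dbx for the 2023 Microsoft CA names, reads the signer of the boot manager actually installed on the EFI system partition, and pulls the Secure Boot servicing events. The CA subject names are the ones Microsoft publishes for its 2023 roots, and the event provider and IDs are the ones it documents for the db/dbx updates; confirm both against the KB for your build. It assumes drive letter S: is free for mounting the ESP.

```powershell
# Added example: verify whether the Secure Boot certificate refresh has landed.
# Not from the article or Microsoft. Run elevated; assumes S: is an unused drive
# letter. CA names and event IDs are as Microsoft documents them; check the KB.
#Requires -RunAsAdministrator

function Test-SecureBootVariableContains {
    param([string]$Variable, [string]$Pattern)
    # The variable holds EFI_SIGNATURE_LIST structures; X.509 subject names sit as
    # plain ASCII inside the DER blobs, so a string search is enough to detect a CA.
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        return $false   # e.g. dbx undefined on a firmware that has never had one
    }
    return [System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern
}

# Label => (variable, subject-name pattern)
$checks = [ordered]@{
    'db  : Windows UEFI CA 2023 (new boot manager signer)'        = @('db',  'Windows UEFI CA 2023')
    'db  : Microsoft UEFI CA 2023 (new third-party / option ROM CA)' = @('db',  'Microsoft UEFI CA 2023')
    'KEK : Microsoft Corporation KEK 2K CA 2023'                   = @('KEK', 'Microsoft Corporation KEK 2K CA 2023')
    'db  : Microsoft Windows Production PCA 2011 (old signer)'     = @('db',  'Microsoft Windows Production PCA 2011')
    'dbx : Microsoft Windows Production PCA 2011 (revoked?)'       = @('dbx', 'Microsoft Windows Production PCA 2011')
}
foreach ($label in $checks.Keys) {
    $present = Test-SecureBootVariableContains -Variable $checks[$label][0] -Pattern $checks[$label][1]
    '{0,-66} {1}' -f $label, $present
}

# Which CA issued the signing certificate of the boot manager on the ESP?
# Expect 'Windows UEFI CA 2023' after the refresh, 'Microsoft Windows Production
# PCA 2011' before it.
mountvol S: /S | Out-Null
try {
    $sig = Get-AuthenticodeSignature 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
    'bootmgfw.efi signer issuer: {0}' -f $sig.SignerCertificate.Issuer
} finally {
    mountvol S: /D | Out-Null
}

# Secure Boot servicing events from the System log (1801 = dbx applied,
# 1808 = db applied; errors carry the variable name in the message).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

A device where the first three checks print True, the boot manager issuer is the 2023 CA, and the log shows 1808 followed (possibly weeks later) by 1801, has completed the refresh; the extra restarts were the staged variable writes described above.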
Known Rollout and Timing
The Secure Boot certificate refresh is piggybacking on the April 2026 cumulative update (the KB number is not yet public). It will be delivered to all supported Windows 11 versions, including Home, Pro, Enterprise, and Education. The update will download automatically via Windows Update, but it can also be applied manually using standalone MSU packages or through Windows Update for Business.
Users on metered connections or those who pause updates will eventually receive the patch. For enterprises, the update can be controlled using group policy or Intune rings. The certificate refresh ships inside the cumulative update rather than as a separate optional package, so deferring the update defers the refresh with it, and once the update installs the refresh is applied as part of it.
Real-World User Experiences and Forum Chatter
Although the Windows forum post accompanying this article was empty, early reports have already surfaced on other platforms. One common scenario: "I saw the 'Installing updates, 30% complete' screen, then my laptop rebooted twice without warning. I thought the update had failed." Another user noted: "After the third reboot, BitLocker asked for my recovery key. I nearly panicked but entered it and everything worked fine." These reactions match the expected behavior Microsoft described.
Power users in the forums suggest disconnecting external USB drives and docking stations before installing. It is harmless and can avoid the firmware trying to boot from the wrong device during the restarts, but the number of reboots is set by the staged variable writes, not by how many devices are attached, so do not expect it to change the count.
Future Implications: Routine Certificate Refreshes
Secure Boot certificate updates will not be a one-time event. The 2011-era Microsoft certificates that this refresh replaces are expiring, and Microsoft has indicated that renewals and dbx revocations will recur rather than being a single migration. The April 2026 update sets a precedent: users should expect multiple reboots whenever a "secure boot certificate refresh" note appears in the update description. The company is exploring ways to make the process more transparent, possibly by adding progress indicators on the boot screen, but for now the raw reboot count is the only visible sign.
From a security standpoint, these refreshes are essential. Once the old boot manager signer is in dbx, bootkits that rely on loading a revoked but still validly signed boot manager no longer get past the firmware. Combined with other Windows 11 security defaults like HVCI and Credential Guard, they form a strong defense against firmware-level threats. The temporary inconvenience of a few extra minutes and an extra reboot is a small price to pay.
Troubleshooting a Stuck Update
If your device reboots endlessly, more than five times, or shows error codes, something else may be wrong. Common culprits include an EFI system partition with too little free space for the new boot manager, outdated BIOS/UEFI firmware that rejects the authenticated variable writes, or firmware bugs that Microsoft has documented for particular models. In those cases:
- Check the free space on the EFI system partition and clear out stale files if it is nearly full.
- Check your motherboard or system vendor for a BIOS/UEFI update; OEM firmware fixes are the usual resolution for variable-write failures.
- Do not disable Secure Boot to get past the update: that changes PCR 7 and forces BitLocker recovery, and the certificate refresh is simply re-attempted once Secure Boot is back on.
- Use the Windows Update Troubleshooter from Settings > System > Troubleshoot.
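The facts a support engineer will ask for when a refresh is stuck, gathered in one elevated PowerShell session, as an added example that is not part of the article or of Microsoft's tooling. It reports firmware identity and release date, the EFI system partition's size and free space, and the servicing state Windows records for the certificate rollout. The registry value names under the SecureBoot\Servicing key are the ones Microsoft documents for the 2023 CA rollout; treat them as an assumption and confirm against the KB for your build. It assumes drive letter S: is free.

```powershell
# Added example: collect diagnostics for a stuck Secure Boot certificate refresh.
# Not from the article or Microsoft. Run elevated; assumes S: is unused.
# The Servicing registry values are as documented by Microsoft for the 2023 CA
# rollout (UEFICA2023Status / UEFICA2023Error); verify against your build's KB.
#Requires -RunAsAdministrator

# 1. Firmware identity and age: firmware older than the 2023 CAs is the first
#    thing to check, and the OEM update is the usual fix.
$bios = Get-CimInstance Win32_BIOS
[pscustomobject]@{
    Manufacturer = $bios.Manufacturer
    Version      = $bios.SMBIOSBIOSVersion
    ReleaseDate  = $bios.ReleaseDate
    SecureBoot   = Confirm-SecureBootUEFI
} | Format-List

# 2. EFI system partition size and free space. The ESP is identified by its
#    fixed GPT partition type GUID; mount it, read the numbers, unmount.
$espTypeGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
$esp = Get-Partition | Where-Object GptType -eq $espTypeGuid | Select-Object -First 1
mountvol S: /S | Out-Null
try {
    $drive = New-Object System.IO.DriveInfo('S:\')
    'ESP on disk {0}: {1:N0} MB total, {2:N0} MB free' -f `
        $esp.DiskNumber, ($esp.Size / 1MB), ($drive.AvailableFreeSpace / 1MB)
    # Largest files on the ESP, in case it is full of leftovers.
    Get-ChildItem 'S:\' -Recurse -File -ErrorAction SilentlyContinue |
        Sort-Object Length -Descending | Select-Object -First 5 FullName, Length
} finally {
    mountvol S: /D | Out-Null
}

# 3. Servicing state Windows records for the certificate rollout.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
if (Test-Path $svcKey) {
    Get-ItemProperty $svcKey | Select-Object UEFICA2023Status, UEFICA2023Error | Format-List
} else {
    'No Secure Boot servicing state recorded yet (the refresh has not been staged on this device).'
}

# 4. Most recent Secure Boot servicing warnings and errors from the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Level = 2, 3 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Paste the output into the support ticket together with the model name; an error status with a firmware release date from before the 2023 CAs points at the OEM firmware rather than at Windows.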
For managed environments, Microsoft Intune (formerly Microsoft Endpoint Manager) provides reports on devices that fail the certificate update, helping admins target fixes.
The Takeaway
The extra reboots in the April 2026 Windows 11 update are by design, driven by a long-overdue Secure Boot certificate refresh. Instead of signalling a problem, they confirm that your device's firmware is being reinforced against modern bootkit attacks. Keep your BitLocker recovery key close, let the process finish, and enjoy a measurably more secure boot chain.