Windows 11 PCs may undergo an additional restart during update installations scheduled for spring 2026. Microsoft has confirmed that the extra reboot is intentional and tied to the deployment of updated Secure Boot certificates—specifically those using the 2023 certificate authorities. This change is part of a routine security maintenance cycle, but it could catch users off guard if they’re not expecting their machine to restart more than once during a single update session.
Secure Boot is a critical firmware-level security feature that ensures only trusted operating systems and bootloaders can run when a PC starts. Certificates used to sign these components have expiration dates, and Microsoft periodically refreshes them to maintain security integrity. The 2023 certificate update replaces older root authorities that are approaching end-of-life, closing a potential gap that could be exploited by sophisticated bootkits or rootkits.
The extra restart occurs because the Secure Boot certificate database (the DB and KEK keys) must be updated within the UEFI firmware. Windows Update typically handles OS-level patches in one reboot cycle, but modifying the firmware’s certificate store requires a separate handoff to the system’s bootstrap process. After the initial update phase applies the new certificates, the PC reboots to let the UEFI consume the changes. Windows then boots normally and resumes any remaining installation tasks, often triggering a second restart to finalize the OS-level components. This sequence is seamless but adds an extra reboot that can extend update time by several minutes.
Users with BitLocker enabled may also see an additional restart prompt if the firmware change forces a recovery key validation. In standard configurations, BitLocker seals its keys using the current Secure Boot state. Altering the certificate store modifies the boot chain measurement, which can trigger a BitLocker recovery event unless Windows proactively suspends protection before the certificate apply. Updates rolled out in 2024 introduced logic to handle this gracefully, so the extra reboot should not result in a blue recovery screen—but users should still ensure they have their BitLocker recovery keys accessible as a precaution.
The Secure Boot 2023 certificates were already pushed to many devices during earlier Windows 11 feature updates and monthly quality updates. However, a broader enforcement wave is planned for spring 2026 to cover all supported hardware, including those that missed prior rollouts due to firmware compatibility lockouts or user-initiated deferrals. Microsoft’s servicing model often stages such changes over multiple months; the spring 2026 timeline aligns with the final retirement of the older 2011 Secure Boot certificates.
Affected systems include virtually all Windows 11-capable devices with Secure Boot enabled, which is the default configuration for OEM installations since Windows 8. Custom-built PCs with Secure Boot turned off (or in setup mode) will not receive the certificate updates and thus won’t experience the extra restart. However, those systems remain vulnerable to boot-time attacks that Secure Boot is designed to thwart.
IT administrators managing fleets via Windows Update for Business or other management tools can anticipate this behavior and plan maintenance windows accordingly. The extra reboot does not represent a failure; it’s a necessary step to keep the firmware certificate database current. Microsoft has published documentation on servicing stack updates that can update firmware and other non-OS components, and this Secure Boot certificate update falls into that category.
Users on metered connections or those who schedule updates during off-hours might not notice the additional restart, as the process is designed to complete without user interaction once initiated. However, if a PC is in active use when the update runs, the user may see a “Getting things ready” screen twice, which could cause confusion. The update history log in Settings will show a single entry for the cumulative or monthly update, but the extra reboot is transparent to the user interface.
The 2026 rollout is not a security patch for a specific vulnerability; it’s a maintenance operation. Certificate authorities themselves are not compromised; rather, older keys become weaker over time or are simply phased out per industry best practices. The UEFI Forum and Microsoft coordinate on these lifecycle events to minimize disruption. The 2023 certificates use stronger RSA-4096 keys compared to the RSA-2048 keys in the older 2011 set, offering improved resistance to brute-force attacks.
For the average Windows 11 user, the only practical takeaway is awareness: if your PC reboots twice during an update in spring 2026, it’s working as intended. No user action is required, beyond possibly ensuring backup of BitLocker recovery keys. Enterprises that meticulously track update success rates may see a slight uptick in “restart required” counts, which can be correlated with the certificate update deployment.
Looking ahead, Microsoft will likely issue an official bulletin or advisory as the spring 2026 patch cycle approaches. Historically, similar certificate updates—such as the 2019 Secure Boot DBX update to revoke vulnerable bootloaders—were accompanied by KB articles that detailed the restart behavior. Users can expect a support document with matching build numbers and guidance for troubleshooting any unexpected post-reboot issues.
This maintenance underscores the layered defense-in-depth approach Windows employs. Secure Boot works alongside VBS, Hypervisor-protected Code Integrity (HVCI), and Windows Defender System Guard to ensure that the boot path remains tamper-proof. Keeping the certificate store fresh is a silent but vital task that helps prevent wide-scale supply chain attacks on the OS boot process.
While the extra restart is a minor inconvenience, it signals that Microsoft continues to harden the platform even for older Secure Boot roots. The shift to 2023 certificates also aligns with future hardware requirements, as upcoming Arm-based PCs and Pluton security processors will rely on these newer roots for attestation and measured boot.
Users can verify their current Secure Boot certificate version by running the PowerShell command Confirm-SecureBootUEFI or checking the System Information utility under “Secure Boot State.” If the value is “On,” the certificate update will apply when the servicing update is offered. No standalone download is necessary; it will arrive through Windows Update as a component of the monthly security or cumulative update.
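Confirm-SecureBootUEFI reports only whether Secure Boot is enabled, so the PowerShell script below (an added example, not code from Microsoft or from the original article) also reads the db and KEK variables with Get-SecureBootUEFI, searches them for the 2023 certificate names, and checks that the OS drive has a BitLocker recovery password protector. The certificate subject strings are assumptions based on Microsoft's published names for the 2023 set, the helper name Test-UefiVarContains is hypothetical, and the script needs an elevated session on a UEFI machine.

```powershell
# Added example: readiness check ahead of the Secure Boot 2023 certificate update.
# Run from an elevated PowerShell session on a UEFI system.

function Test-UefiVarContains {
    # Hypothetical helper: $true/$false if the variable could be read, $null if not.
    param([string]$Name, [string]$Subject)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        return $null   # legacy BIOS, not elevated, or variable missing
    }
    # Certificate subject names appear as ASCII text inside the stored DER blobs.
    [System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject)
}

$report = [ordered]@{}

# 1. Is Secure Boot actually on? (Throws on non-UEFI or non-elevated sessions.)
try   { $report['SecureBootEnabled'] = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $report['SecureBootEnabled'] = "unknown: $($_.Exception.Message)" }

# 2. Are the 2023 certificates already present in the firmware stores?
#    Subject names below are assumptions; adjust if your vendor guidance differs.
$expected = [ordered]@{
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
}
foreach ($var in $expected.Keys) {
    foreach ($subject in $expected[$var]) {
        $report["$var has '$subject'"] = Test-UefiVarContains -Name $var -Subject $subject
    }
}

# 3. BitLocker: confirm a recovery password protector exists before the firmware change.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $report['BitLockerProtection'] = $vol.ProtectionStatus
    $report['RecoveryPasswordProtectorPresent'] =
        [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
} catch {
    $report['BitLockerProtection'] = 'not available on this system'
}

[pscustomobject]$report | Format-List
```

A False for a db or KEK entry means the device has not yet received that certificate; a blank value means the variable could not be read.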
In summary, spring 2026’s update cycle brings a behind-the-scenes security tune-up that may cause Windows 11 PCs to reboot more than once. It’s a normal part of OS evolution, not a bug. By understanding the why and how, users and admins can proceed with confidence.