Windows 11 KB5083631, the optional non-security preview update released on April 30, 2026 for versions 24H2 and 25H2, can trigger an additional restart on some PCs during installation. The extra reboot is intentional. It is part of the Secure Boot certificate refresh that Microsoft is rolling into recent cumulative updates ahead of the 2011 certificate expirations beginning in June 2026.
Quick answer: If your device restarts twice while installing KB5083631, the first reboot completes the cumulative update (builds 26100.8328 or 26200.8328) and the second reboot applies a new Secure Boot certificate (the Windows UEFI CA 2023 / 2023-signed Boot Manager). It is a one-time event on eligible devices and does not indicate a failed install.
Why KB5083631 may restart twice
Microsoft expanded the device-targeting data used to deliver new Secure Boot certificates with this release. Eligible systems receive the 2023 certificates only after enough successful update signals have been recorded, so the rollout is phased rather than universal. When a device qualifies during KB5083631 installation, Windows performs the Secure Boot certificate update as a separate, dedicated boot phase after the main update has finished writing files.
That sequence produces two visible restarts for a single update event. The first restart finalizes the cumulative payload. The second restart applies the Secure Boot allowed-key/certificate exchange, which must run from the boot environment to update firmware-resident keys safely. Microsoft has stated that with recent and upcoming Windows updates over the next several months, a limited number of consumer and business devices may see this one additional restart during installation.
What is being installed during the second restart
The 2011-issued Microsoft Secure Boot certificates start expiring in June 2026. To keep early-boot security protections flowing (Boot Manager updates, Secure Boot DB and revocation list updates, and mitigations for newly discovered boot-chain vulnerabilities), devices need the 2023 certificate set written into firmware and the 2023-signed Windows Boot Manager set as default.
The relevant artifacts that may be added or activated during this process are listed below.
| Component | Purpose |
|---|---|
| Microsoft Corporation KEK 2K CA 2023 | New Key Exchange Key used to authorize updates to the Secure Boot signature database. |
| Windows UEFI CA 2023 | Signs the Windows Boot Manager and other Microsoft-signed boot components. |
| Microsoft UEFI CA 2023 | Signs third-party UEFI components (for example, certain bootloaders and option ROMs). |
| 2023-signed Windows Boot Manager | The new default boot manager binary chained to the 2023 certificates. |
Devices that already received these items in earlier months will typically see only a single restart for KB5083631.
How to verify the extra restart worked
After installation completes, you can confirm the certificate state from the Windows Security app.
Step 1: Open Windows Security and select Device security. Locate the Secure boot section on that page.
Step 2: Read the status text. The healthy message reads "Secure boot is on, and all required certificate updates have been applied. No further certificate changes are needed." That confirms the 2023 certificates and 2023-signed Boot Manager are in place.
Step 3: If you prefer a direct check, open Windows PowerShell as administrator and run the following commands. Each should return True when the corresponding certificate is present.
```powershell
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft UEFI CA 2023'
```
Step 4: Confirm the build. Go to Settings > System > About or run winver. KB5083631 reports OS Build 26100.8328 on 24H2 and 26200.8328 on 25H2.
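The checks from Steps 3 and 4 combined into one report, as an added example (not Microsoft's or this article's own script). The function names `Test-SecureBootCert` and `Get-Kb5083631State` are hypothetical; unlike the one-liners, the script reports a blank value rather than False when a Secure Boot variable cannot be read at all (legacy BIOS or unsupported platform).

```powershell
#Requires -RunAsAdministrator
# Added example: run from an elevated Windows PowerShell session.

function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][ValidateSet('KEK', 'db')][string]$Variable,
        [Parameter(Mandatory)][string]$Subject
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
        # Same ASCII substring match the article uses; Escape keeps the name literal.
        return [System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject)
    }
    catch {
        # Variable unreadable (legacy BIOS, unsupported platform): unknown, not False.
        return $null
    }
}

function Get-Kb5083631State {
    # CurrentBuild + UBR form the "OS Build" string that winver displays.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

    try   { $secureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBootOn = $null }

    $state = [ordered]@{
        OSBuild             = $build
        # Builds quoted in the article; a later cumulative update reports a higher revision.
        MatchesKbBuild      = $build -in @('26100.8328', '26200.8328')
        SecureBootEnabled   = $secureBootOn
        KEK2023             = Test-SecureBootCert -Variable KEK -Subject 'Microsoft Corporation KEK 2K CA 2023'
        WindowsUefiCA2023   = Test-SecureBootCert -Variable db  -Subject 'Windows UEFI CA 2023'
        MicrosoftUefiCA2023 = Test-SecureBootCert -Variable db  -Subject 'Microsoft UEFI CA 2023'
    }
    # True only when all three certificates were positively found.
    $state['AllCertsPresent'] = [bool]($state.KEK2023 -and $state.WindowsUefiCA2023 -and $state.MicrosoftUefiCA2023)
    [pscustomobject]$state
}

Get-Kb5083631State | Format-List
```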
What to do while the PC reboots multiple times
Do not power off the machine, force a hard reset, or pull a laptop's battery during the additional reboots. Interrupting a Secure Boot certificate write can leave the firmware key store in an inconsistent state. Let the device finish its boot cycles. The full sequence typically completes within 10 to 15 minutes on modern hardware.
Also expect the "Working on updates" screen to appear more than once and the percentage indicator to reset between reboots. That behavior is normal during the certificate phase because the boot environment runs separately from the main update flow.
BitLocker recovery prompt: A separate known issue
A small set of devices may be asked for the BitLocker recovery key on the first restart after installing KB5083631. This is documented and is not the same as the extra-restart behavior. It only triggers when all of the following conditions are true at once.
| Condition | Required state |
|---|---|
| BitLocker | Enabled on the OS drive. |
| Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" | Configured with PCR7 included (or the equivalent registry key set). |
| msinfo32 > Secure Boot State PCR7 Binding | Reports as "Not Possible". |
| Secure Boot Signature Database (DB) | Contains the Windows UEFI CA 2023 certificate. |
| Active Boot Manager | Not yet the 2023-signed Windows Boot Manager. |
Microsoft notes the combination is unlikely on personal devices that are not managed by IT. When it does occur, the recovery key is requested only once, and subsequent restarts boot normally as long as the policy stays unchanged. Recovery keys for personal Microsoft accounts can be retrieved from the BitLocker recovery key page in your Microsoft account.
For managed environments, the recommended pre-install workaround is to set that policy to Not Configured, refresh policy, and rebind BitLocker:
```
gpupdate /force
manage-bde -protectors -disable C:
manage-bde -protectors -enable C:
```
This updates the BitLocker bindings to use the Windows-selected default PCR profile so the upcoming Boot Manager swap does not invalidate them.
When two restarts are not normal
The certificate-driven extra reboot is a one-time event per device. If your PC continues to reboot repeatedly across multiple days after KB5083631, or cycles through "Working on updates" without ever reaching the desktop, the cause is likely unrelated to Secure Boot. Common triggers include a stalled servicing operation, a conflicting third-party driver caught by the new Windows driver policy audit, or an installation that did not complete cleanly.
In those cases, let the troubleshooting flow run from Settings > System > Troubleshoot > Other troubleshooters > Windows Update, then verify system file integrity with sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth from an elevated Command Prompt. KB5083631 is an optional preview, so its fixes will also reach devices through the May 2026 Patch Tuesday cumulative if you choose to skip the preview channel.
The short version: a second restart on KB5083631 is expected on devices that are receiving the 2023 Secure Boot certificates this month. Verify the result in Windows Security, leave the machine alone while it finishes, and audit BitLocker policy in advance if you manage a fleet that uses explicit PCR7 validation.