diff --git a/e2e/scenario_win_test.go b/e2e/scenario_win_test.go
index 2ece49b1c7b..0bc8e178bad 100644
--- a/e2e/scenario_win_test.go
+++ b/e2e/scenario_win_test.go
@@ -440,6 +440,31 @@ func Test_Windows2022_VHDCaching(t *testing.T) {
 })
 }
 
+// Test_Windows2022_VHDCaching_LegacyTLSBootstrap exercises Windows PIS /
+// VHD-cached provisioning with secure TLS bootstrap disabled, forcing kubelet
+// to use the legacy bootstrap-token path. Catches regressions in the two-stage
+// CSE flow that only surface when no secure-tls-bootstrap client is around to
+// overwrite the temporary kubeconfig.
+func Test_Windows2022_VHDCaching_LegacyTLSBootstrap(t *testing.T) {
+ RunScenario(t, &Scenario{
+ Description: "VHD Caching with secure TLS bootstrap disabled",
+ Config: Config{
+ Cluster: ClusterAzureNetwork,
+ VHD: config.VHDWindows2022Containerd,
+ VHDCaching: true,
+ VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
+ vmss.SKU.Capacity = to.Ptr[int64](2)
+ },
+ BootstrapConfigMutator: func(_ *Cluster, nbc *datamodel.NodeBootstrappingConfiguration) {
+ if nbc.SecureTLSBootstrappingConfig == nil {
+ nbc.SecureTLSBootstrappingConfig = &datamodel.SecureTLSBootstrappingConfig{}
+ }
+ nbc.SecureTLSBootstrappingConfig.Enabled = false
+ },
+ },
+ })
+}
+
 func Test_Windows2022Gen2_k8s_133(t *testing.T) {
 RunScenario(t, &Scenario{
 Description: "Windows Server 2022 with Containerd 2- hyperv gen 2",
diff --git a/parts/windows/kuberneteswindowssetup.ps1 b/parts/windows/kuberneteswindowssetup.ps1
index ba392f1f7a2..86590db76b7 100644
--- a/parts/windows/kuberneteswindowssetup.ps1
+++ b/parts/windows/kuberneteswindowssetup.ps1
@@ -485,7 +485,6 @@ function BasePrep {
 PREPROVISION_EXTENSION
 Adjust-DynamicPortRange
 Register-LogsCleanupScriptTask
- Register-NodeResetScriptTask
 Update-DefenderPreferences
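Review bot: The new scenario only shows that a node still provisions with secure TLS bootstrap off; nothing in it checks that kubelet actually went through the bootstrap-token path rather than coming up on a VHD-embedded `nodeclient` credential, which is exactly the regression the doc comment says it exists to catch, and a node that joined on a shared baked-in cert would presumably look Ready to the default checks too. If `Scenario` supports a post-provisioning validator (the neighbouring VHD caching test may already use one), add one that asserts the temporary kubeconfig is gone from the node and that kubelet's client certificate subject is `system:node:<hostname>` rather than `nodeclient`. The `vmss.SKU.Capacity = to.Ptr[int64](2)` mutator also deserves a why-comment, since its purpose is not stated; assuming the intent is to boot the cached VHD more than once, something like `// two instances so the cached VHD's first-boot path runs on more than one node`. The `BootstrapConfigMutator` is fine as written, but consider a one-line comment that `Enabled = false` is what forces the legacy path so a reader does not have to cross-reference the function comment.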
@@ -579,6 +578,11 @@ function NodePrep {
 Remove-Item $kubeConfigFile
 }
 
+ # Register AFTER temp kubeconfig removal: the -AtStartup trigger would
+ # otherwise race PIS-baked VHD first boot and bring kubelet up with the
+ # embedded "nodeclient" cert instead of doing TLS bootstrap.
+ Register-NodeResetScriptTask
+
 Start-InstallGPUDriver -EnableInstall $global:ConfigGPUDriverIfNeeded -GpuDriverURL $global:GpuDriverURL
 
 if (Test-Path $CacheDir)
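Review bot: The ordering the new comment relies on is only as strong as the `Remove-Item $kubeConfigFile` two lines above it, and as written that call is non-terminating: if the file is read-only, locked, or the deletion otherwise fails, PowerShell writes an error and still falls through to `Register-NodeResetScriptTask`, leaving the temporary kubeconfig with its embedded `nodeclient` credential on the node next to the `-AtStartup` task the comment says would use it. Unless `$ErrorActionPreference = 'Stop'` is set earlier in the script (not visible in this hunk), change it to `Remove-Item $kubeConfigFile -Force -ErrorAction Stop` so a failed cleanup aborts provisioning instead of silently reproducing the race the move is meant to close. Since registration no longer happens in BasePrep, it is also worth confirming that every flow that used to hit BasePrep still reaches this point in NodePrep, or the reset task is never registered on those nodes. NodePrep and the `if` block that contains the removal both start outside the hunk.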