RSS
← All articles
vulnerability
2026-04-20

Microsoft ships emergency out-of-band updates to fix Windows Server reboot loops and install failures caused by April Patch Tuesday

Microsoft has released out-of-band emergency updates to fix two Windows Server issues introduced by the April 2026 Patch Tuesday updates. First issue: some admins experienced failures installing the KB5082063 security update on Windows Server 2025. Second issue: Patch Tuesday cumulative updates caused Windows servers running domain controller roles to enter restart loops due to crashes of the Local Security Authority Subsystem Service (LSASS). The restart loop can also hit newly-set-up domain controllers or existing ones if the server processes authentication requests very early during startup. The Windows Server 2025 OOB update (KB5091157) addresses both issues. OOB updates for other supported Windows Server versions address only the domain controller restart issue. This is the third consecutive year where April Windows Server patches have caused authentication-related breakage, following similar incidents in 2024 and 2025.

microsoftwindows-serverpatch-tuesdayemergency-patchdomain-controllerlsass
Check
If you run Windows Server domain controllers and installed April Patch Tuesday updates, apply the OOB fix before your DCs enter the restart loop.
Affected
Windows Server domain controllers that installed the April 2026 Patch Tuesday updates, particularly in Privileged Access Management (PAM) environments and non-Global Catalog DC configurations. Windows Server 2025 systems that had failures installing KB5082063.
Fix
Apply the out-of-band update for your Windows Server version. For Windows Server 2025, install KB5091157, which addresses both the install failure and the DC restart loop. For other supported Server versions, install the matching OOB update from Microsoft's advisory (addresses the DC restart loop only). If you have servers already in a restart loop, boot into safe mode or recovery mode to apply the OOB update before normal startup triggers another LSASS crash. Also check for the separate BitLocker recovery key prompt issue on Windows Server 2025 after KB5082063 - keep BitLocker recovery keys accessible before patching.
Related Articles
vulnerabilityUnpatched Windows BitLocker bypass and SYSTEM elevation PoCs dropped on GitHub by a disgruntled researcher - YellowKey and GreenPlasma hit Windows 11 and Server 2022/2025
vulnerabilityMicrosoft's May 2026 Patch Tuesday fixes 120 flaws and no zero-days for the first time since June 2024 - but a Word preview-pane bug and DNS Client RCE stand out as the priorities
vulnerabilityCritical MOVEit Automation flaw lets attackers take over file-transfer servers without logging in - Cl0p hit MOVEit's sister product in 2023 and stole data from 62 million people (CVE-2026-4670)