RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: lsass (2 articles)Clear
vulnerability
2026-04-20

Microsoft ships emergency out-of-band updates to fix Windows Server reboot loops and install failures caused by April Patch Tuesday

Microsoft has released out-of-band emergency updates to fix two Windows Server issues introduced by the April 2026 Patch Tuesday updates. First issue: some admins experienced failures installing the KB5082063 security update on Windows Server 2025. Second issue: Patch Tuesday cumulative updates caused Windows servers running domain controller roles to enter restart loops due to crashes of the Local Security Authority Subsystem Service (LSASS). The restart loop can also hit newly-set-up domain controllers or existing ones if the server processes authentication requests very early during startup. The Windows Server 2025 OOB update (KB5091157) addresses both issues. OOB updates for other supported Windows Server versions address only the domain controller restart issue. This is the third consecutive year where April Windows Server patches have caused authentication-related breakage, following similar incidents in 2024 and 2025.

microsoftwindows-serverpatch-tuesdayemergency-patchdomain-controllerlsass
Check
If you run Windows Server domain controllers and installed April Patch Tuesday updates, apply the OOB fix before your DCs enter the restart loop.
Affected
Windows Server domain controllers that installed the April 2026 Patch Tuesday updates, particularly in Privileged Access Management (PAM) environments and non-Global Catalog DC configurations. Windows Server 2025 systems that had failures installing KB5082063.
Fix
Apply the out-of-band update for your Windows Server version. For Windows Server 2025, install KB5091157, which addresses both the install failure and the DC restart loop. For other supported Server versions, install the matching OOB update from Microsoft's advisory (addresses the DC restart loop only). If you have servers already in a restart loop, boot into safe mode or recovery mode to apply the OOB update before normal startup triggers another LSASS crash. Also check for the separate BitLocker recovery key prompt issue on Windows Server 2025 after KB5082063 - keep BitLocker recovery keys accessible before patching.
defense
2026-04-17

Microsoft April patches cause reboot loops on Windows Server 2025 and 2022 domain controllers - LSASS crash breaks authentication

Microsoft has confirmed that the April 2026 cumulative updates (KB5082063 for Windows Server 2025, KB5082142 for Windows Server 2022) are causing LSASS crashes that trigger reboot loops on non-Global Catalog domain controllers in environments using Privileged Access Management (PAM). Affected DCs restart repeatedly, preventing authentication and directory services from functioning, potentially rendering the entire domain unavailable. The issue also occurs when setting up new domain controllers or on existing ones processing authentication requests early in startup. A separate bug causes the April update to fail installation entirely on some Windows Server 2025 systems with error code 0x800F0983. A third issue forces some servers into BitLocker recovery mode due to Secure Boot changes bundled in the update. This is the third consecutive year April Patch Tuesday has broken Windows Server authentication - similar LSASS/domain controller issues hit in April 2024 and April 2025.

microsoftwindows-serverdomain-controllerpatch-issueslsassreboot-loopactive-directory
Check
If you run Active Directory and use Privileged Access Management (PAM), do NOT deploy the April 2026 updates to domain controllers without Microsoft mitigation guidance.
Affected
Non-Global Catalog (non-GC) domain controllers on Windows Server 2025 (KB5082063), Windows Server 2022 (KB5082142), Server 23H2, Server 2019, and Server 2016, specifically in environments using Privileged Access Management (PAM). Consumer Windows devices are not affected.
Fix
Hold deployment of the April 2026 cumulative update on affected domain controllers. Contact Microsoft Support for Business to access the official mitigation - it can be applied both before and after the April update. Microsoft is working on a permanent fix in a future Windows update. For BitLocker recovery issues: ensure you have recovery keys accessible before patching. Non-DC member servers and workstations should still be patched on schedule to close the zero-day vulnerabilities (SharePoint CVE-2026-32201, Defender CVE-2026-33825) covered in our April 15 report.