Microsoft has released out-of-band emergency updates to fix two Windows Server issues introduced by the April 2026 Patch Tuesday updates. First issue: some admins experienced failures installing the KB5082063 security update on Windows Server 2025. Second issue: Patch Tuesday cumulative updates caused Windows servers running domain controller roles to enter restart loops due to crashes of the Local Security Authority Subsystem Service (LSASS). The restart loop can also hit newly-set-up domain controllers or existing ones if the server processes authentication requests very early during startup. The Windows Server 2025 OOB update (KB5091157) addresses both issues. OOB updates for other supported Windows Server versions address only the domain controller restart issue. This is the third consecutive year where April Windows Server patches have caused authentication-related breakage, following similar incidents in 2024 and 2025.
Microsoft has confirmed that the April 2026 cumulative updates (KB5082063 for Windows Server 2025, KB5082142 for Windows Server 2022) are causing LSASS crashes that trigger reboot loops on non-Global Catalog domain controllers in environments using Privileged Access Management (PAM). Affected DCs restart repeatedly, preventing authentication and directory services from functioning, potentially rendering the entire domain unavailable. The issue also occurs when setting up new domain controllers or on existing ones processing authentication requests early in startup. A separate bug causes the April update to fail installation entirely on some Windows Server 2025 systems with error code 0x800F0983. A third issue forces some servers into BitLocker recovery mode due to Secure Boot changes bundled in the update. This is the third consecutive year April Patch Tuesday has broken Windows Server authentication - similar LSASS/domain controller issues hit in April 2024 and April 2025.
TrustStrike Labs