Microsoft's April patch puts Windows domain controllers into reboot loops — third known issue from KB5082063
At a glance:
- April 2026 Windows Server update KB5082063 causes LSASS crashes on non‑Global Catalog domain controllers.
- The bug forces continuous reboots, breaking Active Directory authentication in Privileged Access Management (PAM) deployments.
- Microsoft confirms this as the third known issue linked to the same patch.
What happened
Microsoft’s monthly security roll‑out for Windows Server, identified as KB5082063, was released in April 2026. Shortly after deployment, a subset of enterprise domain controllers—specifically those that are not configured as Global Catalog servers—began to experience repeated crashes of the Local Security Authority Subsystem Service (LSASS). The LSASS failure forces the operating system to reboot, creating a loop that can only be broken by removing the update or performing a full system restore.
The problem is confined to domain controllers that are part of Privileged Access Management (PAM) configurations. PAM relies on tightly controlled authentication pathways, and when LSASS terminates, the entire Active Directory authentication stack becomes unavailable. Administrators report that affected servers stop responding to login attempts, Group Policy updates, and any service that depends on Kerberos tickets, effectively halting day‑to‑day operations for the impacted organizations.
Impact on enterprises
Enterprises that have rolled out the April patch across their server farms are now scrambling to identify which controllers are non‑Global Catalog members. Because the issue does not affect Global Catalog servers, many large environments still retain at least one functional authentication point, but the loss of any PAM‑enabled controller can cripple privileged workflows, such as just‑in‑time elevation and credential vaulting.
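An inventory script for the identification step described above, added here as an example and not taken from Microsoft or the original article: it lists every domain controller, whether it is a Global Catalog, and whether KB5082063 is installed. It assumes the ActiveDirectory RSAT module, remote WMI access to each DC, and that "PAM" corresponds to the AD optional feature named "Privileged Access Management Feature".

```powershell
# Added example: inventory DCs that match the article's description of the
# KB5082063 LSASS issue (non-Global Catalog DCs in a PAM deployment).
Import-Module ActiveDirectory

$kb = 'KB5082063'   # update ID as given in the article

# Assumption: the article's "PAM" is the forest-level AD optional feature.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
$pamEnabled = [bool]($pam -and $pam.EnabledScopes.Count -gt 0)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $status = 'Unknown'
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the remote host.
        # Filtering client-side avoids the error Get-HotFix -Id raises on a miss.
        $hit = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
               Where-Object HotFixID -eq $kb
        $status = if ($hit) { 'Installed' } else { 'NotInstalled' }
    } catch {
        # A DC that is down or mid-reboot cannot answer the query.
        $status = 'Unreachable'
    }

    [pscustomobject]@{
        Name            = $dc.HostName
        Site            = $dc.Site
        IsGlobalCatalog = $dc.IsGlobalCatalog
        KbStatus        = $status
        PamFeatureOn    = $pamEnabled
        # Article's criterion: non-GC domain controller in a PAM deployment.
        MatchesIssue    = (-not $dc.IsGlobalCatalog) -and $pamEnabled
    }
}

# Matching controllers first; these are the ones to hold the update on.
$report | Sort-Object MatchesIssue -Descending | Format-Table -AutoSize
```

Controllers that show `MatchesIssue = True` with `KbStatus = NotInstalled` are the candidates for the pause-via-Group-Policy-or-WSUS workaround; those showing `Installed` or `Unreachable` need hands-on checking.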
The downtime has financial implications: organizations must allocate engineering resources to isolate the faulty servers, revert the update, and validate that directory services are fully restored. In sectors with strict compliance requirements—finance, healthcare, and government—the interruption could also trigger audit flags for unavailable authentication services during the incident window.
Microsoft’s response
Microsoft acknowledged the defect on its health dashboard, labeling it as the third known issue tied to KB5082063. The company has posted a temporary workaround: administrators should pause the update via Group Policy or WSUS for non‑Global Catalog domain controllers until a corrective build is issued. Microsoft’s engineering team is reportedly working on a revised package that addresses the LSASS crash without disabling the security fixes contained in the original patch.
In parallel, Microsoft recommends that affected customers capture crash dump files and submit them through the Windows Feedback Hub to accelerate root‑cause analysis. The firm also advises a review of PAM deployment topologies to ensure that at least one Global Catalog server remains available as a fallback authentication source.
What to watch next
The next patch cycle, slated for May 2026, is expected to include a fix for the LSASS instability. Enterprises should monitor the Microsoft Security Update Guide and the Windows Server release notes for the exact build number that resolves the issue. In the meantime, IT teams are urged to test the April update in isolated lab environments before mass deployment, especially when PAM is part of the security architecture.
Stakeholders are also watching for any broader implications on Microsoft’s patch‑testing pipeline. Repeated incidents within a single month could prompt a review of the internal validation processes that precede public roll‑outs, potentially leading to more staged or phased deployments for high‑risk server roles.
FAQ
Which servers are affected by the KB5082063 reboot issue?
What immediate steps does Microsoft recommend for administrators?
When is a fix expected to be released?
Prepared by the editorial stack from public data and external sources.