Microsoft warns of Windows server reboot loops following April security updates

At a glance:

  • April 2026 security update KB5082063 is causing LSASS crashes and reboot loops on specific Windows domain controllers.
  • The issue primarily affects non-Global Catalog (non-GC) DCs in environments utilizing Privileged Access Management (PAM).
  • Impacted versions include Windows Server 2016, 2019, 2022, 2025, and Windows Server 23H2.

Authentication crashes and stability risks

Microsoft has officially confirmed a critical stability issue in which certain Windows domain controllers enter continuous restart loops. The cause has been identified as crashes within the Local Security Authority Subsystem Service (LSASS) that occur immediately after the April 2026 security updates are installed. The failure is particularly disruptive because it strikes during the startup sequence, effectively locking administrators out of the system.

The company warned that this behavior is most prevalent when a server is tasked with processing authentication requests very early in its boot process. This can happen during the initial setup of new domain controllers or on existing production servers. Because the LSASS process is fundamental to security and identity management, its collapse prevents authentication and directory services from functioning, which can potentially render an entire organizational domain unavailable.

Scope of impact and affected systems

According to Microsoft's release health dashboard, the instability is tied to the deployment of update KB5082063. Not every server is exposed to the reboot loops: the issue affects non-Global Catalog (non-GC) domain controllers operating within environments that employ Privileged Access Management (PAM). Because of these architectural preconditions, the issue is unlikely to impact personal devices or standalone workstations not managed by a corporate IT department.

The range of affected server operating systems is extensive, spanning nearly a decade of releases. The platforms currently identified as susceptible include:

  • Windows Server 2025
  • Windows Server 2022
  • Windows Server 23H2
  • Windows Server 2019
  • Windows Server 2016
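
To find which domain controllers in a forest match the conditions above, an inventory check can combine the three factors the advisory names. This is an added example, not code from Microsoft or the original article; it assumes the RSAT ActiveDirectory module is installed, that "PAM" refers to the Active Directory optional feature named 'Privileged Access Management Feature', and that each DC answers remote Get-HotFix queries.

```powershell
# Added example: list DCs that match the KB5082063 advisory conditions.
# Assumptions: ActiveDirectory module available; PAM = the AD optional feature
# 'Privileged Access Management Feature'; remote WMI access to each DC.
Import-Module ActiveDirectory

$kb = 'KB5082063'   # update ID as given in the article

# PAM is enabled forest-wide; a non-empty EnabledScopes means it is switched on.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
$pamEnabled = [bool]($pam -and $pam.EnabledScopes.Count -gt 0)

$report = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        # List installed updates and match locally, so "not installed" and
        # "could not query" stay distinct. An unreachable DC may already be
        # stuck in the reboot loop, so it is reported rather than skipped.
        $kbState = try {
            $installed = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop
            if ($installed.HotFixID -contains $kb) { 'Installed' } else { 'NotInstalled' }
        } catch {
            'Unknown (query failed)'
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            GlobalCatalog    = $dc.IsGlobalCatalog
            PamEnabled       = $pamEnabled
            Update           = $kbState
            # Advisory conditions: non-GC domain controller in a PAM-enabled forest.
            MatchesAdvisory  = (-not $dc.IsGlobalCatalog) -and $pamEnabled
        }
    }
}

# Show matching DCs first; the Update column tells you whether the patch
# is already on the box or still pending.
$report | Sort-Object MatchesAdvisory -Descending | Format-Table -AutoSize
```

DCs with MatchesAdvisory set to True and Update set to NotInstalled are the ones to hold back from the patch ring until a mitigation from Microsoft Support is in hand.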

Mitigation and a pattern of instability

While a formal permanent fix is still under development, Microsoft has advised IT administrators to contact Microsoft Support for Business. The company indicated that specific mitigation measures are available that can be applied to stabilize systems even after the April 2026 update has already been deployed. This manual intervention is currently the only way to break the reboot cycle for affected PAM-enabled environments.

This incident is not an isolated event but part of a recurring pattern of domain controller instability following security patches. In June 2025, Microsoft had to resolve authentication problems stemming from the April 2025 updates. Similarly, in May 2024, a fix was issued for NTLM authentication failures and reboots caused by the April 2024 patches, and in March 2024, the company was forced to release emergency out-of-band (OOB) updates to stop domain controller crashes.

Additional KB5082063 complications

Beyond the reboot loops, the KB5082063 update is plagued by other technical hurdles. Microsoft is currently investigating reports that the update is failing to install entirely on a subset of Windows Server 2025 systems. This creates a precarious situation for admins who must choose between leaving systems unpatched against security threats or risking a total system crash.

Furthermore, the company issued a warning on Wednesday regarding BitLocker complications. Some Windows Server 2025 devices are unexpectedly prompting users to enter BitLocker recovery keys immediately after the deployment of the April update. This adds another layer of operational friction, requiring admins to have recovery keys readily available to avoid prolonged downtime during the patching window.

FAQ

Which Windows Server versions are affected by the April 2026 reboot loops?
The issue impacts a wide range of enterprise versions, specifically Windows Server 2016, 2019, 2022, 2025, and Windows Server 23H2. Only non-Global Catalog (non-GC) domain controllers are affected.

What specific conditions trigger the LSASS crashes in KB5082063?
The crashes occur in environments that utilize Privileged Access Management (PAM). The reboot loops are typically triggered during the startup process, especially if the server attempts to process authentication requests very early in the boot sequence.

What should IT administrators do if their servers are already affected?
Since Microsoft is still working on a formal fix, administrators are advised to contact Microsoft Support for Business. The company has stated that there are mitigation measures available that can be applied to stabilize the system even after the update has been installed.
