PROBABLYPWNED
Vulnerabilities | April 19, 2026 | 4 min read

April Patch Breaks Windows Domain Controllers — LSASS Crashes Trigger Reboot Loops

Microsoft's KB5082063 causes LSASS crashes on non-Global Catalog domain controllers using PAM. Affected servers stuck in restart loops - no fix yet.

Marcus Chen

Microsoft has confirmed that Windows domain controllers are entering endless reboot loops after installing the April 2026 security updates. The culprit: LSASS crashes during startup that prevent authentication services from initializing.

The issue affects organizations using Privileged Access Management (PAM) on non-Global Catalog domain controllers — a configuration common in enterprise environments with tiered administrative models.

What's Happening

After installing KB5082063, affected domain controllers crash during the Local Security Authority Subsystem Service (LSASS) initialization phase. Because LSASS handles authentication, the crash prevents the system from completing startup, triggering an automatic restart — which then crashes again.

Microsoft's acknowledgment states: "After installing the April 2026 Windows security update (KB5082063) and rebooting, non-Global Catalog (non-GC) domain controllers in environments that use Privileged Access Management (PAM) might experience LSASS crashes during startup."

The loop continues until manual intervention, leaving affected domains without authentication services.

Affected Windows Server Versions

The issue impacts domain controllers running:

  • Windows Server 2025
  • Windows Server 2022
  • Windows Server 23H2
  • Windows Server 2019
  • Windows Server 2016

That covers essentially every currently supported Windows Server version in enterprise deployment. The scope is broad, though the specific triggering condition — non-GC DCs with PAM enabled — limits the blast radius to organizations with more sophisticated Active Directory architectures.

Third Year Running for April DC Breakage

This isn't Microsoft's first April stumble with domain controllers. In 2024, March updates caused DC crashes requiring an emergency out-of-band fix. The following month broke NTLM authentication, corrected in May. And now 2026 continues the pattern.

For enterprise IT teams, April Patch Tuesday has become something of a holding-your-breath moment for Active Directory infrastructure. The pattern of Windows Defender zero-days disclosed last week only adds to the pressure on security teams trying to balance patching urgency against stability risks.

No Fix Available Yet

As of April 17, Microsoft is still working on a permanent resolution. The company advises affected organizations to contact Microsoft Support for Business for mitigation guidance. No specific workarounds have been publicly documented.

Options for affected organizations are limited:

  1. Contact Microsoft Support for mitigation steps (the only official guidance)
  2. Delay the patch on non-GC domain controllers using PAM — but this leaves security vulnerabilities unpatched
  3. Promote affected DCs to Global Catalog as a potential workaround (requires careful planning)
  4. Roll back KB5082063 if systems haven't been restarted (though Microsoft doesn't recommend uninstalling security updates)

The catch-22 is familiar to anyone managing enterprise Windows infrastructure: the same update that breaks DCs also patches the SharePoint zero-day that's being actively exploited. Skipping the update entirely isn't a great option either.

Impact Assessment

Organizations relying on PAM for privileged account protection are typically more security-conscious environments — government agencies, financial institutions, and enterprises with mature security programs. These are exactly the organizations least likely to skip security updates.

The timing compounds the frustration. April's Patch Tuesday addressed over 160 vulnerabilities including an actively exploited SharePoint flaw and the BlueHammer/RedSun Defender vulnerabilities. Delaying patches to avoid the DC crash means extending exposure to real threats.

Testing Recommendations

For organizations that haven't yet deployed KB5082063:

  1. Inventory domain controllers using PAM configurations
  2. Identify non-Global Catalog DCs that may be affected
  3. Test in isolated environments before production deployment
  4. Prepare rollback procedures and ensure recent backups exist
  5. Monitor Microsoft's update on the known issue
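The first two steps above (inventory PAM use, identify non-GC DCs) plus a check of which DCs already carry KB5082063 can be scripted. The following PowerShell is an added example, not from the article or from Microsoft. It assumes the RSAT ActiveDirectory module, an account allowed to read forest configuration, and WMI/DCOM reachability to each DC for Get-HotFix; the forest optional feature name "Privileged Access Management Feature" is the standard name of the PAM feature, and the output file name is a constructed placeholder.

```powershell
# Added example (not the article's code): flag domain controllers that match the
# condition Microsoft describes for the KB5082063 LSASS crash, namely a non-Global
# Catalog DC in a forest where the PAM optional feature is enabled, and record
# whether each DC has already installed the update.
#Requires -Modules ActiveDirectory

param(
    [string]$Kb = 'KB5082063'   # the April 2026 update named in the article
)

Import-Module ActiveDirectory

# 1. Is the forest-level PAM optional feature enabled? EnabledScopes is non-empty
#    once the feature has been switched on (it cannot be switched off again).
$pam        = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
$pamEnabled = (@($pam.EnabledScopes)).Count -gt 0
Write-Host "PAM optional feature enabled in forest: $pamEnabled"

# 2. Enumerate every DC in every domain of the forest, noting GC role and OS.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $dcs) {
    # 3. Has the update been installed on this DC? Get-HotFix queries the host
    #    over WMI; an unreachable host is recorded as $null rather than skipped.
    $kbInstalled = $null
    try {
        $kbInstalled = [bool](Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                              Where-Object HotFixID -eq $Kb)
    } catch {
        Write-Warning "Could not query hotfixes on $($dc.HostName): $($_.Exception.Message)"
    }

    [pscustomobject]@{
        HostName        = $dc.HostName
        Domain          = $dc.Domain
        OS              = $dc.OperatingSystem
        IsGlobalCatalog = $dc.IsGlobalCatalog
        KbInstalled     = $kbInstalled                      # $null = could not query
        # Matches the advisory's trigger: non-GC DC in a PAM-enabled forest
        AtRisk          = ($pamEnabled -and -not $dc.IsGlobalCatalog)
    }
}

$report | Sort-Object AtRisk -Descending | Format-Table -AutoSize

# 4. DCs that match the trigger and have not yet installed the update are the
#    ones to hold back (or to test in isolation first) until Microsoft ships a fix.
$hold = @($report | Where-Object { $_.AtRisk -and $_.KbInstalled -ne $true })
if ($hold.Count -gt 0) {
    Write-Warning ("{0} non-GC DC(s) in a PAM-enabled forest have not installed {1}; consider deferring the update there." -f $hold.Count, $Kb)
}
# Constructed output path; adjust to suit.
$report | Export-Csv -Path '.\dc-pam-risk-inventory.csv' -NoTypeInformation
```

DCs already listed with KbInstalled = True and AtRisk = True are the ones that will hit the crash on their next reboot, so the inventory also tells you where a rollback decision is still open. The script only reads; it neither uninstalls the update nor changes any GC flag.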

The NIST NVD's recent changes to CVE enrichment mean organizations should be tracking vendor advisories more closely than ever. Microsoft's Security Update Guide and the Windows Release Health dashboard are the authoritative sources for known issues like this one.

Microsoft has not provided an estimated timeline for a fix. Given the severity of leaving domain controllers offline, an out-of-band update seems likely — but enterprise IT teams are stuck waiting in the meantime.
