Cloud & Infrastructure April 20, 2026 5 min read

Microsoft Issues 7 Emergency Patches After April Update Crashes Windows Server Domain Controllers

April's cumulative update KB5082063 caused LSASS to crash in restart loops on domain controllers across Windows Server 2016–2025. Seven out-of-band patches released April 20 fix the regression.

Microsoft shipped seven emergency out-of-band patches on April 20 after its April 2026 Patch Tuesday cumulative update broke Windows Server domain controllers. The culprit: KB5082063, which caused the Local Security Authority Subsystem Service (LSASS) to crash in continuous restart loops on affected machines — taking Active Directory authentication down with it.

LSASS handles Windows authentication, password changes, and Active Directory operations. A domain controller with a crashing LSASS is not a degraded service — it’s a full outage. Organizations relying on domain controllers for login, Group Policy enforcement, and file share access were locked out until either the OOB patch was applied or KB5082063 was rolled back.

The regression affects every currently supported Windows Server version. Here are the out-of-band KB numbers to deploy:

  • Windows Server 2025 → KB5091157
  • Windows Server 2022 → KB5091575
  • Windows Server 23H2 → KB5091571
  • Windows Server 2019 → KB5091573
  • Windows Server 2016 → KB5091572
  • Azure Datacenter editions → KB5091470 and KB5091576

This is a stability regression, not a security vulnerability. No CVEs or CVSS scores have been assigned. The out-of-band release bypasses the normal monthly cadence because a crashing domain controller warrants immediate response — Microsoft doesn’t wait for next Patch Tuesday when Active Directory is down.

The OOB patches are available via Windows Update (WSUS / WUfB), the Microsoft Update Catalog, or direct KB download from the Support site. Organizations with rapid Windows Update rollout schedules will likely have already hit the issue. Those with deferred update rings of 7 days or more may not have deployed KB5082063 yet — pausing that deployment prevents the crash entirely.
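A per-server triage check against the KB list above, as an added PowerShell example that is not from Microsoft or the original article. It assumes the standard build number for each release (14393, 17763, 20348, 25398, 26100), that Azure Edition hosts can be recognised from the OS caption, and that `Get-HotFix` reports the cumulative updates; the function name and state labels are hypothetical.

```powershell
# Added example: classify one server against the KBs listed in this article.
# KB numbers come from the article; build numbers are standard Windows Server versioning.
$RegressedKb = 'KB5082063'
$FixByBuild = @{
    '26100' = @('KB5091157')   # Windows Server 2025
    '20348' = @('KB5091575')   # Windows Server 2022
    '25398' = @('KB5091571')   # Windows Server 23H2
    '17763' = @('KB5091573')   # Windows Server 2019
    '14393' = @('KB5091572')   # Windows Server 2016
}
$AzureFixes = @('KB5091470', 'KB5091576')  # article does not say which release each targets

function Get-LsassRegressionState {        # hypothetical helper name
    param([string]$BuildNumber, [string]$Caption, [string[]]$InstalledKbs)
    # Assumption: Azure Edition hosts carry "Azure Edition" in Win32_OperatingSystem.Caption
    $expected = if ($Caption -match 'Azure Edition') { $AzureFixes } else { $FixByBuild[$BuildNumber] }
    if (-not $expected) { return 'UnknownRelease' }
    if (@($InstalledKbs | Where-Object { $expected -contains $_ }).Count -gt 0) { return 'Fixed' }
    if ($InstalledKbs -contains $RegressedKb) { return 'AtRisk' }
    return 'NotExposed'                    # neither the April update nor the OOB fix is installed
}

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$kbs   = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
$state = Get-LsassRegressionState -BuildNumber $os.BuildNumber -Caption $os.Caption -InstalledKbs $kbs

# LSASS crashes recorded in the last 7 days (Application Error, event ID 1000)
$crashes = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'lsass\.exe' })

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    DomainController = ($os.ProductType -eq 2)   # 2 = domain controller
    State            = $state
    LsassCrashes7d   = $crashes.Count
}
```

A host reporting `AtRisk` with `DomainController` set to true is the combination the article describes; `NotExposed` hosts are the ones where pausing KB5082063 still applies.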

Admins who can’t immediately apply the OOB patches have one alternative: roll back KB5082063 using DISM or the Server Manager uninstall feature. This restores the March cumulative baseline but removes the security fixes from April’s Patch Tuesday, which addressed two actively exploited zero-days (a critical SharePoint flaw and an IKEv2 RCE scoring CVSS 9.8). The OOB patches are the right path. The rollback is a last resort.

The blast radius of a crashing LSASS extends well beyond the domain controller itself. Exchange Server, SharePoint, VDI environments, and any remote access solution that authenticates against Active Directory become unavailable. A single domain controller in a restart loop can cascade across an entire organization’s Windows-dependent services.

April’s Patch Tuesday was already the largest of the year, fixing 167 vulnerabilities. The LSASS regression suggests the cumulative update was insufficiently tested against domain controller configurations before release — an environment that Microsoft’s own global infrastructure runs on.

The fix is straightforward: deploy the OOB patches listed above immediately. If change management processes block same-day deployment, roll back KB5082063 and schedule the OOB patch for the next available window. Don’t leave domain controllers in a crash loop while waiting for a change advisory board meeting.