Microsoft: Some Windows servers enter reboot loops after April patches

Security Reporter

Microsoft confirms that Windows domain controllers are experiencing restart loops after installing April 2026 security updates, affecting systems using Privileged Access Management (PAM).

Microsoft has confirmed that some Windows domain controllers are entering restart loops due to Local Security Authority Subsystem Service (LSASS) crashes after installing the April 2026 security updates. The company also warned that Windows admins may encounter this issue when setting up new domain controllers, or even on existing ones, if the server processes authentication requests very early in the startup process.

"After installing the April 2026 Windows security update (KB5082063) and rebooting, non-Global Catalog (non-GC) domain controllers (DCs) in environments that use Privileged Access Management (PAM), might experience LSASS crashes during startup," Microsoft said in a release health dashboard update. "As a result, affected DCs may restart repeatedly, preventing authentication and directory services from functioning, and potentially rendering the domain unavailable."

This known issue only impacts organizations using Privileged Access Management (PAM) and is unlikely to affect personal devices that aren't managed by an IT department. The list of affected platforms includes systems running Windows Server 2025, Windows Server 2022, Windows Server 23H2, Windows Server 2019, and Windows Server 2016.

While Microsoft is still working on a fix, it advised IT administrators to contact Microsoft Support for Business for mitigation measures that can be applied even after deploying the April 2026 update.

Microsoft has addressed multiple domain controller issues caused by security updates in recent years, most recently resolving Windows Server authentication problems in June 2025, which were caused by the April 2025 security updates. Almost a year earlier, in May 2024, it fixed another known issue that triggered NTLM authentication failures and domain controller reboots after deploying the April 2024 Windows Server security updates. In March 2024, it released emergency out-of-band (OOB) updates to fix Windows domain controller crashes after installing the March 2024 Windows Server security patches.

Microsoft is now also investigating a separate issue causing this month's KB5082063 Windows security update to fail to install on some Windows Server 2025 systems.

On Wednesday, it also warned admins that some Windows Server 2025 devices may also prompt users to enter a BitLocker key after deploying the KB5082063 update.

Understanding the LSASS Crash Issue

The Local Security Authority Subsystem Service (LSASS) is a critical Windows process responsible for enforcing security policies, handling authentication requests, and managing user credentials. When LSASS crashes during startup, it triggers an automatic system restart, creating a continuous reboot loop that prevents the server from completing its boot sequence.

This particular issue affects non-Global Catalog domain controllers in environments that use Privileged Access Management (PAM). PAM is a security solution that provides time-limited, granular access to privileged accounts, reducing the attack surface by limiting standing administrative privileges. The interaction between PAM and the April 2026 security updates appears to create a timing conflict during the authentication process early in the startup sequence.

Impact and Affected Systems

The reboot loop issue specifically impacts:

  • Windows Server 2025
  • Windows Server 2022
  • Windows Server 23H2
  • Windows Server 2019
  • Windows Server 2016

Organizations using PAM with non-Global Catalog domain controllers on these platforms are at risk. Global Catalog servers, which hold a partial read-only replica of every other domain in the forest in addition to their own domain, appear to be unaffected by this particular issue.

Microsoft's Response and Mitigation

Microsoft has acknowledged the problem and is actively working on a permanent fix. In the meantime, the company recommends that affected organizations contact Microsoft Support for Business to obtain mitigation measures that can be applied even after the problematic updates have been installed.

This approach allows organizations to maintain their security posture while avoiding the disruptive reboot loops. The support team can provide guidance on temporary workarounds or configuration changes that may prevent the LSASS crashes during startup.

Historical Context: Recurring Domain Controller Issues

This incident is part of a concerning pattern of domain controller problems following Windows security updates. Microsoft has had to address similar issues multiple times in recent years:

  • June 2025: Fixed authentication problems caused by April 2025 security updates
  • May 2024: Resolved NTLM authentication failures and reboot issues from April 2024 updates
  • March 2024: Released emergency out-of-band updates for March 2024 security patches

These recurring issues highlight the complexity of maintaining enterprise Windows environments and the challenges of deploying security updates to critical infrastructure components like domain controllers.

Additional April 2026 Update Issues

Beyond the LSASS crash problem, Microsoft is investigating other issues with the April 2026 security updates:

  1. Installation failures on Windows Server 2025: Some systems are unable to complete the update process for KB5082063
  2. BitLocker key prompts: Windows Server 2025 devices may unexpectedly request BitLocker recovery keys after applying the update

These additional complications compound the challenges faced by IT administrators managing Windows Server environments.

Best Practices for IT Administrators

Given the recurring nature of these issues, IT administrators should consider the following approaches when managing Windows Server environments:

Testing and Staging

  • Always test security updates in a staging environment that mirrors production
  • Verify domain controller functionality after updates before deploying to critical systems
  • Maintain rollback procedures and system images for quick recovery

Monitoring and Detection

  • Implement monitoring to detect reboot loops and LSASS crashes
  • Set up alerts for authentication failures and directory service unavailability
  • Monitor update installation success rates across your server fleet
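The following PowerShell script is an added example, not part of the original article or of Microsoft's guidance. It lists the domain controllers that match the risk profile described above (non-Global Catalog, PAM enabled, KB5082063 installed) and looks for LSASS crash records and unexpected reboots in the last 24 hours. It assumes the RSAT ActiveDirectory module is available, that the fleet is reachable over WinRM/DCOM, that "PAM" here refers to the Active Directory optional feature named "Privileged Access Management Feature", and that the relevant events are Application Error 1000 (process crash), Wininit 1015 (critical process failed) and EventLog 6008 (unexpected shutdown).

```powershell
# Added example: flag DCs at risk for the April 2026 LSASS reboot loop and check for
# evidence that a loop is already under way. Assumptions are stated in the lead-in.
Import-Module ActiveDirectory

$Kb    = 'KB5082063'
$Since = (Get-Date).AddHours(-24)

# Forest-level optional feature; if it has no enabled scope the advisory does not apply.
$pam        = Get-ADOptionalFeature -Filter 'Name -like "Privileged Access Management*"'
$pamEnabled = [bool]($pam -and $pam.EnabledScopes.Count -gt 0)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name  = $dc.HostName
    $hasKb = [bool](Get-HotFix -Id $Kb -ComputerName $name -ErrorAction SilentlyContinue)

    # Application Error 1000 entries that name lsass.exe (user-mode crash record).
    $crashes = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; Id = 1000; StartTime = $Since } |
        Where-Object { $_.Message -match 'lsass\.exe' }
    # Wininit 1015: "A critical system process ... failed", which forces the restart.
    $critical = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 1015; StartTime = $Since } |
        Where-Object { $_.Message -match 'lsass\.exe' }
    # EventLog 6008: previous shutdown was unexpected (one per dirty reboot).
    $dirty = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 6008; StartTime = $Since }

    $lsassCount = @($crashes).Count + @($critical).Count
    [pscustomobject]@{
        DC                = $name
        GlobalCatalog     = $dc.IsGlobalCatalog
        PamEnabled        = $pamEnabled
        HasKB5082063      = $hasKb
        # Population named in the advisory: PAM in use, non-GC, update installed.
        AtRisk            = $pamEnabled -and -not $dc.IsGlobalCatalog -and $hasKb
        LsassCrashes      = $lsassCount
        UnexpectedReboots = @($dirty).Count
        # Heuristic: repeated dirty reboots plus at least one LSASS crash record
        # is treated as a loop rather than a one-off restart.
        LoopSuspected     = (@($dirty).Count -gt 2) -and ($lsassCount -gt 0)
    }
}

$report | Sort-Object LoopSuspected, AtRisk -Descending | Format-Table -AutoSize
```

A DC that is already looping will usually not answer remote queries, so an unreachable host in the AtRisk set is itself a finding; its event log can be read once the server is stable again.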

Communication and Planning

  • Communicate potential update issues to stakeholders and users
  • Schedule maintenance windows with rollback contingencies
  • Document known issues and mitigation steps for your team

The Broader Implications

These recurring update issues raise questions about the Windows update process and its impact on enterprise environments. Domain controllers are foundational to Windows network infrastructure, and their instability can cascade into widespread service disruptions.

The pattern of problems suggests that Microsoft's testing processes may not adequately capture the complex interactions in enterprise environments, particularly those using advanced security features like PAM. This creates a challenging situation where organizations must balance security patch deployment against operational stability.

Looking Forward

As Microsoft works on permanent fixes for these issues, organizations should:

  1. Stay informed through Microsoft's release health dashboard
  2. Maintain close contact with Microsoft Support for the latest mitigation guidance
  3. Consider the risk-benefit analysis of immediate versus delayed patch deployment
  4. Review and update disaster recovery procedures for domain controller failures

While security updates are essential for protecting against vulnerabilities, the recurring nature of these domain controller issues underscores the importance of thorough testing and having robust contingency plans in place.

The Windows Server community will be watching closely for Microsoft's permanent fix and hoping for improvements in the update testing and validation process to prevent similar issues in future security updates.
