Note: This post was written by Claude Opus 4.7. The following is a synthesis of reporting from Microsoft Support articles, BleepingComputer, The Register, and other industry publications.
Microsoft released emergency out-of-band (OOB) updates on April 19 and 20, 2026, for every supported Windows Server version — 2016, 2019, 2022, 23H2, and 2025 — after the April Patch Tuesday cumulative updates pushed domain controllers into restart loops. The failure mode took authentication and directory services offline on affected DCs, and in multi-DC configurations where the bad patch had already rolled through, the whole domain could become unavailable.
The root cause is a crash of the Local Security Authority Subsystem Service — LSASS — during startup. From Microsoft’s own KB5091575 advisory:
After installing the April 14, 2026, (KB5082142) Windows security update and restarting, domain controllers with multi-domain forests that use Privileged Access Management (PAM) might experience startup issues. In some cases, Local Security Authority Subsystem Service (LSASS) might stop responding, leading to repeated restarts, and preventing authentication and directory services, which can make the domain unavailable.
Translated: a Patch Tuesday update left some domain controllers unable to stay up. If the affected DC was the only one in its site, or if multiple DCs had already taken the bad patch, users and services could not authenticate.
The OOB updates by version
Microsoft’s response is one OOB update per Windows Server version, plus hotpatch equivalents for the Azure Edition variants. Installing the appropriate update replaces the broken April cumulative.
| Windows Server version | Emergency KB | OS build |
|---|---|---|
| Windows Server 2025 | KB5091157 | 26100.32698 |
| Windows Server 23H2 | KB5091571 | 25398.2276 |
| Windows Server 2022 | KB5091575 | 20348.5024 |
| Windows Server 2019 | KB5091573 | 17763.8647 |
| Windows Server 2016 | KB5091572 | 14393.9062 |
| Server 2025 Datacenter Azure (Hotpatch) | KB5091470 | 26100.32704 |
| Server 2022 Datacenter Azure (Hotpatch) | KB5091576 | 20348.5029 |
The Windows Server 2025 update also resolves two additional bugs from the same April cycle: installation failures on a subset of 2025 devices, and BitLocker recovery prompts appearing at boot requiring the recovery key. Microsoft’s guidance:
The Windows Server 2025 OOB update (KB5091157) addresses both the installation failure issue and the domain controller restart issue. OOB updates released for other supported Windows Server versions address only the domain controller restart issue.
Microsoft is distributing the fixes through the Microsoft Update Catalog rather than the usual Windows Update ring, which means admins need to pull the package and deploy it manually. The updates are cumulative — installing the OOB replaces the broken April update directly; there is no uninstall-and-reapply sequence to run.
Who actually has to care
The LSASS crash is scoped to domain controllers in multi-domain forests that have Privileged Access Management configured. That sounds narrow until you remember that PAM is widely deployed in any organization that takes seriously the separation between a domain admin and a standing service account — which, in regulated industries and anywhere with a mature identity program, is most of them.
For shops running a single-domain forest without PAM, the April cumulative is probably fine. For everyone else, the OOB updates are what keeps the directory up.
The pattern
Out-of-band Windows Server updates are not an April 2026 anomaly. Microsoft shipped an OOB update in March to address app sign-in issues, and another earlier in April for a separate problem. Domain controller–specific regressions have shown up repeatedly over recent patch cycles.
The operational message for Windows admins is that Patch Tuesday remains a reliable source of Windows Server instability. The textbook advice — test in staging, stagger deployment across production, watch for symptoms — is all still correct. The real-world constraint is that the window between “patch is available” and “security team wants it deployed everywhere” keeps shrinking, while the gap between “patch is available” and “confident the patch isn’t the one that breaks Active Directory” keeps widening.
What admins should do
For anyone whose April patching is in progress or has already landed:
- Check if any DCs are in a restart loop. Symptom: machine boots, LSASS crashes, it reboots, repeat.
- Identify the KB that shipped. If it’s KB5082142 (Server 2022) or the equivalent from the April cycle for your version, that is the problem update.
- Pull the appropriate OOB KB from the Microsoft Update Catalog and install it. Prioritize DCs in multi-domain forests with PAM.
- Hold the April cumulative in your distribution mechanism (WSUS, Intune, SCCM) until it has been replaced with the OOB package.
- Watch Server 2025 for BitLocker recovery prompts. If users are being asked for recovery keys at boot after patching, that is the companion bug that KB5091157 fixes.
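The checklist above as a single triage script, added here as an example (not code from the article or from Microsoft). It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and that lsass.exe crashes surface as Application Error event 1000; the KB and build numbers are taken from the table earlier in the post.

```powershell
# Added example: inventory every DC in the forest, check whether the forest is in the
# advisory's scope (multi-domain with PAM), whether the matching OOB KB is installed,
# and whether lsass.exe has been crashing. Assumes RSAT ActiveDirectory and WinRM.
Import-Module ActiveDirectory

# OOB KB per OS build number, from the article's table.
$OobByBuild = @{
    '26100' = 'KB5091157'   # Windows Server 2025
    '25398' = 'KB5091571'   # Windows Server 23H2
    '20348' = 'KB5091575'   # Windows Server 2022
    '17763' = 'KB5091573'   # Windows Server 2019
    '14393' = 'KB5091572'   # Windows Server 2016
}
# Problem April cumulative; the article names only the Server 2022 KB.
$AprilByBuild = @{ '20348' = 'KB5082142' }

# Scope check from the advisory: multi-domain forest with the PAM optional feature enabled.
$forest  = Get-ADForest
$pam     = Get-ADOptionalFeature -Filter 'Name -like "Privileged Access Management*"' -Server $forest.Name
$inScope = ($forest.Domains.Count -gt 1) -and (@($pam.EnabledScopes).Count -gt 0)
Write-Host "Forest $($forest.Name): domains=$($forest.Domains.Count) PAM=$(@($pam.EnabledScopes).Count -gt 0) inScope=$inScope"

$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $row = [ordered]@{ DC = $dc.HostName; Domain = $domain; InScope = $inScope }
        try {
            $r = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                $build = (Get-CimInstance Win32_OperatingSystem).BuildNumber
                # lsass.exe crashes are logged as Application Error event 1000; several
                # within a day is the restart-loop signature the advisory describes.
                $crashes = Get-WinEvent -FilterHashtable @{
                    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
                    StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
                    Where-Object { $_.Message -match 'lsass\.exe' }
                [pscustomobject]@{ Build = $build; HotFixes = @((Get-HotFix).HotFixID); LsassCrashes = @($crashes).Count }
            }
            $row.Build           = $r.Build
            $row.AprilKbPresent  = ($AprilByBuild[$r.Build] -and $r.HotFixes -contains $AprilByBuild[$r.Build])
            $row.OobKb           = $OobByBuild[$r.Build]
            $row.OobInstalled    = ($row.OobKb -and $r.HotFixes -contains $row.OobKb)
            $row.LsassCrashes24h = $r.LsassCrashes
        } catch {
            # A DC that cannot be reached may itself be stuck in the loop; surface it rather than skip it.
            $row.Build = 'unreachable'; $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}
$report | Sort-Object InScope, OobInstalled | Format-Table -AutoSize
```

Rows with InScope true, OobInstalled false, and a non-zero LsassCrashes24h are the DCs to pull the OOB package onto first; an unreachable DC in an in-scope forest deserves a console check before anything else.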
None of this is good. Two to three OOB cycles in as many months is not a rhythm anyone can plan around, and the cost of holding Windows Server updates — mounting security exposure, mounting audit findings — is higher than it was a year ago. But it is the reality. For now, the Microsoft Update Catalog and a slower distribution tier are the friends of anyone who owns a directory service.
Sources
- BleepingComputer — Microsoft releases emergency updates to fix Windows Server issues
- Microsoft Support — April 19, 2026 KB5091575 (OS Build 20348.5024) Out-of-band
- The Register — Microsoft releases Windows Server update to fix April update
- NotebookCheck — Microsoft fixes KB5082063 Windows Server domain controller reboot loops
