
There is a bitter irony in a security patch disabling the very infrastructure that enterprise security runs on — but that is exactly what Microsoft's April 2026 update has managed to do.
Microsoft has confirmed that KB5082063, its April 2026 cumulative security update, is causing Windows domain controllers (the servers that manage user authentication and access across corporate networks) to crash and enter endless restart loops.
The culprit is LSASS — the Local Security Authority Subsystem Service — a core Windows process that handles login requests and enforces security policies. When LSASS fails on a domain controller, the entire domain can go dark.
The problem occurs specifically on non-Global Catalog domain controllers in environments running Privileged Access Management (PAM), a security framework enterprises use to tightly control administrator-level access. After the update is installed and the server reboots, LSASS crashes mid-startup — then the server reboots again, and again, in a loop that prevents authentication and directory services from coming back online.
Microsoft has also warned that this can occur when provisioning brand-new domain controllers or when processing authentication requests early in the startup sequence on existing ones.
Five Windows Server versions are confirmed affected: 2025, 2022, 23H2, 2019, and 2016 — essentially the entire modern enterprise server fleet.
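An exposure check for the conditions described above, added here as an example and not taken from Microsoft's guidance: it lists every domain controller, flags those that are non-Global Catalog in a PAM-enabled environment, and reports whether KB5082063 is installed. It assumes the ActiveDirectory PowerShell module is available and that "PAM" corresponds to the Active Directory optional feature named `Privileged Access Management Feature`.

```powershell
# Added example: inventory DCs matching the conditions described in the article.
# Requires the ActiveDirectory module (RSAT) and rights to query hotfixes remotely.
Import-Module ActiveDirectory

$Kb = 'KB5082063'   # update ID taken from the article

# Assumption: "PAM" is detected via the AD optional feature of this name;
# a non-empty EnabledScopes list means the feature is enabled.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
$pamEnabled = [bool]($pam -and $pam.EnabledScopes.Count -gt 0)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Listing all hotfixes and filtering locally separates "not installed"
    # from "host unreachable" (for example, a DC stuck in a restart loop).
    try {
        $installed = [bool](Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object HotFixID -eq $Kb)
        $kbState = if ($installed) { 'Installed' } else { 'NotInstalled' }
    } catch {
        $kbState = 'Unreachable'
    }

    [pscustomobject]@{
        HostName        = $dc.HostName
        Site            = $dc.Site
        OperatingSystem = $dc.OperatingSystem
        GlobalCatalog   = $dc.IsGlobalCatalog
        PamEnabled      = $pamEnabled
        KbState         = $kbState
        # Matches the reported trigger: non-GC DC in a PAM-enabled environment.
        MatchesTrigger  = ($pamEnabled -and -not $dc.IsGlobalCatalog)
    }
}

# Show DCs that match the trigger conditions first.
$report |
    Sort-Object -Property @{ Expression = 'MatchesTrigger'; Descending = $true }, HostName |
    Format-Table -AutoSize
```

A DC reported as `Unreachable` with `MatchesTrigger` set to true is worth checking by hand, since a server caught in the restart loop cannot answer the remote hotfix query.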
No permanent fix exists yet. Microsoft is directing affected administrators to contact Microsoft Support for Business, where a mitigation is available — one that can reportedly be applied even after the problematic update has already been installed, removing the need to roll back the patch entirely.
This is not a one-off stumble. Microsoft has shipped domain controller-breaking updates in March 2024, April 2024, and April 2025. The pattern is becoming difficult to ignore for enterprise IT teams whose patch management workflows now need to account for the possibility that security updates will break authentication infrastructure.
KB5082063 also carries two other known issues: a failure to install on some Windows Server 2025 systems, and a separate bug that prompts BitLocker recovery key entry on devices with specific Group Policy configurations.
Organisations running PAM environments should deploy KB5082063 and monitor Microsoft's Windows Release Health dashboard closely until a permanent fix ships.