Microsoft released emergency out-of-band (OOB) updates, after its April Patch Tuesday updates broke domain controllers across multiple Windows Server versions. The issue started with the Local Security Authority Subsystem Service (LSASS). It crashed during boot, which forced servers into continuous restart loops and made authentication services unavailable across affected networks.
This problem was not confined to updated systems. New domain controllers also crashed when they handled authentication requests before the boot sequence completed.
Windows Server 2025 faced a second, separate problem: security update KB5082063 failed to install on some devices, leaving those systems unpatched until the OOB fix arrived.
Action required: If you manage Windows Server domain controllers, apply the relevant OOB update immediately. Do not wait for the next Patch Tuesday cycle.
What Microsoft Fixed in the Emergency Updates
Microsoft released OOB updates for seven Windows Server versions. The Windows Server 2025 fix (KB5091157) resolves both the installation failure and the LSASS reboot issue. Updates for all other versions address only the reboot loop.
| Windows Server Version | KB & OS Build | Type |
|---|---|---|
| Windows Server 2025 | KB5091157 / 26100.32698 | Standard |
| Windows Server 23H2 | KB5091571 / 25398.2276 | Standard |
| Windows Server 2022 | KB5091575 / 20348.5024 | Standard |
| Windows Server 2019 | KB5091573 / 17763.8647 | Standard |
| Windows Server 2016 | KB5091572 / 14393.9062 | Standard |
| Server 2025 Datacenter: Azure Edition | KB5091470 / 26100.32704 | Hotpatch |
| Server 2022 Datacenter: Azure Edition | KB5091576 / 20348.5029 | Hotpatch |
“The Windows Server 2025 OOB update (KB5091157) addresses both the installation failure issue and the domain controller restart issue. OOB updates released for other supported Windows Server versions address only the domain controller restart issue.”— Microsoft, Windows Message Center
BitLocker recovery adds a third complication
Microsoft also warned admins that some Windows Server 2025 devices boot into BitLocker recovery mode after installing KB5082063 — the same update that fails to install on certain systems. Affected users must enter a BitLocker recovery key before the server comes back online, adding manual intervention to an already disruptive situation.
Windows Server Is Stuck in a Cycle of Emergency Fixes
This isn’t an isolated incident. Microsoft has already released several rounds of emergency updates in 2026 alone. Earlier fixes addressed a Bluetooth device visibility bug and security vulnerabilities in the Routing and Remote Access Service (RRAS) management tool affecting hotpatch-enabled Windows 11 Enterprise devices. Two other OOB rounds resolved broken Microsoft account sign-ins and installation failures tied to the March 2026 non-security preview update.
Microsoft also recently patched a long-standing bug — present since September 2024 that caused Windows Server 2019 and 2022 machines to upgrade themselves to Windows Server 2025 without administrator approval.
What to Do If Your Servers Are Affected
Act immediately if your environment runs any affected Windows Server version. Apply the correct out-of-band (OOB) update using the KB numbers listed above instead of waiting for the next Patch Tuesday cycle. For Windows Server 2025, installing KB5091157 resolves all known issues, including the LSASS reboot loop, the KB5082063 installation failure, and the unexpected BitLocker recovery prompt.
For other Windows Server versions, install the respective OOB updates to stop the reboot loop and restore domain controller stability. If you run Azure Edition servers, use the hotpatch updates instead of standard packages. After applying the update, restart the system and verify that authentication services and domain controller operations return to normal.
FAQs
What caused the Windows Server reboot loop issue?
The reboot loop was caused by crashes in the Local Security Authority Subsystem Service (LSASS) after the April 2026 security update, which made domain controllers restart continuously and broke authentication services.
Which Windows Server versions are affected after the April 2026 update?
The issue affects multiple versions, including Windows Server 2025, 23H2, 2022, 2019, and 2016, along with Azure Edition servers that require hotpatch updates.
Does the Windows Server emergency patch fix all April 2026 update issues?
The Windows Server 2025 update (KB5091157) fixes both the reboot loop and installation failure, while updates for other versions primarily fix the domain controller restart issue.
Why did some servers enter BitLocker recovery mode?
Some Windows Server 2025 systems entered BitLocker recovery after installing the April update, requiring administrators to manually enter recovery keys before accessing the system.
