Microsoft has confirmed that some Windows domain controllers are entering restart loops due to Local Security Authority Subsystem Service (LSASS) crashes after installing the April 2026 security updates.
The company also warned that Windows admins may encounter this issue when setting up new domain controllers, or even on existing ones, if the server processes authentication requests very early in the startup process.
“After installing the April 2026 Windows security update (KB5082063) and rebooting, non‑Global Catalog (non‑GC) domain controllers (DCs) in environments that use Privileged Access Management (PAM), might experience LSASS crashes during startup,” Microsoft said in a release health dashboard update.
“As a result, affected DCs may restart repeatedly, preventing authentication and directory services from functioning, and potentially rendering the domain unavailable.”
This known issue only impacts organizations using Privileged Access Management (PAM) and is unlikely to affect personal devices that aren’t managed by an IT department. The list of affected platforms includes systems running Windows Server 2025, Windows Server 2022, Windows Server 23H2, Windows Server 2019, and Windows Server 2016.
While Microsoft is still working on a fix, it advised IT administrators to contact Microsoft Support for Business for mitigation measures that can be applied even after deploying the April 2026 update.
Microsoft has addressed multiple domain controller issues caused by security updates in recent years, most recently resolving Windows Server authentication problems in June 2025, which were caused by the April 2025 security updates.
Almost a year earlier, in May 2024, it fixed another known issue that triggered NTLM authentication failures and domain controller reboots after deploying the April 2024 Windows Server security updates.
In March 2024, it released emergency out-of-band (OOB) updates to fix Windows domain controller crashes after installing the March 2024 Windows Server security patches.
Microsoft is now also investigating a separate issue causing this month’s KB5082063 Windows security update to fail to install on some Windows Server 2025 systems.
On Wednesday, it also warned admins that some Windows Server 2025 devices may also prompt users to enter a BitLocker key after deploying the KB5082063 update.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
