April Patch Tuesday Bug Crashes LSASS on PAM-Enabled Domain Controllers — No Fix Yet

KB5082063, Microsoft's April 2026 cumulative update, is causing LSASS to crash on non-Global Catalog domain controllers in Privileged Access Management environments, triggering unrecoverable reboot loops that take down Active Directory authentication. Microsoft has confirmed the issue across all Windows Server versions from 2016 to 2025 and is developing a corrected update, but none is available yet.


Microsoft’s April 2026 cumulative update has introduced a post-deployment stability failure on a specific class of domain controllers. The bug puts Active Directory authentication at risk of complete outage and has no released fix as of 18 April — a precarious position for any enterprise that has already deployed the update to its domain controllers.

What Happened

Cumulative update KB5082063, released 14 April 2026 as part of April Patch Tuesday, triggers a crash in the Local Security Authority Subsystem Service (LSASS) during the post-reboot startup sequence on non-Global Catalog domain controllers in environments where Privileged Access Management is enabled for Active Directory. Because LSASS is responsible for Windows authentication, the crash is immediate and unrecoverable without administrator intervention: the domain controller restarts automatically, re-enters the same faulty authentication codepath, and enters a perpetual reboot loop.

The result is a self-inflicted denial of service against Active Directory. User logon, Kerberos ticket issuance, group policy processing, and all LDAP-bound applications stop functioning on affected domain controllers for the duration of the loop.

Which Environments Are Affected

Microsoft confirmed the issue across the following Windows Server versions:

  • Windows Server 2025
  • Windows Server 2022 and 23H2
  • Windows Server 2019
  • Windows Server 2016

Two conditions must both be present for the crash to trigger: the domain controller must be a non-Global Catalog server, and the AD forest must have Privileged Access Management enabled. Domain controllers already designated as Global Catalog servers are unaffected. Environments where PAM has not been configured are unaffected. End-user workstations and non-DC member servers are not exposed regardless of configuration.

This crash is also the third confirmed known issue from the April Patch Tuesday batch — the earlier two involved sign-in failures and an LSASS memory leak — which warrants a careful staged-deployment review before advancing the update further in the environment.

Available Workarounds

Microsoft has not released an out-of-band corrected update as of 18 April. Two mitigations are available:

Engage Microsoft Support for Business. Microsoft is distributing a targeted mitigation applicable to domain controllers that have already received KB5082063 and to those that have not yet been updated. This is the recommended path: it does not require Active Directory architecture changes.

Temporarily promote affected DCs to Global Catalog servers. This removes the triggering condition by eliminating the non-GC status. Microsoft explicitly notes this is a temporary measure — Global Catalog promotion expands a server’s replication scope, increases storage and bandwidth consumption, and should be reviewed against the site topology before implementation. It is not appropriate to apply broadly without an AD architect’s assessment.

Recommended actions while no corrected update is available:

  • Pause KB5082063 deployment on all domain controllers immediately. Suspend any scheduled patch management tasks targeting DCs. The update may continue rolling out to non-DC systems (workstations, member servers) where the defect does not apply.
  • Audit which DCs have already received KB5082063. Check Windows Update history. If affected DCs are in a PAM-enabled environment and are non-GC servers, assess whether any have entered or are at risk of entering the reboot loop.
  • If a DC is already in a reboot loop: engage Microsoft Support for Business for the available mitigation. Do not promote to Global Catalog without reviewing the site topology and consulting your AD architect.
  • Maintain offline BitLocker recovery keys for all domain controllers — any manual recovery operation on a looping DC may require them.
  • Monitor the Windows Server release health dashboard for updates to KB5082063’s known issue status. Subscribe to health alerts for prompt notification when a corrected update is available.
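The audit step above can be scripted against the three conditions the article describes (non-GC role, PAM enabled in the forest, KB5082063 already installed). The following is an added example, not Microsoft's mitigation or a script from the article; it assumes the ActiveDirectory PowerShell module is available and that the account running it can query each DC remotely.

```powershell
# Added example: inventory domain controllers for KB5082063 exposure.
# Assumes the ActiveDirectory RSAT module and WMI/DCOM access to each DC (Get-HotFix).
Import-Module ActiveDirectory

$Kb = 'KB5082063'   # the April 2026 cumulative update named in the article

# Condition 1: is the Privileged Access Management optional feature enabled in this forest?
# EnabledScopes is empty when the feature exists in the schema but was never enabled.
$pamFeature = Get-ADOptionalFeature -Filter 'Name -like "Privileged Access Management*"'
$pamEnabled = ($null -ne $pamFeature) -and ($pamFeature.EnabledScopes.Count -gt 0)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # A DC that does not answer may already be in the reboot loop; flag it rather than skip it.
    $reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet

    # Condition 3: has the update already been installed on this DC?
    $hasKb = $false
    if ($reachable) {
        $hasKb = [bool](Get-HotFix -Id $Kb -ComputerName $dc.HostName -ErrorAction SilentlyContinue)
    }

    # Condition 2 (non-GC) combined with the other two gives the at-risk set from the article.
    [pscustomobject]@{
        DC              = $dc.HostName
        Site            = $dc.Site
        IsGlobalCatalog = $dc.IsGlobalCatalog
        PamEnabled      = $pamEnabled
        HasKB5082063    = $hasKb
        Reachable       = $reachable
        AtRisk          = $pamEnabled -and (-not $dc.IsGlobalCatalog) -and $hasKb
    }
}

# Full inventory first, then the DCs that meet all three conditions (or are unreachable).
$report | Sort-Object AtRisk, Reachable -Descending | Format-Table -AutoSize
$report | Where-Object { $_.AtRisk -or -not $_.Reachable }
```

DCs listed as PAM-enabled, non-GC and patched are the ones to hold back from any further reboot until the Microsoft Support mitigation is in place; unreachable DCs should be checked at the console for the LSASS crash loop.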

Broader Context

Patch deployment pauses on domain controllers are operationally significant — they leave the AD tier unprotected against the 160-plus vulnerabilities addressed by the April batch, including CVE-2026-33826 (AD RPC RCE, CVSS 8.0) and CVE-2026-33824 (Windows IKE unauthenticated RCE, CVSS 9.8). The trade-off between patching risk and outage risk is a genuine tension that security and infrastructure teams must resolve together. The standard guidance applies: tier your patching, test on non-production DCs first, and never treat Patch Tuesday as a same-day deploy on critical authentication infrastructure.
