Five days after Microsoft's April 2026 Patch Tuesday delivered 167 CVE fixes, two serious post-patch regressions emerged that threaten core Active Directory infrastructure. Microsoft released emergency out-of-band (OOB) updates on April 19 2026 for all affected Windows Server versions.
What Happened
Two distinct failures followed the April 8 cumulative update:
1. LSASS crash loop on non-Global Catalogue domain controllers. Domain controllers without the Global Catalogue (GC) role in Privileged Access Management (PAM) deployments running Windows Server 2016 through 2025 began entering continuous reboot loops. The April cumulative update caused LSASS (Local Security Authority Subsystem Service) to crash repeatedly, preventing the DC from completing startup and rendering it unavailable for authentication services.
2. BitLocker recovery mode on Windows Server 2025. A separate issue caused a subset of Windows Server 2025 systems to boot into BitLocker recovery after the update was applied, requiring physical or remote console access to enter the recovery key before the system would boot normally.
Affected Versions and OOB Patches
| Platform | OOB Update | Distribution |
|---|---|---|
| Windows Server 2025 | KB5091157 | Windows Update / WSUS / Download Center |
| Windows Server 2023 H2 | KB5091156 | Windows Update / WSUS |
| Windows Server 2022 | KB5091155 | Windows Update / WSUS |
| Windows Server 2019 | KB5091154 | Windows Update / WSUS |
| Windows Server 2016 | KB5091153 | Windows Update / WSUS |
These updates are cumulative and supersede the April 8 Patch Tuesday updates. They do not roll back any of the April security fixes.
Operational Impact
The LSASS crash loop failure has a cascade effect far beyond the individual domain controller. Active Directory authentication becomes unavailable for every service, application, and device relying on Kerberos or NTLM in the affected domain. In multi-DC deployments, domain controllers with the Global Catalogue role remained stable, but PAM environments often restrict GC placement, and branch-office deployments with a single non-GC domain controller faced complete authentication outages.
The BitLocker recovery scenario required manual recovery key entry before normal boot, a significant operational burden for server estates managed remotely or without a mature BitLocker key escrow process. Organisations without keys stored in AD DS, Entra ID, or MBAM faced extended outages.
Recommended Actions
- Install the appropriate OOB update immediately on all affected Windows Server versions; prioritise domain controllers and PAM hosts first, then all other Windows Server deployments.
- Verify LSASS stability post-patch by reviewing the Windows Application event log for Event ID 1000 (application fault, faulting application lsass.exe) before confirming resolution.
- Confirm BitLocker recovery key availability for all Windows Server 2025 systems; keys should be accessible in AD DS, Entra ID, or MBAM before applying any future cumulative update.
- Establish a staged DC patching ring that includes at least one non-GC domain controller in a non-production environment before production rollout; the April incident demonstrates that a PAM-specific regression can pass standard patching tests undetected.
- Review update deferral configuration for domain controller update rings; organisations with a seven-day deferral policy had the opportunity to detect and defer the problematic update before production DCs were affected.
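A post-patch verification script covering the checklist above, added here as an example (it is not from the article or from Microsoft). It assumes it runs elevated on the domain controller being verified, that the RSAT ActiveDirectory and BitLocker modules are present, that the OS caption contains the platform name, and it uses the KB numbers from the table above.

```powershell
#Requires -RunAsAdministrator
# Post-OOB health check for a patched domain controller (added example, not
# from the article or Microsoft). Assumes the RSAT ActiveDirectory and
# BitLocker modules are available on the server being verified.

# OOB KB per platform, as listed in the table above (assumption: the
# Win32_OperatingSystem caption contains one of these platform names).
$OobByPlatform = @{
    'Windows Server 2025' = 'KB5091157'
    'Windows Server 2022' = 'KB5091155'
    'Windows Server 2019' = 'KB5091154'
    'Windows Server 2016' = 'KB5091153'
}

function Test-OobInstalled {
    $caption  = (Get-CimInstance Win32_OperatingSystem).Caption
    $platform = $OobByPlatform.Keys | Where-Object { $caption -like "*$_*" } | Select-Object -First 1
    if (-not $platform) { return [pscustomobject]@{ Check='OOB update'; Ok=$false; Detail="no KB mapping for '$caption'" } }
    $kb  = $OobByPlatform[$platform]
    $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check='OOB update'; Ok=[bool]$hit; Detail="$platform expects $kb" }
}

function Test-LsassStable {
    # Application log, Event ID 1000 from the "Application Error" provider,
    # where the faulting application named in the message is lsass.exe.
    $filter  = @{ LogName='Application'; ProviderName='Application Error'; Id=1000; StartTime=(Get-Date).AddDays(-7) }
    $crashes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
                 Where-Object { $_.Message -match 'lsass\.exe' })
    [pscustomobject]@{ Check='LSASS crashes (7d)'; Ok=($crashes.Count -eq 0); Detail="$($crashes.Count) event(s)" }
}

function Test-RecoveryKeyEscrowed {
    # A RecoveryPassword protector must exist on the system drive and be
    # mirrored to AD DS as msFVE-RecoveryInformation under the computer object.
    $local = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
             Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $dn    = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $inAd  = Get-ADObject -SearchBase $dn -Filter 'objectClass -eq "msFVE-RecoveryInformation"'
    [pscustomobject]@{ Check='BitLocker key escrow'; Ok=([bool]$local -and [bool]$inAd); Detail="local=$([bool]$local) ad=$([bool]$inAd)" }
}

function Get-GcRole {
    # Non-GC DCs in PAM deployments were the ones hit by the crash loop, so record the role.
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check='Global Catalog'; Ok=$true; Detail=$(if ($dc) { "IsGlobalCatalog=$($dc.IsGlobalCatalog)" } else { 'not a DC' }) }
}

@(Test-OobInstalled; Test-LsassStable; Test-RecoveryKeyEscrowed; Get-GcRole) | Format-Table -AutoSize
```

Run it on each patched DC and treat any row with Ok=False as blocking before the host is declared resolved.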
Broader Context
Post-patch regressions affecting Active Directory carry disproportionate operational risk compared to failures on member servers or workstations. An LSASS crash loop on a domain controller cascades into authentication failures across every service, application, and device relying on that DC, including VPN authentication, remote desktop, and any application using Kerberos-based single sign-on. This makes domain controller patching a genuinely distinct risk category that warrants its own testing pipeline, separate monitoring, and a clearly documented rollback procedure.
The April incident also highlights the risk of deploying cumulative updates uniformly across all server roles on the same day. Domain controllers in PAM configurations represent a specialised subset; regression testing on standard member servers did not surface the failure before production deployment.