Situation
Microsoft's April 2026 Patch Tuesday cumulative update (KB5082063, released 14 April) contains a defect that crashes LSASS, the Windows authentication process, on one specific class of domain controller: non-Global Catalog DCs in forests where the Privileged Access Management optional feature is enabled. After the update these DCs enter an automatic reboot loop and cannot self-recover. For as long as the loop persists, an affected DC cannot authenticate users, issue Kerberos tickets, answer LDAP directory queries, or process group policy. Microsoft has confirmed the issue, is providing a workaround through a Support for Business engagement, and is developing a corrected cumulative update; none had been released as of 18 April 2026.
Business Impact
Active Directory domain controllers are the authentication backbone of enterprise networks. A non-GC domain controller in the reboot loop provides no authentication or directory service at all. Depending on which DCs are affected and which roles they hold (PDC emulator, RID master, the only authentication server for a site), the failure can cascade to user logon failures across the site or domain, loss of access to file shares and applications that use integrated Windows authentication, inability to apply group policy, and disruption of privileged administrative workflows that depend on PAM-enabled access tiers. Organisations that have already deployed KB5082063 to domain controllers need to triage immediately.
Immediate Actions Required
- Pause KB5082063 deployment on all domain controllers: suspend every patch management task (WSUS approvals, ConfigMgr or Intune deployments, Windows Update rings) that targets DCs until the corrected update is available. Non-DC systems (workstations, member servers) are unaffected and can keep receiving the update.
- Identify affected DCs: check the installed-update list on every domain controller (Windows Update history, or Get-HotFix run remotely). Any non-GC DC in a PAM-enabled forest that has received KB5082063 is at risk; one that has stopped answering should be assumed to be in the loop already and checked at the console or through out-of-band management.
- Engage Microsoft Support for Business: Microsoft is providing a targeted mitigation both for DCs already in the loop and for those not yet updated. This is the preferred remediation path over the architectural workaround.
- Do not promote DCs to Global Catalog without architect review: the alternative workaround (promoting non-GC DCs to GC servers) changes replication scope, because a GC holds a partial read-only replica of every domain in the forest, and is not suitable for all site topologies.
- Confirm BitLocker recovery key availability for every domain controller in the estate; any offline recovery work on a protected DC (booting into WinRE or safe mode) will prompt for the key before the system volume can be unlocked.
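The identification step above, as an added triage script that is not part of the advisory or of any Microsoft tooling. It assumes the RSAT ActiveDirectory module, an account that can read the forest and query installed updates on each DC over RPC/DCOM (which is what Get-HotFix uses), and the KB number named above; the PAM feature is matched by the built-in optional feature name. A DC that is already in the reboot loop will not answer the hotfix query, so the script reports unreachable non-GC DCs as high risk rather than treating them as an error.

```powershell
#Requires -Modules ActiveDirectory
# Added triage example (not Microsoft's or the advisory's own script).
# Assumptions: RSAT AD module; forest read access; RPC/DCOM reachability to each DC.
$Kb = 'KB5082063'   # KB id named in the advisory

# 1. Forest-level precondition: the PAM optional feature. EnabledScopes stays empty until it is enabled.
$pam        = Get-ADOptionalFeature -Filter 'Name -like "Privileged Access Management*"'
$pamEnabled = ($pam.EnabledScopes | Measure-Object).Count -gt 0
Write-Host "PAM optional feature enabled in forest: $pamEnabled"

# 2. Every DC in every domain of the forest, with the attributes that matter for this defect.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

# 3. Per DC: GC flag, FSMO roles, and whether the update is present.
#    Querying the full hotfix list and filtering avoids the "hotfix not found" error that
#    Get-HotFix -Id raises on a healthy DC that simply does not have the update.
$report = foreach ($dc in $dcs) {
    $update = 'not installed'
    try {
        $hit = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
               Where-Object HotFixID -eq $Kb
        if ($hit) { $update = 'installed' }
    } catch {
        $update = 'unreachable'   # a DC already in the reboot loop lands here
    }

    # Rank 0 is most urgent; used only for sorting the table.
    if (-not $pamEnabled)              { $rank = 3; $risk = 'none: PAM not enabled in this forest' }
    elseif ($dc.IsGlobalCatalog)       { $rank = 2; $risk = 'low: GC server, outside the affected class' }
    elseif ($update -eq 'installed')   { $rank = 0; $risk = 'HIGH: non-GC DC has the update, expect reboot loop' }
    elseif ($update -eq 'unreachable') { $rank = 0; $risk = 'HIGH: non-GC DC not answering, check console for reboot loop' }
    else                               { $rank = 1; $risk = 'at risk: non-GC DC without the update, hold the patch' }

    [pscustomobject]@{
        HostName = $dc.HostName
        Domain   = $dc.Domain
        Site     = $dc.Site
        GC       = $dc.IsGlobalCatalog
        FSMO     = ($dc.OperationMasterRoles -join ',')
        Update   = $update
        Rank     = $rank
        Risk     = $risk
    }
}

$report | Sort-Object Rank, Site | Format-Table HostName, Site, GC, FSMO, Update, Risk -AutoSize
$report | Export-Csv -NoTypeInformation -Path ".\dc-$Kb-triage.csv"
```

The FSMO column is there so that a high-risk DC holding the PDC emulator or RID master role stands out in the first pass; the CSV gives the Support for Business engagement a complete list of in-scope hosts.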
Strategic Tension
Pausing KB5082063 on domain controllers leaves them exposed to the 160-plus vulnerabilities addressed by the April batch, including CVE-2026-33824 (Windows IKE unauthenticated RCE, CVSS 9.8) and CVE-2026-33826 (Active Directory RPC RCE, CVSS 8.0). This is an unavoidable trade-off until Microsoft releases the corrected update. During the pause window, security teams should increase monitoring of domain controller network exposure for exploitation attempts against the unpatched April vulnerabilities and accelerate compensating controls where available: network segmentation, firewall rules that restrict the RPC endpoint mapper and dynamic RPC range to trusted subnets, and, where the DCs are not IPsec/IKE endpoints, filtering IKE (UDP 500 and 4500) to them at the host or network firewall.
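An added exposure check for the pause window, not from Microsoft or the advisory, covering the IKE surface named above. It assumes WinRM access to each DC and reports, per DC, whether the IKE/AuthIP service (IKEEXT) is running, whether UDP 500 or 4500 is bound, and which enabled inbound allow rules admit those ports. It changes nothing: whether IKEEXT can be stopped or its ports filtered depends on whether the estate relies on IPsec to its DCs (domain isolation, IPsec-secured RPC), which has to be confirmed first. DCs already in the reboot loop will not answer and are simply absent from the output.

```powershell
#Requires -Modules ActiveDirectory
# Added exposure check (not Microsoft's or the advisory's own script).
# Assumptions: WinRM to every DC; read-only, makes no configuration change.
$dcNames = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $dcNames -ErrorAction SilentlyContinue -ScriptBlock {
    # IKE and AuthIP IPsec Keying Modules service: the process that listens for IKE.
    $svc   = Get-Service -Name IKEEXT
    # Are the IKE/NAT-T ports actually bound on this host right now?
    $bound = Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 500, 4500 }

    # UDP port filters that expose IKE (explicit 500/4500, or an 'Any'-port rule),
    # joined back to their rules and reduced to enabled inbound allow rules.
    $rules = Get-NetFirewallPortFilter -Protocol UDP |
        Where-Object { $_.LocalPort -contains '500' -or $_.LocalPort -contains '4500' -or $_.LocalPort -eq 'Any' } |
        Get-NetFirewallRule -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    [pscustomobject]@{
        IKEEXT       = "$($svc.Status)/$($svc.StartType)"
        IkeUdpBound  = [bool]$bound
        InboundRules = ($rules.DisplayName | Sort-Object -Unique) -join '; '
    }
} | Format-Table PSComputerName, IKEEXT, IkeUdpBound, InboundRules -AutoSize -Wrap
```

A DC that shows IKEEXT stopped and no bound IKE ports is not reachable through the IKE surface regardless of firewall rules; a DC that shows the ports bound together with an 'Any'-port allow rule is the case to take to the network team first.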
For Board or Executive Briefing
Microsoft's April security update has a defect that can render domain controllers, the servers that control who can authenticate to the corporate network, inoperable in organisations that use specific enterprise privilege management features. We have paused the update on those servers. Our systems are temporarily more exposed to the vulnerabilities the patch was meant to fix, but a controlled pause is preferable to an authentication outage affecting the entire organisation. We are monitoring Microsoft's status page and will apply the corrected update as soon as it is released, likely within days.