Windows domain reboot loops: KB5082063 LSASS crashes for PAM sites

KB5082063 LSASS – Microsoft says some PAM-enabled non-Global Catalog domain controllers can restart repeatedly after KB5082063, due to LSASS crashes during early authentication startup—breaking logins and directory services.
Microsoft has confirmed a new Windows Server reliability problem tied to its April 2026 security updates. In specific enterprise setups, some domain controllers can fall into restart loops after installing KB5082063, driven by Local Security Authority Subsystem Service (LSASS) crashes.
The issue matters most for organizations that rely on Privileged Access Management (PAM) and push authentication traffic as servers boot. Misryoum breaks down what’s happening, who’s likely affected, and why this kind of authentication-layer failure can ripple across an entire network.
LSASS crashes can trap non-Global Catalog domain controllers in reboot cycles
After the April 2026 update (KB5082063) is installed and the server reboots, non-Global Catalog (non-GC) domain controllers in PAM environments may crash during startup. Microsoft attributes the behavior to LSASS instability that can occur when the system receives authentication requests very early in the boot process.
When LSASS crashes repeatedly, affected domain controllers may keep restarting. The practical outcome is severe: authentication and directory services can stop working, which can prevent users and services from accessing the domain.
Why PAM and early startup authentication are the trigger
This isn’t presented as a general Windows problem for every device. Misryoum notes the conditions are deliberately narrow: the behavior is limited to organizations using PAM, and it’s tied to the timing of authentication handling during startup.
In real deployments, that timing can be influenced by how privileged workflows are wired. PAM systems often require tight control over administrative access, and they may generate identity and authentication demands that arrive quickly after the server begins processing. If LSASS encounters a fault at the moment it needs to verify credentials or broker security decisions, the whole domain controller can become unstable.
The bigger risk isn’t just that a server becomes temporarily unavailable—it’s that authentication is a foundational service. If enough domain controllers are affected, it can degrade login reliability, interrupt service accounts, and complicate recovery attempts while administrators are trying to restore directory operations.
Which Windows Server versions are in the known-issue scope
Microsoft lists affected platforms that include Windows Server 2025, Windows Server 2022, Windows Server 23H2, Windows Server 2019, and Windows Server 2016. The issue is framed as a known behavior that can surface not only after applying KB5082063, but also during the setup of new domain controllers.
Misryoum’s takeaway for IT teams: treat the update as not just something to “install and forget.” For domain controllers—especially those configured for privileged access workflows—post-patching validation needs to include early-boot stability checks and authentication health verification, not only service uptime.
What administrators can do while a fix is still being worked on
Microsoft says it is still working on a fix, but it advises administrators to contact Microsoft Support for Business for mitigation guidance that can be applied even after deploying the April 2026 update.
That phrasing is important for operations planning. Many enterprises use phased rollouts, change windows, and rapid rollback strategies. Here, there may not be a simple one-step reversal once KB5082063 is already in place and the environment is producing repeated crashes. Waiting passively could mean prolonged periods where authentication remains unreliable.
Misryoum also wants to underline a pattern seen repeatedly in Windows patching cycles: security updates can correct one class of issues while triggering unexpected interactions in complex identity architectures. The domain controller is a high-stakes component, and PAM adds additional layers of identity enforcement that can expose timing and stability edge cases.
Recent Windows domain-controller issues show the stakes of patch timing
Microsoft has had to address multiple domain controller problems linked to security updates in recent years. Misryoum remembers that in June 2025, Windows Server authentication problems caused by April 2025 security updates were resolved. Before that, in May 2024, Microsoft fixed an issue that triggered NTLM authentication failures and domain controller reboots after deploying April 2024 Windows Server security updates.
Going further back, March 2024 included emergency out-of-band updates to address domain controller crashes after March 2024 security patches. Taken together, the history points to one operational lesson: domain controller patching often needs extra caution, more testing, and faster communications inside incident-response channels when things go wrong.
Separate warning: KB5082063 install failures and BitLocker key prompts on Server 2025
While the LSASS restart-loop issue is tied to PAM environments, Microsoft is also investigating a separate problem where KB5082063 may fail to install on some Windows Server 2025 systems. In addition, admins were warned that some Windows Server 2025 devices might prompt users to enter a BitLocker key after deploying the KB5082063 update.
For Misryoum readers, the takeaway is simple: April 2026 KB5082063 is not a “single risk” update. It appears to carry multiple operational hazards—some affecting identity infrastructure directly, others affecting patch deployment behavior or disk-encryption workflows. Enterprises that manage change control should consider widening their validation checklist beyond domain controller functionality.
In the meantime, the most defensible approach is to follow Microsoft’s mitigation guidance for affected PAM setups, monitor domain controller health closely after reboots, and avoid assumptions that “security patch = safe on every server role.” When LSASS is involved, stability can be the difference between routine maintenance and a login outage.
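The post-patch validation described above (early-boot stability checks plus authentication health verification) and the advice to watch domain controller health closely after reboots can be turned into one check script. The following PowerShell is an added example written for this page; it is not code from the article, from Misryoum, or from Microsoft. It assumes it runs elevated on the domain controller with the ActiveDirectory RSAT module installed. The KB number comes from the article; the event IDs are standard Windows log signatures (Application Error 1000 for a faulting lsass.exe, Wininit 1015 for a critical-process failure, EventLog 6008 for an unexpected shutdown, Kernel-General 12 for an OS start); the 24-hour window, the "three boots looks like a loop" threshold, and the `InScope` test (patch installed, PAM optional feature enabled, not a Global Catalog) are assumptions derived from the article's description, not Microsoft's own detection logic.

```powershell
# Added example (not from the article or Microsoft): post-patch validation for one DC.
# Assumed values: $HoursBack, $LoopThreshold, and the InScope rule below.
param(
    [string]$Kb            = 'KB5082063',
    [int]   $HoursBack     = 24,
    [int]   $LoopThreshold = 3
)
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DcScopeInfo {
    # Does this DC match the conditions the known issue describes:
    # patch present, PAM optional feature enabled in the forest, and not a Global Catalog?
    $dc     = Get-ADDomainController -Identity $env:COMPUTERNAME
    $pam    = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue   # absent = not deployed or install failed
    $pamOn  = [bool]($pam -and $pam.EnabledScopes.Count -gt 0)
    [pscustomobject]@{
        Computer        = $dc.HostName
        IsGlobalCatalog = $dc.IsGlobalCatalog
        PamEnabled      = $pamOn
        PatchInstalled  = [bool]$hotfix
        InScope         = [bool]$hotfix -and $pamOn -and -not $dc.IsGlobalCatalog   # assumed rule
    }
}

function Get-EarlyBootInstability {
    # Early-boot stability: LSASS faults, critical-process failures, dirty shutdowns,
    # and how many OS starts fall inside the window (a reboot loop shows up as many starts).
    $since = (Get-Date).AddHours(-$HoursBack)
    $lsassFaults = @(Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Application Error'; Id=1000; StartTime=$since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass\.exe' })
    $critical = @(Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Microsoft-Windows-Wininit'; Id=1015; StartTime=$since } -ErrorAction SilentlyContinue)
    $dirty    = @(Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='EventLog'; Id=6008; StartTime=$since } -ErrorAction SilentlyContinue)
    $boots    = @(Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=12; StartTime=$since } -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        LsassFaults          = $lsassFaults.Count
        CriticalProcessExits = $critical.Count
        UnexpectedShutdowns  = $dirty.Count
        BootCount            = $boots.Count
        LastBoot             = ($boots | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        # Assumed heuristic: repeated starts combined with any LSASS/critical-process failure.
        LoopSuspected        = ($boots.Count -ge $LoopThreshold) -and ($lsassFaults.Count -gt 0 -or $critical.Count -gt 0)
    }
}

function Test-AuthenticationHealth {
    # Authentication health: secure channel to the domain plus dcdiag's advertising/services tests.
    $domain  = (Get-ADDomain).DNSRoot
    $scQuery = (nltest /sc_query:$domain 2>&1 | Out-String)
    $dcdiag  = (dcdiag /test:Advertising /test:Services /test:KnowsOfRoleHolders 2>&1 | Out-String)
    [pscustomobject]@{
        SecureChannelOk = ($scQuery -match 'NERR_Success')
        DcdiagFailures  = @([regex]::Matches($dcdiag, 'failed test (\w+)') | ForEach-Object { $_.Groups[1].Value })
    }
}

$scope = Get-DcScopeInfo
$boot  = Get-EarlyBootInstability
$auth  = Test-AuthenticationHealth
$scope | Format-List
$boot  | Format-List
$auth  | Format-List

$healthy = (-not $boot.LoopSuspected) -and $auth.SecureChannelOk -and ($auth.DcdiagFailures.Count -eq 0)
if ($scope.InScope -and -not $healthy) {
    Write-Warning "$($scope.Computer) matches the $Kb known-issue conditions and is unhealthy: engage Microsoft Support for Business for the mitigation before the next reboot."
} elseif ($scope.InScope) {
    Write-Output "$($scope.Computer) matches the $Kb known-issue conditions but looks healthy now; keep watching it through the next reboot."
} else {
    Write-Output "$($scope.Computer) is outside the $Kb known-issue conditions (healthy: $healthy)."
}
```

The script only identifies whether a controller matches the article's conditions and whether the crash-loop symptoms are already present; it applies no mitigation, which per the article comes from Microsoft Support. Run it once before the change window to record a baseline and again after each reboot, and treat a missing `PatchInstalled` on a Server 2025 host as a pointer to the separate install-failure issue rather than as a clean result.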