April 2026 Windows Server patch causes reboot loops on PAM domain controllers

4 min read

If you manage a Windows Server environment, you have one more reason to look carefully at the April 2026 updates: some domain controllers are entering restart loops after this month's security patch is applied, and the apparent cause is a failure of the Local Security Authority Subsystem Service (LSASS) process during boot.

LSASS is the system component responsible for validating credentials and enforcing security policy at the domain level. When that service fails very early in the boot process, the server can reboot repeatedly before directory services become operational, leaving machines on the network unable to authenticate and potentially rendering the domain unusable until the problem is resolved. According to Microsoft, the problem mainly affects domain controllers that are not Global Catalog servers and that operate in environments using Privileged Access Management (PAM).


Microsoft identifies the affected update as the April 2026 release (KB5082063) and notes that the affected versions include Windows Server 2016, 2019, 2022, version 23H2 and Windows Server 2025. The company has published information on its Release Health dashboard and recommends that administrators contact business support to receive guidance and mitigations that can be applied even if the update has already been installed. You can check the official information on the status of each version on Microsoft's Release Health portal: https://learn.microsoft.com/en-us/windows/releases/, and review the update details in the Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide.

It is important to note that this problem is not a general one for personal computers; it is limited to managed environments that use Privileged Access Management for Active Directory. If you want to learn more about what PAM is and how it changes the authentication flow in Active Directory, Microsoft has technical documentation on the subject: Advanced Access Management for Active Directory.

In addition to the restart problem, Microsoft has warned of other side effects associated with the same update: on some servers running Windows Server 2025 the patch installation could fail, and on certain machines a BitLocker recovery key prompt may appear after the update. If your organization uses BitLocker, it is recommended that you have the recovery keys at hand and review the official guidance on managing them: BitLocker Recovery Guide.

The concern is understandable: in recent years Microsoft has repeatedly had to deal with update-related problems affecting domain controllers and authentication in Windows Server. In 2025 and 2025, incidents had already occurred that forced out-of-band fixes or temporary advisories and workarounds. This recurrence highlights how critical it is to plan patch deployment carefully in Active Directory infrastructure.

What can administrators do while Microsoft works on a final fix? The most prudent approach is to act with caution: avoid restarting or updating all domain controllers at the same time, prioritize patch testing in pre-production environments, and maintain documented recovery procedures (virtual machine snapshots, System State backups, BitLocker key documentation). If you have already run into the problem, Microsoft urges you to open a case with its business support to obtain specific instructions and post-installation mitigations: Contact Microsoft Support for Business.


It is also advisable to monitor system logs for signs of LSASS failures and repeated restarts, and to temporarily isolate the affected controllers so that they do not disrupt domain operation. Not extrapolating the incident to workstations that are not managed by an IT team avoids unnecessary alarm: the focus on PAM environments and non-GC controllers limits the scope of the problem to corporate infrastructure.
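As an added example (not the article's nor Microsoft's code), the following PowerShell gathers, on a single domain controller, the signals the paragraph above suggests watching: whether the server is a Global Catalog, whether the PAM optional feature is enabled, whether KB5082063 is installed, and how many unexpected restarts and LSASS-related System log events occurred recently. It assumes the RSAT ActiveDirectory module is available and that it runs on the domain controller itself; matching `lsass.exe` in event messages is a heuristic I am assuming, not a documented event ID.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the article or Microsoft. Run on the domain controller.
# Event IDs 6008 (EventLog: previous shutdown was unexpected) and 41
# (Kernel-Power: rebooted without clean shutdown) are standard Windows IDs;
# the lsass.exe message match below is an assumed heuristic.

function Get-DcPatchExposure {
    param(
        [string]$Kb = 'KB5082063',   # update named in the advisory
        [int]$LookbackHours = 72     # how far back to scan the System log
    )
    $since = (Get-Date).AddHours(-$LookbackHours)

    # Role facts: is this DC a Global Catalog, and is PAM enabled in the forest?
    $dc  = Get-ADDomainController -Identity $env:COMPUTERNAME
    $pam = Get-ADOptionalFeature -Filter 'Name -like "Privileged*"'
    $pamEnabled = [bool]($pam.EnabledScopes)

    # Is the April 2026 update already installed on this host?
    $installed = [bool](Get-HotFix | Where-Object HotFixID -eq $Kb)

    # Unexpected restarts since $since (empty result is not an error here).
    $crashes = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 6008, 41; StartTime = $since
    } -ErrorAction SilentlyContinue)

    # Any System log entry mentioning lsass.exe in the same window (heuristic).
    $lsass = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'lsass\.exe' })

    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        IsGlobalCatalog         = $dc.IsGlobalCatalog
        PamEnabled              = $pamEnabled
        UpdateInstalled         = $installed
        UnexpectedRestarts      = $crashes.Count
        LsassEvents             = $lsass.Count
        # Profile the advisory describes: non-GC DC, PAM in use, update applied.
        MatchesAffectedProfile  = (-not $dc.IsGlobalCatalog) -and $pamEnabled -and $installed
    }
}

Get-DcPatchExposure | Format-List
```

A `MatchesAffectedProfile` of `True` together with a non-zero `UnexpectedRestarts` count is the combination worth escalating to Microsoft business support; run the function across all controllers before deciding which ones to patch or hold back.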

The situation is a reminder that, in critical infrastructure such as Active Directory, patch management must combine speed in closing vulnerability vectors with caution, testing and rollback plans. Keep an eye on Microsoft's Release Health and security dashboards and, if you are responsible for production domains, prioritize communication with your support providers to minimize operational impact.

