Microsoft Issues Emergency Out‑of‑Band Updates to Stop Windows Server Domain Controller Crashes and Installation Failures
What Happened — Microsoft released out‑of‑band (OOB) patches for multiple Windows Server releases after the April 2026 Patch Tuesday updates caused installation failures on Server 2025 and forced domain‑controller servers to enter a restart loop due to LSASS crashes. The same updates also triggered BitLocker recovery prompts on some Server 2025 machines and unintentionally upgraded older servers to Server 2025.
Why It Matters for TPRM
- Critical infrastructure and SaaS providers often run Windows Server as a core component; a restart loop can halt authentication services enterprise‑wide.
- Installation‑failure bugs delay security‑patch deployment, extending exposure windows for known CVEs.
- Unexpected BitLocker recovery prompts can lead to data‑access interruptions and operational downtime for downstream customers.
Who Is Affected — Enterprises across all verticals that operate Windows Server 2016‑2025, especially those running domain‑controller roles or Azure‑enabled hot‑patch environments, and those relying on BitLocker for disk encryption.
Recommended Actions
- Verify that the OOB updates (KB5091157, KB5091571‑5, KB5091470, KB5091576) have been applied to all affected servers.
- Test domain‑controller restart behavior in a staging environment before production rollout.
- Review BitLocker recovery policies and ensure recovery keys are securely stored.
- Re‑evaluate patch‑management timelines; consider a “rapid‑response” window for future OOB releases.
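A read‑only audit script that walks the checks above on a single server is added here as an example; it is not from the BleepingComputer write‑up or from Microsoft. It assumes an elevated PowerShell session on the host being checked, an inventory build number you supply for the unintended‑upgrade check (20348 for Server 2022 is used as a stand‑in), and a rollout date you adjust to your own deployment window. The KB identifiers come from the advisory; the advisory writes one group as "KB5091571‑5", so that family is left as a placeholder for you to fill in from the Microsoft release notes.

```powershell
# Added example (not from the advisory source or from Microsoft): read-only post-patch audit
# for one Windows Server host. Run elevated. Assumptions are marked inline.

# OOB update IDs named in the advisory. The "KB5091571-5" family is a placeholder: add the
# exact IDs for your OS build from the Microsoft release notes.
$ExpectedOob = @('KB5091157', 'KB5091470', 'KB5091576')   # + KB5091571-5 family (fill in)

# Build you expect this host to be on, from your own inventory (assumption: 20348 = Server 2022).
# Catches the "older server unintentionally upgraded to Server 2025" case (26100 = Server 2025).
$ExpectedBuild = 20348

$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$isDc = $cs.DomainRole -in 4, 5

Write-Host "Host: $($cs.Name)  OS: $($os.Caption)  Build: $($os.BuildNumber)  DomainController: $isDc"

# 1. Unintended in-place upgrade: compare the running build to the inventory build.
if ([int]$os.BuildNumber -ne $ExpectedBuild) {
    Write-Warning "Build $($os.BuildNumber) differs from inventory build $ExpectedBuild; verify this host was not upgraded by the faulty update."
}

# 2. Presence of the OOB updates (Get-HotFix reads Win32_QuickFixEngineering).
$installed = (Get-HotFix).HotFixID
foreach ($kb in $ExpectedOob) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    Write-Host "  $kb : $state"
}

# 3. Evidence of LSASS crashes since the rollout: Application log, Event ID 1000
#    ("Application Error"), faulting module lsass.exe. The date is an assumption.
$since = Get-Date '2026-04-14'
$lsassCrashes = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' }
if ($isDc -and $lsassCrashes) {
    Write-Warning "$($lsassCrashes.Count) LSASS crash event(s) since $since; this DC may be in the restart loop described in the advisory."
}

# 4. BitLocker: every protected volume should carry a recovery-password protector whose ID is
#    escrowed, so an unexpected recovery prompt can be answered without data-access downtime.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rp) {
            Write-Warning "Volume $($vol.MountPoint) has no RecoveryPassword protector; a recovery prompt could not be satisfied from escrow."
        } else {
            Write-Host "  BitLocker $($vol.MountPoint): $(@($rp).Count) recovery password protector(s); confirm the IDs are escrowed in AD or Entra."
        }
    }
}
```

Run it from a staging domain controller first, as the second recommended action suggests, and feed the output into your patch tracker. The script only reads state; it does not install updates, reboot, or change BitLocker protectors, so it is safe to run broadly through a remoting session during the rapid‑response window.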
Technical Notes — The root cause appears to be a regression in the LSASS handling of early authentication requests and a conflict between KB5082063 and the server’s boot sequence, leading to LSASS crashes and BitLocker key prompts. No public CVE numbers were assigned to the regression itself, but the issue compounds existing CVEs addressed in the April 2026 security bundle. Source: BleepingComputer