What happened
After installing the Microsoft KB5082063 update, shipped with the April 2026 Patch Tuesday, some Windows Server domain controllers enter an endless reboot loop because of an error in LSASS (Local Security Authority Subsystem Service). Microsoft has acknowledged it as a known issue on its Release Health page, noting that it primarily affects domain controllers that are not Global Catalog servers and that operate in environments with Privileged Access Management (PAM) enabled. Affected versions are Windows Server 2016, 2019, 2022, 23H2 and 2025.
Microsoft has also acknowledged a second related issue: on some Windows Server 2025 systems, the update fails to install correctly, and on other systems an unexpected BitLocker recovery key prompt may appear after the post-update reboot — an event that, if the key is not properly archived, can leave a server inaccessible. The permanent fix is in development; in the meantime Microsoft offers workarounds via enterprise support.
How to recognise the issue
The symptoms are concrete and visible within a few hours of installing KB5082063. If any of the following appears right after the April 2026 patch cycle, it is very likely the Microsoft known issue:
- Domain controller in continuous reboot — the server reboots in a loop, often without completing service start-up. The Event Log shows LSASS crashes (Event ID 1000), authentication failures (Event ID 4625) and Application log entries related to the security subsystem.
- Active Directory unreachable — clients cannot log on, group policies do not apply, Kerberos/NTLM calls fail. If the affected DC is the only reachable one for a site, the whole branch goes offline.
- BitLocker recovery prompt after reboot — some servers, after the post-install reboot, show the BitLocker recovery key prompt. If the key is not archived in Active Directory or Microsoft Entra ID, the system stays locked.
- Failing installation on Windows Server 2025 — the package does not apply correctly on some 2025 systems, leaving the server in a partial-patch state that may cause abnormal behaviour until the next cumulative update.
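The following triage script is an added example, not part of the original article: run on a domain controller, it checks whether the machine matches the profile Microsoft describes (KB5082063 installed, not a Global Catalog, PAM enabled) and counts the LSASS crash, logon failure and boot events listed above. It assumes the ActiveDirectory module (present on any DC), local administrator rights, and an arbitrary 24-hour lookback window.

```powershell
# Added triage script (not from the original article): does this DC match the
# known-issue profile, and is it showing the symptoms?
# Assumes: ActiveDirectory module, admin rights; $LookbackHours is arbitrary.
$Kb            = 'KB5082063'
$LookbackHours = 24
$since         = (Get-Date).AddHours(-$LookbackHours)

# 1. Is the problematic update installed?
$kbInstalled = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

# 2. Is this DC a Global Catalog? (Microsoft: mainly non-GC DCs are affected)
$dc   = Get-ADDomainController -Identity $env:COMPUTERNAME
$isGc = $dc.IsGlobalCatalog

# 3. Is the Privileged Access Management optional feature enabled in the forest?
$pam        = Get-ADOptionalFeature -Filter 'Name -like "Privileged Access Management*"'
$pamEnabled = [bool]($pam -and @($pam.EnabledScopes).Count -gt 0)

# 4. LSASS crashes: Application log, Event ID 1000 with lsass.exe as faulting app
#    (Get-WinEvent errors when nothing matches, hence SilentlyContinue)
$lsassCrashes = @(Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1000; StartTime=$since} `
    -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'lsass\.exe' })

# 5. Logon failures in the same window (Security log, Event ID 4625)
$logonFailures = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} `
    -ErrorAction SilentlyContinue)

# 6. Boots in the same window (System log, Event ID 6005 = Event Log service started)
$boots = @(Get-WinEvent -FilterHashtable @{LogName='System'; Id=6005; StartTime=$since} `
    -ErrorAction SilentlyContinue)

[pscustomobject]@{
    DomainController = $dc.HostName
    KbInstalled      = $kbInstalled
    IsGlobalCatalog  = $isGc
    PamEnabled       = $pamEnabled
    LsassCrashes     = $lsassCrashes.Count
    LogonFailures    = $logonFailures.Count
    BootsInWindow    = $boots.Count
}

if ($kbInstalled -and -not $isGc -and $pamEnabled -and $lsassCrashes.Count -gt 0) {
    Write-Warning "Profile matches the Microsoft known issue for $Kb on $($dc.HostName): isolate this DC and open an enterprise case."
}
```

Run it on every DC in the site (for example via Invoke-Command) and compare the output before deciding which DCs to isolate.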
Operational mitigations
While waiting for the Microsoft fix, here are the mitigations with immediate effect in production:
1. Pause KB5082063 on DCs not yet updated — use WSUS, Windows Update for Business or SCCM/Intune policies to pause KB5082063 deployment on domain controllers awaiting the fix, while keeping the patch on workstations, file servers and application servers.
2. Restore the pre-patch snapshot on affected DCs — if you have a consistent snapshot of the domain controller before installation, rollback is the fastest path. On a DC, a rollback must always be coordinated with Active Directory replication to avoid unintentional USN rollback.
3. Isolate the crashing DC and balance authentications — if multiple DCs are available, temporarily exclude the affected one from client DNS resolution (by removing it from the SRV records or shutting it down) and route authentications to the healthy DCs, prioritising the Global Catalog.
4. Recover the BitLocker keys for your servers — verify in advance that server recovery keys are archived in Active Directory or Microsoft Entra ID. For environments that do not, this is the moment to enable automatic key escrow to avoid finding yourself with an encrypted server and no key at hand.
5. Open an enterprise case with Microsoft — official workarounds for the LSASS crash are currently delivered through enterprise support. If the issue is blocking, this is the fastest and most traceable official path.
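For mitigation 4, the script below is an added example (not from the original article) that checks whether the OS volume's BitLocker recovery password is already escrowed in Active Directory and backs it up if it is not. It assumes the BitLocker and ActiveDirectory modules, a domain-joined server whose computer account may write msFVE-RecoveryInformation objects, and C: as the OS volume.

```powershell
# Added example (not from the original article): make sure this server's BitLocker
# recovery password is escrowed in AD before the next patch reboot.
# Assumes: BitLocker + ActiveDirectory modules, domain-joined, C: is the OS volume.
$MountPoint = 'C:'
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    Write-Output "$MountPoint is not BitLocker-protected; nothing to escrow."
    return
}

# Numerical recovery password protectors on this volume
$recoveryProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recoveryProtectors.Count -eq 0) {
    # No recovery password at all: add one, then re-read the volume
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recoveryProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

# What AD already holds: msFVE-RecoveryInformation objects under the computer object,
# whose CN ends with the protector GUID in braces
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$inAd = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -SearchBase $computerDn -SearchScope OneLevel -ErrorAction SilentlyContinue)

foreach ($kp in $recoveryProtectors) {
    $id = $kp.KeyProtectorId           # e.g. {GUID}, compared case-insensitively by -like
    $alreadyEscrowed = @($inAd | Where-Object { $_.Name -like "*$id*" }).Count -gt 0
    if ($alreadyEscrowed) {
        Write-Output "Protector $id already escrowed in AD."
    } else {
        Write-Output "Protector $id NOT found in AD: backing it up now."
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
    }
}
```

For servers whose identity lives in Microsoft Entra ID rather than on-premises AD, the equivalent backup cmdlet is BackupToAAD-BitLockerKeyProtector.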
Structured patch management as prevention
KB5082063 is not the first Microsoft update to break core domain controller components, and it will not be the last. The same April 2026 cycle also brought the topic of Kerberos enforcement and RC4 on Active Directory. For SMEs, the operational lesson is the same: Microsoft updates are not installed "on the fly" on critical systems. Controlled windows, pre-patch snapshots, a pilot ring and a documented rollback matrix are required.
AtWorkStudio manages patch management for clients’ critical systems with deployment rings, pre-production tests, consistent snapshots and agreed windows for high-risk installations. We have been operating from Piacenza (Italy) since 2000. We are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, ACN-qualified for SaaS cloud services, members of Clusit (Italian Association for Information Security) and associated with Confindustria Piacenza in the RICT cluster.
Sources
- Microsoft Release Health — Windows Server, known issue LSASS crash on domain controllers after KB5082063 (April 2026)
- Microsoft Security Update Guide — KB5082063, April 2026 (Windows Server 2016/2019/2022/23H2/2025)
- Microsoft 365 admin center — known issue notice on BitLocker recovery key prompt after the patch
- Red Hot Cyber — "Microsoft alert: the April patch can block enterprise authentication" (20 April 2026)