Microsoft ships out-of-band patches after April updates crash Windows Server domain controllers

Microsoft pushed emergency updates across every supported Windows Server release after the April 2026 Patch Tuesday rollout broke core infrastructure. The primary failure mode was an LSASS crash loop on domain controllers — servers processing authentication requests early in boot would repeatedly restart, a condition that also hit fresh DC promotions. A separate issue blocked the KB5082063 security update from installing cleanly on Windows Server 2025.

The OOB set covers Server 2016 through 2025, including the Azure Edition hotpatch variants. Only the Server 2025 update (KB5091157) fixes both the install failure and the DC restart loop; the other builds address the LSASS loop alone. Microsoft separately flagged that some Server 2025 machines boot into BitLocker recovery after KB5082063 and prompt for the recovery key.

This is the latest in a sustained run of regressions in the Windows Server servicing stream — a September 2024 bug was only just resolved that was silently upgrading Server 2019 and 2022 hosts to 2025, and recent months have produced OOB fixes for RRAS vulnerabilities, Bluetooth discovery, and broken Microsoft account sign-ins. The cumulative pattern suggests pre-release validation on server SKUs, particularly identity-critical roles, is not catching regressions that enterprises then absorb in production.