Microsoft Confirms LSASS Crashes Are Putting Some Domain Controllers into Reboot Loops
What Happened
Microsoft confirmed this week that the April 2026 Windows security update (KB5082063) is causing Local Security Authority Subsystem Service (LSASS) crashes on non-Global Catalog domain controllers running Privileged Access Management (PAM). Affected servers enter restart loops during early startup, before authentication and directory services can come online. The scope includes Windows Server 2025, 2022, 23H2, 2019, and 2016 — essentially every modern Windows Server release still in production. Microsoft is actively working on a fix and has advised affected organizations to contact Microsoft Support for Business for mitigation steps that can be applied post-update.
Why It Matters
Domain controllers are not optional. When LSASS crashes on a DC, the directory goes down — authentication fails, GPOs don't apply, and in many environments the domain simply becomes unavailable. This is not a desktop bug that inconveniences a few users. For organizations running PAM topologies (common in enterprises with privileged identity management requirements), this is an availability incident waiting to happen in any environment that hasn't patched yet — and possibly already happening for those that have. The pattern of April updates causing DC authentication issues is becoming a troubling annual tradition for Microsoft.
What Defenders Should Do
First, if you've already deployed KB5082063, check your DC health NOW: look in the Application log for event ID 1000 errors with faulting module lsass.exe. If you're still in your deployment window, test on a non-production DC before rolling out. For environments running PAM, prioritize identifying your non-GC DCs and flag them as sensitive; do not patch those without a tested rollback plan. If you're already affected, engage Microsoft Support immediately, and do not attempt to manually restore lsass.exe on a domain controller without guidance. Consider temporarily disabling automatic Windows Update deployment for DC workloads and routing those updates through your change management process with staged rollout controls.
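The checks above (which DCs are non-Global Catalog, whether the AD PAM optional feature is enabled, whether KB5082063 is installed, and whether lsass.exe is crashing) can be collected in one pass. The following PowerShell is an added triage example, not tooling from the article or from Microsoft; it uses only standard RSAT ActiveDirectory cmdlets plus Get-HotFix and Get-WinEvent. It assumes you run it from a management host (never from a DC that is itself looping) with rights to read each DC's hotfix list and Application log, and the seven-day look-back window is an arbitrary choice.

```powershell
# Added triage script for the LSASS known issue described above. Not Microsoft's tooling
# and not from the article. Assumptions: run from a management host with RSAT installed
# and rights to read each DC's Application log and hotfix list over RPC.
Import-Module ActiveDirectory

$Kb       = 'KB5082063'             # update named in the advisory
$LookBack = (Get-Date).AddDays(-7)  # crash-event window (assumption: one week)

# 1. Is the AD "Privileged Access Management Feature" optional feature enabled in this
#    forest? That PAM topology is the population the known issue is scoped to.
$pamFeature = Get-ADOptionalFeature -Filter { Name -like 'Privileged Access Management*' }
$pamEnabled = [bool]($pamFeature -and $pamFeature.EnabledScopes.Count -gt 0)

# 2. Walk every DC in the current domain (repeat with -Server for other domains in the
#    forest). Non-Global Catalog DCs in a PAM forest are the at-risk set.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $isGc    = [bool]$dc.IsGlobalCatalog
    $patched = 'unknown'
    $crashes = 'unknown'

    # 3. Is the update installed? A DC stuck in the early-boot reboot loop will not answer
    #    RPC at all, so a failure here is a finding in its own right, not noise.
    try {
        $patched = [bool](Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                          Where-Object HotFixID -eq $Kb)
    } catch { $patched = 'unreachable' }

    # 4. Application Error event 1000 entries naming lsass.exe. The event text carries both
    #    "Faulting application name" and "Faulting module name"; match on either field.
    try {
        $events  = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $LookBack
        }
        $crashes = @($events | Where-Object { $_.Message -match 'lsass\.exe' }).Count
    } catch {
        # Get-WinEvent reports an empty result as an error; treat that as zero crashes,
        # anything else as the DC being unreachable.
        $crashes = if ($_.Exception.Message -match 'No events were found') { 0 } else { 'unreachable' }
    }

    [pscustomobject]@{
        DC              = $dc.HostName
        Site            = $dc.Site
        IsGlobalCatalog = $isGc
        AtRisk          = ($pamEnabled -and -not $isGc)   # scope stated in the advisory
        HasKB5082063    = $patched
        LsassCrashes7d  = $crashes
    }
}

"PAM optional feature enabled in forest: $pamEnabled"
$report | Sort-Object AtRisk -Descending | Format-Table -AutoSize
```

Read the table from the top: a row with AtRisk = True and HasKB5082063 = True is a DC that matches the advisory's scope and has the update installed, so it needs a tested rollback plan before anything else touches it; any row showing 'unreachable' or a non-zero LsassCrashes7d is the one to raise with Microsoft Support first. Rows with AtRisk = False but the update installed are still worth watching, since Global Catalog DCs are outside the described scope but not outside the blast radius of a domain losing its other DCs.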
What It Signals
This is the third consecutive April update cycle where Microsoft security patches have broken domain controller authentication in some way. April 2024 caused NTLM failures and DC reboots. April 2025 caused Windows Server authentication problems. April 2026 is now causing LSASS crashes on PAM DCs. The pattern suggests Microsoft is still struggling to fully regression-test AD authentication paths across diverse PAM configurations before shipping security updates. For security teams, the lesson is that "patch Tuesday" for domain controllers is not a trivial event — it needs the same staged rollout discipline you'd apply to any critical infrastructure change. Auto-patching DCs was always a bad idea; incidents like this one confirm it.
References
Microsoft Release Health Dashboard: Known Issue KB5082063
BleepingComputer: Microsoft Warns of Reboot Loops Affecting Some Domain Controllers
BleepingComputer: Microsoft Fixes Windows Server Auth Issues (April 2025)
BleepingComputer: Emergency Fix for Windows Server Crashes (March 2024)