
Microsoft has released out-of-band (OOB) emergency updates to resolve multiple critical issues that affect Windows Server systems after the April 2026 security updates are installed. The updates address installation failures, LSASS crashes causing restart loops on domain controllers, BitLocker recovery prompts, and an unexpected upgrade bug that has plagued servers since September 2024.
LSASS Crashes Causing Domain Controller Restart Loops
The most severe issue addressed by these emergency updates involves the Local Security Authority Subsystem Service (LSASS) crashing on Windows servers running domain controller roles. This causes affected servers to enter an endless restart loop, rendering them unavailable for authentication and network services.
Microsoft warned that this issue may occur when setting up new domain controllers or on existing ones if the server processes authentication requests very early during the startup sequence. Given that domain controllers are critical infrastructure components handling authentication for entire networks, this bug could have significant enterprise impact.
To address the LSASS restart loop issue, Microsoft has released emergency updates for various Windows Server versions:
- Windows Server 2025: KB5091157 (OS Build 26100.32698)
- Windows Server, version 23H2: KB5091571 (OS Build 25398.2276)
- Windows Server 2022: KB5091575 (OS Build 20348.5024)
- Windows Server 2019: KB5091573 (OS Build 17763.8647)
- Windows Server 2016: KB5091572 (OS Build 14393.9062)
- Windows Server 2025 Datacenter: Azure Edition: Hotpatch KB5091470 (OS Build 26100.32704)
- Windows Server 2022 Datacenter: Azure Edition: Hotpatch KB5091576 (OS Build 20348.5029)
Installation Failure on Windows Server 2025 Resolved
Microsoft confirmed last week that some administrators experienced failures when installing the KB5082063 security update on Windows Server 2025 devices. This installation failure left servers in an inconsistent state and prevented critical security patches from being applied.
The emergency update KB5091157 (OS Build 26100.32698) resolves this installation failure issue for Windows Server 2025, ensuring that administrators can successfully deploy the April 2026 security updates without encountering errors.
BitLocker Recovery Issue on Windows Server 2025
On Wednesday, Microsoft also warned administrators that some Windows Server 2025 devices would boot into BitLocker recovery and prompt users to enter a BitLocker key after installing the KB5082063 Windows security update. This unexpected behavior could cause server downtime and access issues, particularly in environments where BitLocker recovery keys are not readily available or properly documented.
The emergency updates address this BitLocker recovery issue, preventing servers from becoming inaccessible after applying the April security updates.
Unexpected Upgrade Bug Finally Fixed
Microsoft has finally addressed a long-standing bug that has been affecting Windows servers since September 2024. This issue caused devices running Windows Server 2019 and Windows Server 2022 to unexpectedly upgrade to Windows Server 2025 without administrator consent.
This unexpected upgrade behavior could disrupt production environments, cause compatibility issues with existing applications, and create licensing complications. The fix ensures that servers remain on their current operating system version unless explicitly upgraded by administrators.
Additional Security Issues Addressed
Since the start of the year, Microsoft has also released emergency updates to resolve other notable issues:
- A Bluetooth device visibility bug affecting Windows 11 Enterprise devices with hotpatch enabled
- Security vulnerabilities in the Routing and Remote Access Service (RRAS) management tool that impact hotpatch-enabled Windows 11 Enterprise devices
These additional patches highlight Microsoft’s ongoing efforts to address both functional bugs and security vulnerabilities in enterprise-focused Windows environments.
Recommendations for Administrators
Given the critical nature of these issues, administrators should prioritize applying these emergency updates as soon as possible. The LSASS crashes and BitLocker recovery issues can cause significant server downtime and access problems, while the unexpected upgrade bug could disrupt production environments.
Before applying updates, administrators should:
- Ensure BitLocker recovery keys are documented and accessible
- Verify backup systems are operational
- Schedule maintenance windows to minimize disruption
- Test updates in non-production environments when feasible
Microsoft’s emergency updates are available through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. Administrators should verify they are deploying the correct KB for their specific Windows Server version and edition.
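One way to run the pre-deployment checks above on a server, as an added PowerShell example (not code from Microsoft or the original article). The KB and build table is copied from the list in this article; detecting Azure Edition from the OS caption and comparing the registry build revision (UBR) against the listed build are assumptions of the example.

```powershell
# Added example: pre-flight check before deploying the out-of-band update.
# KB numbers and OS builds below are copied from the list in this article.
$oob = @(
    [pscustomobject]@{ Build = 26100; Azure = $false; UBR = 32698; KB = 'KB5091157' }  # Server 2025
    [pscustomobject]@{ Build = 26100; Azure = $true;  UBR = 32704; KB = 'KB5091470' }  # 2025 Azure Edition (hotpatch)
    [pscustomobject]@{ Build = 25398; Azure = $false; UBR = 2276;  KB = 'KB5091571' }  # version 23H2
    [pscustomobject]@{ Build = 20348; Azure = $false; UBR = 5024;  KB = 'KB5091575' }  # Server 2022
    [pscustomobject]@{ Build = 20348; Azure = $true;  UBR = 5029;  KB = 'KB5091576' }  # 2022 Azure Edition (hotpatch)
    [pscustomobject]@{ Build = 17763; Azure = $false; UBR = 8647;  KB = 'KB5091573' }  # Server 2019
    [pscustomobject]@{ Build = 14393; Azure = $false; UBR = 9062;  KB = 'KB5091572' }  # Server 2016
)

$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$os      = Get-CimInstance Win32_OperatingSystem
$build   = [int]$cv.CurrentBuildNumber
$ubr     = [int]$cv.UBR
# Assumption: the Azure Edition SKU is recognisable from the OS caption.
$isAzure = $os.Caption -match 'Azure Edition'

$target = $oob | Where-Object { $_.Build -eq $build -and $_.Azure -eq $isAzure }
if (-not $target) {
    Write-Warning "Build $build.$ubr ($($os.Caption)) is not in the article's list."
    return
}

# BitLocker: list recovery-password protector IDs only, never the passwords themselves.
$recoveryIds = @()
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $recoveryIds = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object KeyProtectorId)
}

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    OS                  = $os.Caption
    CurrentBuild        = "$build.$ubr"
    RequiredKB          = $target.KB
    RequiredBuild       = "$($target.Build).$($target.UBR)"
    AtOrAboveOobBuild   = ($ubr -ge $target.UBR)
    IsDomainController  = ($os.ProductType -eq 2)   # 2 = domain controller
    BitLockerProtection = if ($vol) { "$($vol.ProtectionStatus)" } else { 'n/a' }
    RecoveryKeyIds      = $recoveryIds -join ', '
}
```

Run it in an elevated session, and match the reported recovery key IDs against the keys held in your escrow before rebooting.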
These out-of-band releases underscore the severity of the issues introduced by the April 2026 security updates and the importance of thorough testing before deploying patches in enterprise environments.