PSA: Domain controllers may restart repeatedly after installing April security update
Posted by AspiringTechGuru@reddit | sysadmin | 82 comments
This was sent via email from the Windows release health subscription; be careful with the latest update on domain controllers.
———
Domain controllers may restart repeatedly after installing April security update
Status: Confirmed

Affected platforms

| Server Versions | Message ID | Originating KB | Resolved KB |
|---|---|---|---|
| Windows Server 2025 | WI1282748 | KB5082063 | - |
| Windows Server 2022 | WI1282749 | KB5082142 | - |
| Windows Server 2019 | WI1282750 | KB5082123 | - |
| Windows Server 2016 | WI1282751 | KB5082198 | - |
After installing the April 2026 Windows security update (the Originating KBs listed above) and rebooting, non‑Global Catalog (non‑GC) domain controllers (DCs) in environments that use Privileged Access Management (PAM) might experience LSASS crashes during startup. As a result, affected DCs may restart repeatedly, preventing authentication and directory services from functioning, and potentially rendering the domain unavailable.
In some environments, this issue can also occur when setting up a new domain controller, or on existing DCs if authentication requests are processed very early during startup.
Note: This issue affects Windows Server only. It does not impact consumer PCs or personal devices. The scenario is unlikely to be observed on individual-use devices that are not managed by an IT department.
Workaround: IT administrators can reach out to Microsoft Support for business to access a mitigation. This mitigation can be applied to devices that already have installed the April 2026 update or prior to installing it.
Resolution: Microsoft is working to address this issue and will release a resolution in the coming days.
Affected versions:
Client: None
Server: Windows Server 2025; Windows Server 2022; Windows Server, version 23H2; Windows Server 2019; Windows Server 2016
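To see whether any of your own DCs match the advisory's conditions (a non-GC DC with one of the originating KBs installed, in a forest where the PAM optional feature is enabled), here is an added PowerShell check that is not from the advisory or the thread. It assumes the RSAT ActiveDirectory module, rights to query every DC in the forest, and remote WMI access for Get-HotFix; the KB numbers are taken from the table above.

```powershell
# Added example; not from the Microsoft advisory or the thread. Assumes the RSAT
# ActiveDirectory module, rights to query every DC, and WMI access for Get-HotFix.
Import-Module ActiveDirectory

# Originating KBs from the advisory table; the feature name is the AD optional
# feature that MIM PAM turns on in the forest.
$originatingKbs = 'KB5082063', 'KB5082142', 'KB5082123', 'KB5082198'
$pamFeatureName = 'Privileged Access Management Feature'

$forest = Get-ADForest
$pam = Get-ADOptionalFeature -Filter "Name -eq '$pamFeatureName'"
$pamEnabled = [bool]($pam -and $pam.EnabledScopes.Count -gt 0)
"Domains in forest: $($forest.Domains.Count); PAM optional feature enabled: $pamEnabled"

# List every DC in the forest that is NOT a Global Catalog and report whether one
# of the originating KBs is already installed on it.
$forest.Domains | ForEach-Object {
    $domain = $_
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { -not $_.IsGlobalCatalog } |
        ForEach-Object {
            $dc = $_
            $installed = @()
            try {
                $installed = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                    Where-Object { $originatingKbs -contains $_.HotFixID } |
                    Select-Object -ExpandProperty HotFixID
            } catch {
                Write-Warning "Could not query hotfixes on $($dc.HostName): $($_.Exception.Message)"
            }
            [pscustomobject]@{
                DomainController = $dc.HostName
                Domain           = $domain
                OS               = $dc.OperatingSystem
                IsGlobalCatalog  = $dc.IsGlobalCatalog
                AffectedKB       = ($installed -join ', ')
                # Matches the advisory's conditions: non-GC DC + affected KB + PAM in use
                AtRisk           = ($pamEnabled -and @($installed).Count -gt 0)
            }
        }
} | Format-Table -AutoSize
```

GC DCs are skipped on purpose because the advisory scopes the crash to non-GC DCs; the domain count is printed because a later comment in the thread notes the issue was narrowed further to forests with multiple domains.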
youcomp@reddit
Getting the incorrect password error for both DC admin and local admin 🤦🏻
AspiringTechGuru@reddit (OP)
Did you make sure you didn’t have any more RC4 usage in your environment? Not sure if this is related to your scenario but worth reading if you haven’t yet: Kerberos and the End of RC4
rhapcity@reddit
Satya Nadella: "I vibe coded the April 2026 CUs using Copilot and just laid off a few thousand developers."
TheGreatAutismo__@reddit
~~Satya Nadella~~
Slopya Nutella FTFY
disclosure5@reddit
What on earth is this nonsense. If you have a mitigation how is it not published. I know someone's going to say "it's not tested" but it's not like Microsoft's published updates ever are.
shunny14@reddit
My theory is they were trying to patch a vulnerability and it caused this issue. Providing the mitigation publicly might open the vulnerability up again which would be quite sensitive for some domain controllers.
_nikkalkundhal_@reddit
This really makes sense. So until now there is no update or information from Microsoft, I believe. All my searches lead to this Reddit thread.
mrcomps@reddit
If Microsoft randomly released tested and untested updates, would anyone even be able to tell the difference?
IfBooTFitz@reddit
If they deprecate but don't kill off the product and they only test in supported products and environments, are they really testing?
sevivi@reddit
If Microsoft tests in the woods and no one can hear it, did they really test?
NaturalIdiocy@reddit
Unintended AD Forest joke
retardrabbit@reddit
I'll go ask the Pope Bear.
Pazuuuzu@reddit
Easy, the untested ones won't cause any issues since they even fail to install
Gabelvampir@reddit
I thought the updates release to the general public was an integral part of their testing process?
tastyratz@reddit
The customer scream test is much cheaper than a full QA team :)
Agitated_Blackberry@reddit
It’s probably a known issue rollback (KIR), which selectively disables whatever is causing the negative behavior and is quicker for them to deploy than a hotfix: https://learn.microsoft.com/en-us/troubleshoot/windows-server/installing-updates-features-roles/known-issue-rollback
disclosure5@reddit
So put the KIR on the webpage rather than having people fill in a form and waste a support engineer's time.
admlshake@reddit
I'd bet money they have some sort of CoPilot agent handling the majority of this.
Leather_Animal_1142@reddit
An internal team needs to juice the copilot usage metrics so everyone is funneled into it.
ErikTheEngineer@reddit
I think the main difference here is that Microsoft patches used to be quite solid and KIRs were pretty rare. Now that they don't QA things anymore, or are having Copilot do it, more of these are going to pop up so hopefully they'll make them more generally available.
There was an AskReddit thread about why the government of France is switching to Linux wherever it can, and honestly I would say quality would be a bigger driver than worrying about data sovereignty. When you released a boxed product, it had to work right or be patchable...Windows as a service can have its problems hidden behind an API in Azure.
whatsforsupa@reddit
They forgot to tell Copilot to "make no mistakes" on this patch :(
VexingRaven@reddit
This is so weird to me because when I talked to Aria Carley about KIR at MMS a few years ago, the impression I got was that KIR was meant to be automatically applied to all affected systems by Microsoft through a faster channel than Windows Update. But here we are a few years later and you have to get it from support?
Zoddo98@reddit
Depends. KIR can be enabled remotely through telemetry, but also individually using a GPO/Registry key.
Mr_ToDo@reddit
Could also be that there are use cases that would cause more issues. I doubt it be a collection of different fixes for different setups, but I suppose it could be.
Obviously it'd still be nice to at least have the option to grab the stuff. I'd kind of hope that it's only a problem for suck-it-and-see IT (guess it could happen when they just pass the patch to someone without warning, but that's true here too).
Pilebsa@reddit
The mitigation is probably removal of the patch.
Long_Inflation_7524@reddit
Call and get bounced around between their sweatshop call centers for a few hours 🙄 Nice fix, Microsoft.
OutlandishnessSea854@reddit
Yes, this is really a problem you can run into after the update. I would definitely recommend talking to Microsoft support for a solution. And if you aren't already, vanrosmalenautomatisering.nl can help with this kind of situation; their support is pretty good!
topher358@reddit
Good thing all my DCs are global catalog servers!
Kardinal@reddit
I have never understood a use case in which this is not the right configuration.
ErikTheEngineer@reddit
RODCs or Windows 2000-era bandwidth limitations. 128K leased lines were quite common and the AD replication algorithm is super chatty, so if you have a huge directory saving the overhead of a GC would have helped.
admiraljkb@reddit
Yeah. One GC per major site back in the olden days... Back when dinosaurs roamed the earth and 64k WAN links were considered OK, and 128K was good. 😆 Been there. Can't believe all the stuff we got working back then with so little. My current job still holds to the one GC per site, and has no clue why. Just that "that's the way it's supposed to be", and I can't talk them out of it. Not my department though, so c'est la vie.
Ron-Swanson-Mustache@reddit
I remember those days. I worked in a 250,000 square foot electronics manufacturing plant with about 2,000 employees. We had 2 bonded T1s for everything and it was amazing to use the web at work.
But yeah, most tech was designed with the idea of limiting the need to use live data.
menace323@reddit
Read-only DCs helped with physical security and reducing that risk, such as if physical disks were stolen or you couldn't trust a hypervisor.
But today we can usually just encrypt everything, so physically having the server or the disks doesn't help. Most hypervisors have options to protect a virtual DC and its state.
w1ten1te@reddit
RODC and GC are not mutually exclusive
menace323@reddit
True, I have a single level domain, not large forest.
dirmhirn@reddit
A RODC can have GC too or?
zero0n3@reddit
Literally got off a call with an MS engineer recently (large multi-forest environment, with over 1000 DCs) and this is basically their recommendation these days.
Zero reason in 2026 to ever bother with the headaches of a poorly or incorrectly deployed RODC.
loupgarou21@reddit
I do have a vendor pushing us to roll out an RODC. The scope of work states they'll set up SAML, but apparently they're running into issues with getting their software to work with SAML, and want us to use LDAP instead, and want us to roll an RODC specifically for them to use LDAP against.
We have declined their request
ocdtrekkie@reddit
"Just don't bother with MFA, it's fine."
SAML or refund, IMHO.
Turbulent-Boat-1835@reddit
Hmm we think we have a use case for a RODC, we have limited traffic from a webserver that has to be domain joined to only that RODC, is this bad design?
Kuipyr@reddit
A DMZ Forest would be better, RODCs are only for physical security. Really you shouldn’t have any application webservers requiring AD anyways.
Turbulent-Boat-1835@reddit
I will look into DMZ forest instead thank you, we got into this idea from this article:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd728035(v=ws.10)?redirectedfrom=MSDN
The vendor requires it to be domain joined unfortunately, business critical software that we can't veto
Kuipyr@reddit
I feel your pain, I’ve been stopped from moving all client machines to Entra only due to a desktop application requiring machine auth. If you have any pull with the vendor I would try to get them to use SAML instead.
topher358@reddit
I mean their own official SOP says to make every DC a global catalog server in a single domain forest which covers most environments outside of the huge ones…
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/planning-global-catalog-server-placement
disclosure5@reddit
It used to be that the recommendation was all the Operations Masters, or FSMO Roles as we called them, went on the one server which was not a GC.
Kaligraphic@reddit
That's only the Infrastructure Master, because it handles cross-domain references, and only if there are some DCs that are not GCs. Also, that role only matters in multi-domain environments, so if you only have one domain in your environment, the Infrastructure Master does SFA anyway. Just make all DCs GCs as well. It's not worth the hassle to get fancy here.
Ron-Swanson-Mustache@reddit
I'm currently running multiple domains (thanks to needing to run old ERP software from a company we bought) and I still run Infrastructure Master on a GC.
RobieWan@reddit
Same here!!
Master-IT-All@reddit
That was my thinking too.
Darkk_Knight@reddit
Thanks for the heads up. I'll make sure I don't run the updates on my three DCs running 2019 just yet. Hopefully Microsoft pulled the updates.
moffetts9001@reddit
Are your three DCs not global catalog servers and do you use PAM?
Darkk_Knight@reddit
The biggest hiccup is if you use PAM. I don't use it so it *shouldn't* have an impact but given so many screw ups with Microsoft lately I'll wait a bit before applying the updates.
Fabulous_Cow_4714@reddit
Isn’t it also not just any PAM, but limited specifically to MIM PAM?
In that case, the issue should be very rare.
moffetts9001@reddit
Not a bad idea. MS has squeaked out some real winners lately.
sfc_scannow@reddit
Joke's on them, all my DCs are still on 2012
MairusuPawa@reddit
Joke's on them, absolutely no one in my company uses any Microsoft stack.
arsonislegal@reddit
If it ain't broke!
Bad_Idea_Hat@reddit
...don't break it worse?
TwoKayYeti@reddit
Hear hear
DeadStockWalking@reddit
Dude, you left off REALLY important information.
"in environments with multiple domains in the forest that use Privileged Access Management"
AspiringTechGuru@reddit (OP)
I copy-pasted the published message; the original one did not include that part. They seem to have narrowed down the issue further, which is good.
Layer_3@reddit
Microslop!
narcissisadmin@reddit
Yikes.
Fallingdamage@reddit
Microsoft just keeps reaffirming why I have updates set to apply 30 days late. Unless I manually push an update to our server, they will not apply any monthly CUs until the following month. Always safe to hang back a month and wait for the rest of the community to beta test updates for us.
Method hasn't let us down in 10 years.
badassitguy@reddit
Where do you get on this mailing list?
AspiringTechGuru@reddit (OP)
I actually forgot where I configured the notifications, but I’m 90% sure it’s under the health section in the Microsoft Admin Center. Tomorrow I can check exactly where they are if it’s not there
MapleJacko@reddit
I think it's this? - Windows release health - Microsoft 365 admin center
AspiringTechGuru@reddit (OP)
Yes, that's exactly it! Also the link to open the preferences directly: Windows release health preferences. For Windows clients you can expect to see issues from printing to BitLocker screens activating randomly.
tagging everyone who asked: u/badassitguy u/iamtherufus u/iamLisppy u/xplorerex u/Fluffy_Guard8157 u/absoluteczech u/peraving
peraving@reddit
Same… would appreciate knowing
iamLisppy@reddit
Commenting to know myself!
xplorerex@reddit
Same
Fluffy_Guard8157@reddit
Same
iamtherufus@reddit
Thanks for this appreciate it
absoluteczech@reddit
Following
Tatzlord@reddit
M365 Admin Center => Windows release health => Preferences
xxdcmast@reddit
The non global catalog dc part makes this non-applicable to 99% of environments. Pretty much everyone deploys every DC as a GC.
But still wtf Microsoft.
nofate301@reddit
71 is from Euphoria, I believe
xplorerex@reddit
We didn't have any of these issues on any of our DCs, good to know though.
kerubi@reddit
I’m sure I have never touched a production non-GC-DC. Maybe some DC in a recovery situation.
CallusC4@reddit
You find the official information about the KIR here
Windows Server 2022 known issues and notifications | Microsoft Learn
New-Alfalfa-2989@reddit
jfc can we have one CU that works properly for once?
scriptmonkey420@reddit
I am so glad I don't have to directly deal with MS updates anymore.