
Microsoft Confirms Windows Server 2025 Domain Controllers Enter Reboot Loops After April 2026 Patch

dark6 25 April 2026

Microsoft has officially confirmed a critical known issue affecting Windows Server 2025 domain controllers following the deployment of the April 2026 Patch Tuesday cumulative update, KB5082063. Affected servers are entering repeated reboot loops after installation, creating severe disruption for enterprise environments that depend on Active Directory services for authentication, authorization, and resource access.

What Is Happening

The cumulative update KB5082063 (OS Build 26100.32690), released on April 14, 2026, is the standard monthly security update for Windows Server 2025. It bundles the latest security fixes alongside non-security improvements from March’s optional preview release. However, following deployment, a confirmed subset of Windows Server 2025 systems running as Active Directory Domain Controllers (DCs) are failing to complete the reboot cycle and instead entering continuous restart loops.

The issue is compounded by a second failure mode: some Windows Server 2025 systems fail to install the update at all, returning error code 0x800F0983 during installation. Between reboot loops where the update installs and installation failures where it does not, administrators are left with few clean outcomes, and significant operational work either way.

BitLocker Recovery Mode Risk

Microsoft has also warned of a related issue affecting devices with non-standard BitLocker Group Policy configurations: after KB5082063 is installed, these systems may boot into BitLocker recovery and demand the recovery password. If the recovery keys are not escrowed somewhere reachable from outside the server (Active Directory or Microsoft Entra ID, formerly Azure AD, are the usual stores), the server stays inaccessible until a key is located, a business-critical situation on a domain controller or file server. On a domain controller this can be self-defeating: if the only copy of the key lives in Active Directory and the affected DC is the only one serving the domain, the key cannot be retrieved from AD while that DC is down.

Before applying the April 2026 update to any server, domain controller or not, administrators should confirm that every BitLocker recovery key for that server is documented and retrievable from a location that does not depend on the server itself.
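The check described above, as an added example that is not code from the article or from Microsoft: for every Windows Server 2025 domain controller it lists the BitLocker recovery-password protectors, adds one to any encrypted volume that only has a TPM protector, escrows missing protectors into the DC's own computer object in AD DS, and writes an offline copy for the case where the DC (and with it AD) is unreachable. It assumes the ActiveDirectory and BitLocker PowerShell modules, WinRM access to each DC, rights to write msFVE-RecoveryInformation objects, and a restricted share for the offline copy; the share path is an assumption.

```powershell
# Added example (not from the article or Microsoft): inventory, escrow and offline-copy
# BitLocker recovery passwords for every Windows Server 2025 domain controller.
# Assumptions: ActiveDirectory + BitLocker modules, WinRM to each DC, write rights on the
# DC computer objects, and a locked-down share for the offline CSV (path is made up).
$OfflineCopy = '\\backup01\bitlocker-escrow\dc-recovery-keys.csv'   # assumed; restrict ACLs

$dcs = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -like 'Windows Server 2025*' }

$report = foreach ($dc in $dcs) {
    # Collect (and if necessary create) recovery-password protectors on the DC itself.
    $protectors = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        foreach ($vol in Get-BitLockerVolume) {
            if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to escrow
            $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
            if (-not $rp) {
                # A TPM-only volume cannot be unlocked in recovery; give it a 48-digit password.
                Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
                $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                      Where-Object KeyProtectorType -eq 'RecoveryPassword'
            }
            foreach ($p in $rp) {
                [pscustomobject]@{
                    MountPoint       = $vol.MountPoint
                    KeyProtectorId   = $p.KeyProtectorId      # '{GUID}'; also the CN suffix in AD
                    RecoveryPassword = $p.RecoveryPassword
                }
            }
        }
    }

    # What AD already holds: msFVE-RecoveryInformation children of the DC's computer object.
    $escrowed = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                             -SearchBase $dc.ComputerObjectDN -SearchScope OneLevel

    foreach ($p in $protectors) {
        $inAd = [bool]($escrowed | Where-Object { $_.Name -like "*$($p.KeyProtectorId)*" })
        if ($inAd) {
            $state = 'present'
        } else {
            # Escrow into AD DS now; computer objects may write this class for themselves by default.
            Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
                param($mp, $id)
                Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $id
            } -ArgumentList $p.MountPoint, $p.KeyProtectorId
            $state = 'escrowed-now'   # re-run the script to confirm it landed in AD
        }
        [pscustomobject]@{
            DC               = $dc.HostName
            Site             = $dc.Site
            MountPoint       = $p.MountPoint
            KeyProtectorId   = $p.KeyProtectorId
            RecoveryPassword = $p.RecoveryPassword
            EscrowInAD       = $state
        }
    }
}

# Console view without the secrets; the CSV is the offline copy and must be protected.
$report | Select-Object DC, Site, MountPoint, KeyProtectorId, EscrowInAD | Format-Table -AutoSize
$report | Export-Csv -Path $OfflineCopy -NoTypeInformation
```

The CSV contains live recovery passwords, so it belongs on encrypted, access-controlled storage that is reachable without Active Directory; that reachability is the whole point when the DC holding the keys is the server that is down. Backup-BitLockerKeyProtector needs the BitLocker schema attributes in AD DS (present in every supported forest) and is blocked by a Group Policy that forbids AD backup, so a failed escrow should be investigated rather than ignored.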

Affected Systems

The confirmed affected configuration is:

  • Operating System: Windows Server 2025
  • Role: Active Directory Domain Controller
  • Update: KB5082063 (OS Build 26100.32690, April 2026 Patch Tuesday)

Microsoft has not yet confirmed whether the issue affects Windows Server 2025 systems in other roles (non-DC), but IT administrators are urged to exercise caution across all Server 2025 deployments until more information is available.

Recommended Workarounds

Microsoft has provided the following guidance while a permanent fix is developed:

  • Pause deployment on domain controllers: Do not apply KB5082063 to any Windows Server 2025 domain controllers until Microsoft releases a resolution. Use Windows Update for Business, WSUS, or your preferred patch management solution to defer this update on DC systems.
  • Boot into DSRM for recovery: If a domain controller has already entered a reboot loop, booting into Directory Services Restore Mode (DSRM) has been reported as functional and can serve as a recovery path.
  • Uninstall the update: Uninstalling KB5082063 from affected systems has been confirmed to resolve the reboot loop and allow normal operation to resume. This can be done from DSRM (against the running OS) or from the Windows Recovery Environment (WinRE) against the offline image; because the monthly update is a combined SSU and LCU package, remove the LCU with DISM /Remove-Package and its package name rather than with wusa.
  • Document BitLocker keys: Before applying any April 2026 patches, ensure all BitLocker recovery keys for server systems are accessible offline and documented in a secure location.
  • Monitor the health dashboard: Microsoft is actively updating the Windows Server 2025 release health dashboard with real-time status on this issue. IT teams should monitor this dashboard closely.
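The deferral and recovery steps above, as an added example that is not code from the article or from Microsoft. Part 1 runs from an administrative workstation: it lists Windows Server 2025 domain controllers, flags any that already carry KB5082063, and sets a quality-update deferral policy on the rest so Windows Update or Windows Update for Business stops offering it. Part 2 is typed on a DC that is already looping, from the WinRE command prompt, and removes the LCU from the offline image with DISM. The 30-day deferral, the D: drive letter that WinRE usually assigns to the installed OS volume, and the scratch directory are assumptions to verify before running.

```powershell
# Added example (not from the article or Microsoft).
# Part 1: inventory Server 2025 DCs and defer quality updates on those without KB5082063.
# Part 2: on a looping DC, remove the LCU offline from WinRE with DISM.
# Assumptions: ActiveDirectory module, WinRM to each DC, 30-day deferral, OS volume at D:\.

# ----- Part 1: inventory and deferral (admin workstation) -----
$Kb  = 'KB5082063'
$dcs = Get-ADDomainController -Filter * |
       Where-Object { $_.OperatingSystemVersion -like '*26100*' }   # Server 2025 build line

$status = foreach ($dc in $dcs) {
    $installed = Get-HotFix -Id $Kb -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    if (-not $installed) {
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            # Registry side of the GPO "Select when Quality Updates are received".
            # A domain GPO that sets these values will overwrite them at the next refresh.
            $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name DeferQualityUpdates             -Value 1  -Type DWord
            Set-ItemProperty -Path $key -Name DeferQualityUpdatesPeriodInDays -Value 30 -Type DWord
        }
    }
    [pscustomobject]@{
        DC          = $dc.HostName
        Site        = $dc.Site
        Build       = $dc.OperatingSystemVersion
        HasKB       = [bool]$installed
        InstalledOn = $installed.InstalledOn
    }
}
$status | Format-Table -AutoSize

# WSUS-managed DCs ignore the deferral policy; decline the update on the WSUS server instead
# (UpdateServices module, run on the WSUS host):
#   Get-WsusUpdate -Approval AnyExceptDeclined |
#       Where-Object { $_.Update.KnowledgebaseArticles -contains '5082063' } | Deny-WsusUpdate

# ----- Part 2: recovering a DC that is already looping (WinRE) -----
# In WinRE: Troubleshoot > Advanced options > Command Prompt, then run powershell.exe.
# Confirm which letter holds the installed OS before touching anything:  dir D:\Windows\servicing
# Find the LCU for build 26100.32690 in the offline image.
$pkg = (dism.exe /Image:D:\ /Get-Packages /Format:Table) |
       Where-Object { $_ -match 'Package_for_RollupFix.*26100\.32690' } |
       ForEach-Object { ($_ -split '\s+')[0] } | Select-Object -First 1
if (-not $pkg) { throw 'KB5082063 LCU not found in the D:\ image; check the drive letter.' }

# Remove it offline. The WinRE RAM disk is small, so give DISM scratch space on the OS disk.
New-Item -ItemType Directory -Path D:\DismScratch -Force | Out-Null
dism.exe /Image:D:\ /Remove-Package "/PackageName:$pkg" /ScratchDir:D:\DismScratch

# Alternative when DSRM still boots: from the WinRE cmd prompt force one DSRM boot with
#   bcdedit /set {default} safeboot dsrepair
# log in as .\Administrator with the DSRM password, run the same DISM commands with
# /Online in place of /Image:D:\, then clear the flag:  bcdedit /deletevalue {default} safeboot
```

DISM prints the package identity in the first column of /Get-Packages output, which is why the script splits each matching line on whitespace and takes the first token. Expect the offline removal to take a long time on a DC with a large component store; do not interrupt it. The DSRM route only works if the DSRM password is known, which is a good reason to verify it (ntdsutil "set dsrm password") on every DC before patch day.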

Operational Impact

Domain controllers running Windows Server 2025 are typically core infrastructure components in enterprise Active Directory environments. A reboot loop on a DC can disrupt authentication for domain-joined machines in the affected site, prevent Group Policy from being applied, interrupt LDAP and Kerberos services, and impact any service that relies on AD-integrated authentication. If the looping DC holds FSMO roles, in particular the PDC emulator, time synchronization and password-change handling for the domain are affected as well. Domain-joined clients will locate another DC if one is reachable, so organizations with few DCs, or a single DC, are at particular risk of a complete authentication outage.

The Patching Dilemma

This incident highlights an increasingly common tension in enterprise security: the pressure to patch quickly to address actively exploited vulnerabilities (such as this month's SharePoint zero-day CVE-2026-32201) versus the operational risk of deploying patches that introduce critical stability issues. Security teams should coordinate with IT operations and change management on a risk-balanced response: apply the SharePoint fix on the application servers that need it, and hold the domain controller update until Microsoft issues a corrected package.

Conclusion

Microsoft’s April 2026 cumulative update for Windows Server 2025 has introduced a serious known issue that can render domain controllers unusable. Organizations should immediately pause deployment of KB5082063 on all domain controller systems, ensure recovery paths (DSRM access, BitLocker keys) are prepared, and monitor Microsoft’s official health dashboard for the forthcoming fix. The situation underscores the importance of staged patching strategies and comprehensive rollback planning in enterprise environments.
