
Microsoft Addresses Reboot Loop Issue on Windows Servers After April Patches


Microsoft Addresses Issues with Windows Server 2025 Domain Controllers Following April 2026 Update

Microsoft has confirmed a significant known issue impacting Windows Server 2025 domain controllers following the deployment of the April 2026 cumulative update, known as KB5082063, which was released on April 14, 2026. Administrators have reported that affected domain controllers are stuck in a cycle of repeated restarts. Additionally, a separate, related issue has surfaced, leading to BitLocker recovery prompts on enterprise-managed systems post-update.

Reboot Loop Dilemma

The April 2026 Patch Tuesday update, KB5082063, is part of Microsoft’s routine monthly security release. This particular update includes critical fixes for Kerberos authentication, Secure Boot certificate handling, Remote Desktop phishing protections, and hardening for Windows Deployment Services, all in response to the vulnerability known as CVE-2026-0386. However, shortly after the update was installed, system administrators began observing that domain controllers were entering endless reboot loops.

In response, Microsoft issued a service alert acknowledging the problem and specified that the affected group is “limited, not universal.” However, the details surrounding this issue have raised concerns among IT departments, particularly given that error code 0x800F0983 has been reported by several servers, preventing the successful application of KB5082063.

Currently, Microsoft is engaged in monitoring diagnostic data to ascertain the underlying cause of these problems but has yet to provide a comprehensive engineering explanation.

BitLocker Recovery Complications

The update has also caused a secondary problem: BitLocker recovery prompts on systems that meet specific criteria. The condition arises in environments where BitLocker is enabled on the operating system drive and the Trusted Platform Module (TPM) validation policy includes PCR7. In addition, users encounter the prompts when System Information reports the Secure Boot State PCR7 Binding as “Not Possible”.

Microsoft has emphasized that this complication is primarily confined to enterprise IT-managed environments, posing a low risk to consumer devices. Typically, users must enter recovery keys only once if the policy configuration remains unchanged. However, this situation does impose a serious operational risk for remotely managed servers, particularly in "lights-out" environments where access to recovery keys has not been pre-staged.

The reboot loop and BitLocker issues impact all editions of Windows Server 2025 running on OS Build 26100.32690. Microsoft has officially acknowledged the domain controller restart loop as a known issue in the KB5082063 release documentation. It has also noted a limitation in which WSUS does not display synchronization error details; this limitation was implemented after KB5070881 to address a separate RCE vulnerability.

Recommended Protocols for Administrators

In light of the challenges posed by this update, Microsoft is advising security teams and server administrators to take proactive measures. Among the recommended actions are:

  1. Pause Broad Rollout: It is prudent to halt the widespread deployment of this update across production Windows Server 2025 systems if multiple failures are being observed.

  2. Collect BitLocker Recovery Keys: Administrators should ensure they have collected the necessary BitLocker recovery keys before attempting further reboots on any encrypted systems.

  3. Conduct Event Viewer Checks: Utilizing the Event Viewer to examine the logs under WindowsUpdateClient > Operational can yield exact failure codes and timestamps, which are vital for troubleshooting.

  4. Run DISM Repair: If component store corruption is suspected, running DISM /Online /Cleanup-Image /RestoreHealth together with the System File Checker command sfc /scannow could be necessary.

  5. Avoid Multiple Install Attempts: Administrators are advised against making repeated install attempts across the production environment without first triaging a representative system.
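
The checks in steps 2, 3 and 5 can be gathered in one read-only pass on a representative server before any further reboot. The PowerShell below is an added example, not a Microsoft script or part of the original article; it assumes an elevated session, the BitLocker module being installed, and English manage-bde output with the PCR list on or just after the "PCR Validation Profile" line.

```powershell
# Added example: read-only pre-reboot triage for one representative server.
# Nothing here installs, repairs or reboots. Run from an elevated session.
$kb         = 'KB5082063'      # update named in the article
$affectedOs = '26100.32690'    # OS build named in the article

# OS build as <build>.<UBR>, read from the registry
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR

# DomainRole 4 and 5 mean backup and primary domain controller
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# BitLocker state of the OS volume and any recovery-password protectors
$osVol    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$recovery = @($osVol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')

# PCR validation profile as printed by manage-bde (assumption: English output)
$m = manage-bde -protectors -get $env:SystemDrive |
    Select-String 'PCR Validation Profile' -Context 0,2 |
    Select-Object -First 1
$pcrText  = if ($m) { (@($m.Line) + $m.Context.PostContext) -join ' ' } else { '' }
$usesPcr7 = $pcrText -match '(^|[^\d])7([^\d]|$)'

# Error-level Windows Update client events that mention the update
$failures = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'
        Level   = 2
    } -ErrorAction SilentlyContinue |
    Where-Object Message -like "*$kb*" |
    Select-Object -First 5 TimeCreated, Id, Message)

# Summary; only protector IDs are shown, never the recovery password itself
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    OsBuild             = $build
    BuildNamedInArticle = ($build -eq $affectedOs)
    DomainController    = $isDc
    BitLockerOn         = ($osVol.ProtectionStatus -eq 'On')
    RecoveryProtectorId = ($recovery.KeyProtectorId -join ',')
    Pcr7InProfile       = $usesPcr7
    UpdateErrorEvents   = $failures.Count
}
$failures | Format-List TimeCreated, Id, Message
```

A server that reports BitLockerOn and Pcr7InProfile as True with an empty RecoveryProtectorId, or with an ID that cannot be matched to an escrowed key, should not be rebooted until the key is staged.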

As of April 17, 2026, Microsoft has not issued any out-of-band fix for the reboot loop, but the company continues to monitor diagnostic telemetry and has committed to providing further updates through the Windows Release Health Dashboard and official support channels.

Organizations that rely on Windows Server 2025 for critical business operations are urged to postpone any non-urgent patching until Microsoft offers a confirmed resolution pathway. Given the nature of these complex issues, administrators must remain vigilant and prepared to implement recommended measures to mitigate any operational risks posed by the update.
