KB5091571: Overview with user sentiment and feedback

Last Updated May 29, 2026

Probability of successful installation and continued operation of the machine: 75%

Overview

KB5091571 is an out-of-band cumulative security update released on April 19, 2026, for Windows Server, version 23H2 (OS Build 25398.2276). This emergency patch was issued to address critical issues that emerged following the April 14, 2026 security update (KB5082060). The update represents Microsoft's response to a significant stability issue affecting domain controller infrastructure in multi-domain forest environments, particularly those utilizing Privileged Access Management (PAM) capabilities.

As an out-of-band release, this update falls outside the standard monthly patch cycle, indicating the severity and urgency of the issues being addressed. The patch includes a combined servicing stack update (KB5086285 - version 25398.2273) alongside the cumulative update, ensuring both the update delivery mechanism and the operating system receive necessary improvements. Organizations running Windows Server 23H2 in production environments, especially those with complex Active Directory deployments, should treat this update as a priority remediation effort.

General Purpose

This out-of-band update addresses a critical regression introduced in the previous April security update that caused domain controller failures in specific configurations. The primary purpose of KB5091571 is to resolve startup issues affecting domain controllers in multi-domain forests configured with Privileged Access Management (PAM). The previous update caused scenarios where the Local Security Authority Subsystem Service (LSASS) would stop responding, resulting in repeated system restarts that prevented authentication services and directory services from functioning, effectively rendering affected domains unavailable.

Beyond the domain controller fix, the update includes a servicing stack improvement (KB5086285) that enhances the robustness and reliability of the Windows update installation mechanism itself. Additionally, the patch addresses a Remote Code Execution vulnerability (CVE-2025-59287) related to Windows Server Update Services (WSUS) error reporting functionality, which has been temporarily modified to prevent exploitation. The cumulative nature of this update means it incorporates all previous fixes from earlier updates, ensuring comprehensive protection for systems that may have missed prior patches.

General Sentiment

The sentiment surrounding KB5091571 is necessarily cautious due to its nature as an emergency out-of-band release addressing a regression from the immediately preceding update. While the patch is essential for organizations experiencing domain controller failures, the very fact that it was needed highlights a quality assurance concern with the April 14 update. However, Microsoft's swift response to identify and remediate the issue demonstrates appropriate incident response procedures.

For organizations not affected by the specific domain controller PAM issue, the update presents a more routine maintenance scenario. The inclusion of security fixes, particularly the CVE-2025-59287 remediation, supports installation from a security posture perspective. The known issue regarding WSUS error reporting represents a trade-off where functionality has been deliberately reduced to address a critical vulnerability, which is a reasonable security-first approach. IT professionals should view this update as necessary but should also implement staged deployment strategies to validate compatibility within their specific environments before broad rollout, given the recent history of issues with the preceding patch.

Known Issues

  • Domain controller startup failures (now fixed): Multi-domain forest domain controllers using Privileged Access Management (PAM) experienced startup issues after the previous update, with Local Security Authority Subsystem Service (LSASS) stopping and causing repeated restarts that prevented authentication and directory services from functioning
  • WSUS error reporting limitation: Windows Server Update Services does not display synchronization error details in error reporting after installing KB5070879 or later updates; this functionality has been temporarily removed to address the Remote Code Execution vulnerability CVE-2025-59287
  • Limited uninstall capability: The Servicing Stack Update (SSU) component cannot be removed from the system after installation; only the Cumulative Update (LCU) can be removed using DISM commands
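
A post-install check that a pilot-ring server could run before broader rollout, given here as an added example (not Microsoft's or this site's code). It uses the build number stated on this page; the package-name prefixes, the event IDs and the 24-hour window are assumptions based on general Windows behavior.

```powershell
#Requires -RunAsAdministrator
# Added example: post-install check for a pilot-ring server (not Microsoft's script).
$ExpectedBuild = [version]'25398.2276'   # OS build this page gives for KB5091571
$LookbackHours = 24                      # assumption: review window after the reboot

# 1. Running build = CurrentBuild.UBR from the registry.
$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$running = [version]('{0}.{1}' -f $cv.CurrentBuild, $cv.UBR)
$buildOk = $running -ge $ExpectedBuild

# 2. Locate the LCU and SSU packages. The name prefixes are the usual servicing
#    names (assumption, not stated on the page); confirm against your package list.
$pkgs = Get-WindowsPackage -Online
$lcu  = $pkgs | Where-Object { $_.PackageName -like "Package_for_RollupFix*~~$ExpectedBuild.*" }
$ssu  = $pkgs | Where-Object { $_.PackageName -like 'Package_for_ServicingStack*' }

# 3. Signs of the regression described above: LSASS failure followed by restarts.
#    Wininit 1015 = critical process failed; EventLog 6008 = unexpected shutdown.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 1015, 6008; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 6008 -or $_.Message -match 'lsass\.exe' }

# 4. One summary object per server, easy to collect across the pilot ring.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    RunningBuild   = $running
    BuildOk        = $buildOk
    LcuPackage     = $lcu.PackageName
    LcuState       = $lcu.PackageState
    SsuPackages    = ($ssu.PackageName -join '; ')
    LsassOrRestart = @($events).Count
}

# 5. Rollback path: only the LCU can be removed. Print the command, do not run it.
if ($lcu) {
    "To roll back the LCU: Remove-WindowsPackage -Online -PackageName '$($lcu.PackageName)'"
}
```

A non-zero `LsassOrRestart` count on a domain controller after the update is the signal to hold the rollout and investigate before moving to the next ring.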

Disclaimer: We take measures to ensure that AI-generated content is of the highest possible quality, but we cannot guarantee its accuracy and recommend that users do their own independent research. Generated on 2026-05-29 07:15 PM
