KB5091571: Overview with user sentiment and feedback
Last Updated April 24, 2026
Overview
KB5091571 is an out-of-band cumulative update released on April 19, 2026, for Windows Server, version 23H2 (OS Build 25398.2276). This update was specifically released to address critical issues that emerged following the April 14, 2026 security update (KB5082060). The patch represents Microsoft's response to a significant problem affecting domain controller infrastructure in multi-domain forest environments, particularly those utilizing Privileged Access Management (PAM) features.
This out-of-band release demonstrates the importance of rapid response patching when critical infrastructure components are affected. The update combines both the latest servicing stack update (KB5086285) and cumulative updates into a single package, ensuring that systems receive both foundational and functional improvements simultaneously. The patch is cumulative in nature, meaning it includes all previously released updates for the version, providing a comprehensive solution for affected environments.
General Purpose
The primary purpose of KB5091571 is to resolve a critical issue introduced in the previous security update that caused domain controllers in multi-domain forest environments with Privileged Access Management to experience severe startup failures. The patch specifically addresses a condition where the Local Security Authority Subsystem Service (LSASS) would stop responding after installation and restart, leading to repeated system restarts that prevented authentication and directory services from functioning. This failure could render entire domains unavailable, making it a critical fix for enterprise environments. Additionally, the update includes quality improvements to the Windows servicing stack, enhancing the reliability and robustness of the update installation mechanism itself. The cumulative nature of this patch ensures that all previous security and quality updates are included, providing comprehensive protection and stability for Windows Server 23H2 deployments.
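The conditions described above can be checked per server before scheduling the update. The following PowerShell triage script is an added example, not Microsoft's tooling or code from the original page. It assumes the ActiveDirectory module (RSAT) is available for the forest and PAM checks, and its variable names are illustrative.

```powershell
# Added example: triage one server against the conditions the page describes.
# Values below come from the page; variable names are hypothetical.
$TargetBuild   = '25398'      # Windows Server, version 23H2
$FixedRevision = 2276         # OS Build 25398.2276 ships with KB5091571
$RegressionKb  = 'KB5082060'  # April 14, 2026 security update

$cv   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$isDc = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 2  # 2 = domain controller
$installed = @(Get-HotFix -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty HotFixID)

# Forest topology and PAM state; left as $null (unknown) if AD cannot be queried.
$multiDomain = $null
$pamEnabled  = $null
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $multiDomain = @((Get-ADForest).Domains).Count -gt 1
    $pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    $pamEnabled = [bool]($pam -and @($pam.EnabledScopes).Count -gt 0)
} catch {
    Write-Warning "AD checks skipped: $($_.Exception.Message)"
}

$onTargetBuild = $cv.CurrentBuild -eq $TargetBuild
# The update is cumulative, so any revision at or above 2276 contains the fix.
$hasFix        = $onTargetBuild -and ([int]$cv.UBR -ge $FixedRevision)
$hasRegression = $installed -contains $RegressionKb
$inScope       = $isDc -and $multiDomain -and $pamEnabled

$verdict =
    if (-not $onTargetBuild)              { 'Not build 25398: KB5091571 does not apply' }
    elseif ($hasFix)                      { 'At or above 25398.2276: fix present' }
    elseif ($inScope -and $hasRegression) { 'Matches LSASS restart-loop conditions: install KB5091571' }
    elseif ($hasRegression)               { 'KB5082060 present; multi-domain/PAM condition not confirmed' }
    else                                  { 'KB5082060 not detected and fix not present' }

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    OSBuild      = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
    IsDC         = $isDc
    MultiDomain  = $multiDomain
    PamEnabled   = $pamEnabled
    HasKB5082060 = $hasRegression
    Verdict      = $verdict
}
```

Run it on servers that are still reachable; a domain controller already in the restart loop cannot be queried this way and has to be assessed from its patch history.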
General Sentiment
The sentiment surrounding KB5091571 is mixed but leans toward cautious necessity. On the positive side, Microsoft's rapid response with an out-of-band update demonstrates commitment to addressing critical infrastructure issues affecting domain controllers. For organizations experiencing the LSASS failure described in the patch notes, this update is essential and represents a necessary correction. However, the very existence of this patch reflects a significant regression introduced by the previous update, which raises concerns about the quality assurance processes for critical security updates. The fact that a security update caused domain controller failures in multi-domain PAM environments suggests that testing coverage may have been insufficient for complex enterprise scenarios. Organizations that have not yet experienced the issue may be hesitant to install, fearing additional regressions, while those affected have no choice but to deploy it. The additional known issue regarding WSUS error reporting functionality being temporarily disabled to address a Remote Code Execution vulnerability adds another layer of complexity, though this appears to be a temporary measure rather than a permanent limitation.
Known Issues
- Domain Controller Startup Failures (Fixed): Previous update KB5082060 caused domain controllers with multi-domain forests using Privileged Access Management (PAM) to experience startup issues, with LSASS potentially stopping and causing repeated restarts that prevented authentication and directory services
- WSUS Error Details Not Displayed: After installing KB5070879 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details in error reporting; this functionality was temporarily removed to address Remote Code Execution Vulnerability CVE-2025-59287
- SSU Cannot Be Removed: The servicing stack update (SSU) component included in this combined package cannot be removed from the system after installation; only the LCU can be removed using DISM commands
Disclaimer: We take measures to ensure that AI-generated content is of the highest possible quality, but we cannot guarantee its accuracy and recommend that users do their own independent research. Generated on 2026-04-24 12:57 AM