KB5091572: Overview with user sentiment and feedback
Last Updated April 20, 2026
Overview
KB5091572 is an out-of-band security update released on April 19, 2026, for Windows Server 2016 and Windows 10 version 1607 (OS Build 14393.9062). This patch addresses a critical issue affecting domain controllers in multi-domain forest environments that utilize Privileged Access Management (PAM) functionality. The update was released outside the normal monthly patch cycle due to the severity of the issue it resolves.
This out-of-band update is particularly significant because it resolves a regression introduced in the April 14, 2026 security update (KB5082198). The patch specifically targets infrastructure stability concerns that could render domain controllers unavailable and prevent authentication services from functioning properly. Additionally, this update addresses the broader Windows Secure Boot certificate expiration issue that affects most Windows devices, with certificates set to expire starting in June 2026.
General Purpose
KB5091572 is a remediation patch for a domain controller startup failure introduced by the preceding security update, KB5082198. Its primary purpose is to fix domain controllers in multi-domain forests implementing Privileged Access Management that fail to start after installing KB5082198. Specifically, the Local Security Authority Subsystem Service (LSASS) could stop responding, causing repeated system restarts and preventing authentication and directory services from functioning, which could render entire domains unavailable. Beyond the domain controller fix, this update also addresses the impending Windows Secure Boot certificate expiration, which poses a potential threat to system boot capabilities for both personal and business devices starting in June 2026. The patch includes the necessary certificate updates and improvements to ensure continued Secure Boot functionality across the Windows ecosystem.
General Sentiment
The sentiment surrounding KB5091572 is mixed, though the patch addresses critical infrastructure concerns. On the positive side, this out-of-band release demonstrates Microsoft's responsiveness to serious regressions affecting enterprise environments, particularly domain controllers, which are mission-critical systems. The rapid deployment of a fix for the LSASS issue and the proactive approach to the Secure Boot certificate expiration show commitment to system stability. However, the very existence of this patch highlights a concerning pattern: the preceding update (KB5082198) introduced a regression that required an emergency fix, which may raise concerns about the quality assurance processes for security updates. Organizations running domain controllers with PAM implementations would have experienced significant disruption between April 14 and April 19, 2026. The requirement to install a Servicing Stack Update (KB5082089) before applying this patch adds complexity to the deployment process. While the patch itself appears necessary and well-intentioned, the circumstances surrounding its release may give some administrators pause regarding the stability of the April 2026 update cycle.
Known Issues
- No known issues are currently reported for KB5091572 itself; however, the patch was created specifically to resolve a known issue introduced in KB5082198, where domain controllers in multi-domain forests using Privileged Access Management experienced startup failures and LSASS service interruptions
- Installation requires the latest Servicing Stack Update (KB5082089) to be installed first; failure to do so may prevent the patch from being offered or installed
- This out-of-band update is only available through the Microsoft Update Catalog and is not distributed through standard Windows Update channels for all systems
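The prerequisite and exposure conditions above can be checked per host before deployment. The following PowerShell is an added example, not Microsoft's or this page's own tooling: the KB numbers and build come from the page, while the report fields, the use of `Get-HotFix` to detect the SSU, and the availability of the ActiveDirectory module are assumptions.

```powershell
# Added example: pre-install triage for KB5091572 (Windows Server 2016 / Windows 10 1607).
# KB numbers and target build are taken from the page; field names are hypothetical.
$TargetKB  = 'KB5091572'   # out-of-band fix
$RegressKB = 'KB5082198'   # April 14, 2026 update that introduced the regression
$SsuKB     = 'KB5082089'   # Servicing Stack Update prerequisite
$TargetUbr = 9062          # fixed build is 14393.9062

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$os    = Get-CimInstance Win32_OperatingSystem
$isDC  = $os.ProductType -eq 2    # 2 = domain controller
# Assumption: Get-HotFix lists the SSU on this host; it does not enumerate every package type.
$fixes = @((Get-HotFix -ErrorAction SilentlyContinue).HotFixID)

# Exposure per the page: DC + multi-domain forest + PAM in use. $null = could not determine.
$pamExposed = $null
if ($isDC -and (Get-Module -ListAvailable ActiveDirectory)) {
    try {
        $multiDomain = @((Get-ADForest).Domains).Count -gt 1
        $pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
        $pamEnabled  = [bool]($pam -and $pam.EnabledScopes.Count -gt 0)
        $pamExposed  = $multiDomain -and $pamEnabled
    } catch {
        Write-Warning "AD query failed: $($_.Exception.Message)"
    }
}

$applicable = [int]$cv.CurrentBuild -eq 14393
$patched    = ($fixes -contains $TargetKB) -or ($applicable -and [int]$cv.UBR -ge $TargetUbr)
$hasSsu     = $fixes -contains $SsuKB
$regressed  = ($fixes -contains $RegressKB) -and -not $patched

$action = if (-not $applicable) { 'Not applicable: OS build is not 14393' }
    elseif ($patched)           { 'No action: fix already present' }
    elseif (-not $hasSsu)       { "Install SSU $SsuKB first, then $TargetKB" }
    else                        { "Install $TargetKB from the Microsoft Update Catalog" }

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    Build              = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
    IsDomainController = $isDC
    PamExposed         = $pamExposed
    RegressionPresent  = $regressed
    SsuInstalled       = $hasSsu
    Action             = $action
    Priority           = if ($regressed -and $pamExposed) { 'Urgent' } else { 'Normal' }
}
```

Because the update is not offered through standard Windows Update channels for all systems, a host reporting `RegressionPresent = True` will not necessarily remediate itself on the next scan.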
Disclaimer: We take measures to ensure that AI-generated content is of the highest possible quality, but we cannot guarantee its accuracy and recommend that users do their own independent research. Generated on 2026-04-20 12:47 AM