KB5091573: Overview with user sentiment and feedback

Overview

KB5091573 is an out-of-band security update released on April 19, 2026, for Windows Server 2019 and Windows 10 Enterprise LTSC 2019 (OS Build 17763.8647). This emergency patch addresses a critical regression introduced in the previous April 14, 2026 security update (KB5082123) that caused severe stability issues on domain controllers. The update is particularly important for organizations running multi-domain forest environments with Privileged Access Management (PAM) implementations.

Beyond the domain controller fix, this update includes a combined Servicing Stack Update (SSU KB5082118) designed to improve the overall reliability of the Windows update process itself. The patch also addresses the upcoming Windows Secure Boot certificate expiration issue, which poses a significant threat to system boot security starting in June 2026. Organizations must plan certificate updates in advance to prevent widespread boot failures across their infrastructure.

General Purpose

This out-of-band update serves as a critical remediation for a regression introduced in KB5082123. The primary purpose is to resolve a severe issue affecting domain controllers in multi-domain forest environments using Privileged Access Management (PAM). The previous update caused Local Security Authority Subsystem Service (LSASS) failures, resulting in repeated system restarts, authentication failures, and directory service unavailability that rendered affected domains inaccessible. The patch restores stability to these critical infrastructure components. Additionally, the update includes an enhanced Servicing Stack Update that improves the reliability of future Windows update installations and includes updated certificate chain validation logic for Azure-hosted devices. The update also prepares systems for the impending Windows Secure Boot certificate expiration scheduled for June 2026, which could prevent secure boot on personal and business devices if not addressed proactively.

General Sentiment

The sentiment surrounding KB5091573 is cautiously positive given its emergency nature and critical purpose. This is a necessary remediation patch that fixes a serious regression affecting production domain controllers, making it essential for affected organizations. The fact that Microsoft released an out-of-band update demonstrates responsiveness to a significant infrastructure issue. However, the underlying cause—that the previous security update introduced such a critical regression—raises concerns about the testing rigor of KB5082123. Organizations that have not yet deployed KB5082123 may consider delaying that deployment pending further evaluation. The inclusion of Secure Boot certificate preparation is forward-thinking and prevents future disruptions. Some IT professionals may express frustration that this remediation was necessary at all, particularly for those who experienced domain unavailability. The requirement to have previously installed KB5005112 from August 2021 adds a dependency consideration for organizations with inconsistent patch histories. Overall, while this patch is necessary and should be deployed to affected systems, it represents a situation that ideally should not have occurred.

Known Issues

• No currently known issues reported with KB5091573 itself post-release
• Prior issue (now fixed): Domain controllers with multi-domain forests using Privileged Access Management (PAM) experienced startup failures and LSASS service crashes after installing KB5082123, causing repeated restarts and authentication service unavailability
• Prerequisite requirement: KB5005112 (August 10, 2021 SSU) must be installed before deploying this update
• Secure Boot certificate expiration beginning June 2026 requires advance planning and certificate updates to prevent boot failures

Disclaimer: We take measures to ensure that AI-generated content is of the highest possible quality, but we cannot guarantee its accuracy and recommend that users do their own independent research. Generated on 2026-04-20 12:50 AM

Back to Knowledge Base Catalog