KB5091575: Overview with user sentiment and feedback
Last Updated May 31, 2026
Overview
KB5091575 is an out-of-band cumulative security update released on April 19, 2026, for Windows Server 2022 (OS Build 20348.5024). This emergency patch addresses critical issues that emerged following the April 14, 2026 security update (KB5082142), particularly affecting domain controller stability in multi-domain forest environments utilizing Privileged Access Management (PAM) functionality.
The update is Microsoft's response to a significant regression in which domain controllers experienced startup failures: the Local Security Authority Subsystem Service (LSASS) became unresponsive and triggered repeated system restarts. These failures prevented authentication and directory services from functioning, potentially rendering entire domains unavailable. Shipping the fix out of band reflects the severity of the underlying issue and the priority Microsoft placed on rapid remediation of a defect in critical identity infrastructure.
The patch is cumulative in nature and includes all fixes from the previous April 14 update along with additional corrections. It incorporates the latest servicing stack update (KB5082137, version 20348.5021) which enhances the reliability of the update installation process itself. The release includes important notifications regarding Windows Secure Boot certificate expiration scheduled for June 2026, which administrators should prepare for in advance.
General Purpose
This out-of-band update addresses a critical regression introduced in the April 2026 security updates that caused domain controller failures in specific configurations. The primary purpose is to restore stability to Windows Server 2022 domain controllers, particularly those operating in multi-domain forest environments with Privileged Access Management enabled. The update resolves the LSASS service unresponsiveness issue that was causing repeated restarts and preventing authentication services from functioning.
Beyond the domain controller fix, the update includes the combined servicing stack update which improves the overall reliability and robustness of the Windows update installation process. The patch also addresses display rendering issues with Remote Desktop security warnings in multi-monitor environments with different scaling settings, ensuring that critical security prompts display correctly and remain interactive. Additionally, the update maintains compatibility with Windows Secure Boot certificate requirements and prepares systems for the upcoming certificate expiration in June 2026.
General Sentiment
The sentiment surrounding KB5091575 is cautiously positive, as it represents Microsoft's swift action to remediate a serious regression that threatened infrastructure stability. The out-of-band release mechanism itself indicates the severity and urgency of the domain controller issues, which is appropriate given the potential for widespread service disruption. IT professionals generally view emergency patches addressing critical authentication failures favorably, as the alternative of leaving systems vulnerable to restart loops is untenable.
However, there are legitimate concerns about the patch's introduction of new known issues that require careful management. The BitLocker Group Policy configuration issue, while affecting only systems with specific and uncommon settings, nonetheless requires pre-installation auditing and potential remediation. The temporary removal of WSUS error reporting details, implemented to address a Remote Code Execution vulnerability, represents a trade-off between security and operational visibility that some administrators may find frustrating. The Remote Desktop display rendering issue, though addressed in a subsequent update, indicates that the patch itself introduced new problems requiring follow-up fixes. These considerations suggest that while the patch is necessary, deployment should be planned and tested rather than rushed, with particular attention to BitLocker configurations and multi-monitor Remote Desktop scenarios.
Known Issues
- BitLocker Recovery Key Requirement: Systems with a specific, unrecommended BitLocker Group Policy configuration (PCR7 included in the TPM platform validation profile) may require BitLocker recovery key entry on the first restart after installation. This affects only systems where all conditions are met, including a Boot Manager that is not signed with the 2023 UEFI CA. Subsequent restarts will not trigger the recovery screen if the policy remains unchanged.
- WSUS Error Reporting Disabled: Windows Server Update Services no longer displays synchronization error details in error reporting. This functionality was temporarily removed to address the CVE-2025-59287 Remote Code Execution vulnerability.
- Remote Desktop Warning Display Issues: Security warning dialogs for Remote Desktop (RDP) files may display incorrectly, with overlapping text or hidden buttons, on systems using multiple monitors with different display scaling settings (e.g., 100% and 125%). The issue is addressed in the subsequent update KB5087545.
- Windows Secure Boot Certificate Expiration: Secure Boot certificates begin expiring in June 2026. Devices not updated in time may experience boot failures, so preparation and advance certificate updates are recommended.
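The pre-installation audit the BitLocker and Secure Boot items above call for can be scripted. The following PowerShell is an added example, not from the KB article or from Microsoft: it reads the OS volume's effective PCR validation profile, the Group Policy that pins that profile, and whether the Windows UEFI CA 2023 certificate is already in the Secure Boot db (used here as a proxy for the "2023-signed Boot Manager" condition). The registry path of the platform-validation policy and the OS drive letter C: are assumptions.

```powershell
# Added example: audit a Windows Server 2022 host for the two Known Issues before installing KB5091575.
# Assumptions (not stated in the KB): the policy "Configure TPM platform validation profile for native
# UEFI firmware configurations" lives under HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI
# as DWORD values Enabled and PCR0..PCR23; the OS volume is C:. Run from an elevated prompt.

$report = [ordered]@{}

# 1. Effective PCR validation profile that the TPM protector on the OS volume is sealed to.
$mbde    = manage-bde -protectors -get C: 2>&1
$pcrLine = $mbde | Where-Object { $_ -match 'PCR Validation Profile' } | Select-Object -First 1
$report.PcrProfile = if ($pcrLine) { ($pcrLine -split ':', 2)[1].Trim() } else { 'no TPM protector found' }
$report.Pcr7Sealed = [bool]($report.PcrProfile -match '\b7\b')   # "7" as its own PCR number, not 17

# 2. Group Policy that pins the profile (the configuration the KB calls unrecommended).
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$pol    = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$report.PolicyConfigured   = [bool]($pol -and $pol.Enabled -eq 1)
$report.PolicyIncludesPcr7 = [bool]($pol -and $pol.PCR7 -eq 1)

# 3. Secure Boot state and whether the 2023 CA is already trusted by firmware (db variable).
try   { $report.SecureBoot = Confirm-SecureBootUEFI } catch { $report.SecureBoot = 'unsupported' }
try {
    $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $report.Has2023CA = [bool]($dbText -match 'Windows UEFI CA 2023')
} catch { $report.Has2023CA = $false }

# 4. Decide what has to happen before the update is pushed to this host.
$report.ActionBeforeInstall =
    if ($report.PolicyConfigured -and $report.PolicyIncludesPcr7 -and -not $report.Has2023CA) {
        'Stage the BitLocker recovery key: all conditions of the recovery-key known issue are present'
    } elseif (-not $report.Has2023CA) {
        'Plan the Secure Boot 2023 certificate update ahead of the June 2026 expiry'
    } else {
        'No pre-install action required by the listed known issues'
    }

[pscustomobject]$report
```

Run it on a representative domain controller per configuration baseline rather than on every host; the result is only as good as the assumed policy path, so verify that path once against a machine where the policy is known to be set.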
Disclaimer: We take measures to ensure that AI-generated content is of the highest possible quality, but we cannot guarantee its accuracy and recommend that users do their own independent research. Generated on 2026-05-31 01:43 PM