KB5091575: Overview with user sentiment and feedback

Last Updated April 21, 2026

Probability of successful installation and continued operation of the machine: 75%

Overview

KB5091575 is an out-of-band cumulative security update released on April 19, 2026, for Windows Server 2022 (OS Build 20348.5024). This emergency patch was issued to address critical issues that emerged following the April 14, 2026 security update (KB5082142). The update is particularly significant due to its focus on resolving startup and authentication failures that affected domain controllers in multi-domain forest environments utilizing Privileged Access Management (PAM) capabilities.

The patch addresses a severe regression where domain controllers would experience repeated restart cycles and Local Security Authority Subsystem Service (LSASS) failures after installing the previous cumulative update. These failures prevented authentication and directory services from functioning properly, potentially rendering entire domains unavailable. The out-of-band nature of this release underscores the criticality of the issues being resolved and Microsoft's commitment to rapidly addressing widespread infrastructure problems.

Additionally, this update incorporates the latest servicing stack update (KB5082137, version 20348.5021) combined with the cumulative update, improving the overall reliability of the update installation process itself. The patch also addresses important considerations regarding Windows Secure Boot certificate expiration, which is scheduled to occur starting in June 2026 and requires proactive preparation across Windows Server infrastructure.

General Purpose

KB5091575 serves as a critical remediation patch designed to resolve severe operational issues introduced by the previous month's security update. The primary purpose of this update is to restore stability to Windows Server 2022 domain controllers, particularly those operating in complex multi-domain forest configurations with Privileged Access Management enabled. The patch specifically targets and fixes the startup failure condition where domain controllers would enter continuous restart loops and experience LSASS service failures, which prevented normal authentication and directory service operations.

Beyond the domain controller fixes, the update includes the latest servicing stack improvements that enhance the reliability and robustness of the Windows Update installation mechanism itself. This ensures that future updates can be deployed more reliably across server infrastructure. The patch also prepares systems for the upcoming Windows Secure Boot certificate expiration event scheduled for June 2026, providing administrators with necessary updates to maintain secure boot functionality across their server fleet. The cumulative nature of this update means it incorporates all previously released fixes while adding the new critical remediation components.

General Sentiment

The sentiment surrounding KB5091575 is predominantly positive within the IT professional community, as this patch addresses a genuinely critical regression that affected production infrastructure. The emergency out-of-band release demonstrates Microsoft's responsiveness to severe issues affecting domain controller stability. IT administrators who experienced the domain controller restart failures with KB5082142 view this update as essential and necessary for restoring their infrastructure to operational status.

However, some caution exists regarding the timing and complexity of deploying emergency patches in production environments. Administrators must carefully plan deployment to avoid potential service disruptions, particularly in environments with multiple domain controllers where staggered rollout is advisable. The known issue regarding Windows Server Update Services (WSUS) error reporting represents a trade-off made by Microsoft to address a remote code execution vulnerability, which some administrators may find frustrating when troubleshooting update deployment issues. Despite these considerations, the consensus is that the critical nature of the domain controller fixes outweighs the temporary WSUS reporting limitation, making this patch a necessary deployment for affected organizations.

Known Issues

  • Domain controller startup failures (FIXED): Previous update (KB5082142) caused domain controllers with multi-domain forests using Privileged Access Management to experience startup issues, LSASS service failures, repeated restarts, and authentication/directory service unavailability. This patch resolves this critical issue.
  • WSUS error detail reporting limitation: After installing KB5070884 or later updates, Windows Server Update Services does not display synchronization error details in error reporting. This functionality was temporarily removed to address Remote Code Execution Vulnerability CVE-2025-59287.
  • Servicing stack update cannot be removed: The servicing stack update (KB5082137) included in this combined package cannot be removed from the system after installation; only the cumulative update portion can be removed if necessary.
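
For the staggered rollout mentioned above, the following added example (not from Microsoft or the original page) inventories every domain controller in the forest and reports which ones are already at the fixed build, which still carry KB5082142 without the fix, and which do not answer at all. It assumes the ActiveDirectory module and PowerShell remoting are available; the state names are made up for this illustration.

```powershell
# Added example: inventory domain controllers against the KBs named on this page.
# Assumes the ActiveDirectory module (RSAT) and PowerShell remoting to each DC.
Import-Module ActiveDirectory

$FixedUbr    = 5024          # KB5091575 = OS Build 20348.5024 (from the page)
$RegressedKb = 'KB5082142'   # April 14, 2026 update (from the page)

# The regression is described for multi-domain forests that use PAM.
$forest = Get-ADForest
$pam    = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
$exposedTopology = ($forest.Domains.Count -gt 1) -and ($pam.EnabledScopes.Count -gt 0)
Write-Host "Multi-domain forest with PAM enabled: $exposedTopology"

$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $build = $null
        try {
            $r = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
                [pscustomobject]@{
                    Build    = [int]$cv.CurrentBuild
                    Ubr      = [int]$cv.UBR
                    HotFixes = @((Get-HotFix).HotFixID)
                }
            }
            $build = '{0}.{1}' -f $r.Build, $r.Ubr
            # Hypothetical state labels, chosen for this example only.
            $state = if     ($r.Build -ne 20348)                { 'NotServer2022' }
                     elseif ($r.Ubr -ge $FixedUbr)              { 'Fixed' }
                     elseif ($r.HotFixes -contains $RegressedKb) { 'RegressedUpdateInstalled' }
                     else                                        { 'OlderBuild' }
        }
        catch {
            # A DC in a restart loop or with LSASS down will not answer remoting.
            $state = 'Unreachable'
        }
        [pscustomobject]@{
            Domain = $domain
            DC     = $dc.HostName
            Build  = $build
            State  = $state
        }
    }
}

$report | Sort-Object State, Domain, DC | Format-Table -AutoSize
```

Run it from a management host rather than from a domain controller, so the inventory still works while individual DCs are restarting.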

Disclaimer: We take measures to ensure that AI-generated content is of the highest possible quality, but we cannot guarantee its accuracy and recommend that users do their own independent research. Generated on 2026-04-21 12:58 AM
