Microsoft has confirmed a critical known issue affecting Windows Server 2025 domain controllers after deploying the April 2026 cumulative update KB5082063 (OS Build 26100.32690), released on April 14, 2026.
Affected domain controllers are entering repeated restart loops, and a separate but related issue is triggering BitLocker recovery prompts on enterprise-managed systems post-update.
Reboot Loop Issue on Windows Servers
The April 2026 Patch Tuesday update, KB5082063, is part of Microsoft’s monthly baseline security release cycle and delivers fixes for Kerberos authentication, Secure Boot certificate handling, Remote Desktop phishing protections, and Windows Deployment Services hardening related to CVE-2026-0386.
However, shortly after deployment on April 14–15, 2026, system administrators began reporting that domain controllers were restarting repeatedly following installation.
Microsoft has since issued a service alert acknowledging the behavior and describing the affected population as “limited, not universal.”
In addition to the reboot loop, a number of servers are also returning install failure error code 0x800F0983, preventing KB5082063 from applying successfully.
Microsoft stated it is actively monitoring diagnostic data and investigating the root cause, but has not yet published a final engineering explanation.
A secondary complication involves BitLocker recovery prompts appearing after the update on systems where:
- BitLocker is enabled on the OS drive
- TPM platform-validation policy includes PCR7
- The Secure Boot State PCR7 Binding is reported as “Not Possible” in msinfo32
Microsoft clarified that this condition is unlikely to affect consumer devices and is primarily confined to enterprise IT-managed environments. Recovery keys typically need to be entered only once if the policy configuration remains unchanged, but the issue poses a serious operational risk for lights-out or remotely managed servers where recovery key access has not been pre-staged.
The issue applies to Windows Server 2025 across all editions running OS Build 26100.32690. The domain controller restart loop is listed as a known issue directly in Microsoft’s KB5082063 release documentation, alongside WSUS not displaying synchronization error details, a limitation introduced after KB5070881 to address RCE vulnerability CVE-2025-59287.
Recommended Actions for Administrators
Security teams and server administrators are advised to take the following steps:
- Pause broad rollout across production Windows Server 2025 systems if multiple failures are observed
- Collect BitLocker recovery keys before attempting any further reboots on encrypted systems
- Check Event Viewer under WindowsUpdateClient > Operational for exact failure codes and timestamps
- Run DISM repair (DISM /Online /Cleanup-Image /RestoreHealth and sfc /scannow) if component store corruption is suspected
- Avoid repeated install retries across the production fleet without first triaging a single representative system
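The triage steps above and the three BitLocker conditions listed earlier can be checked in one pass on a single representative server before it is rebooted again. The script below is an added example, not Microsoft's tooling or code from the original article. It assumes an elevated session, English-language manage-bde and msinfo32 output, and a temporary report path chosen here for illustration.

```powershell
#Requires -RunAsAdministrator
# Added triage example: run on ONE representative Windows Server 2025 system
# before any further reboot or install retry. Read-only; changes nothing.
$kb        = 'KB5082063'
$errorCode = '0x800F0983'
$drive     = $env:SystemDrive

# 1. OS build. 26100.32690 means the April 2026 update is installed.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

# 2. Windows Update client events that mention the KB or the failure code.
$events = Get-WinEvent -LogName 'Microsoft-Windows-WindowsUpdateClient/Operational' `
              -MaxEvents 500 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match "$kb|$errorCode" } |
          Select-Object TimeCreated, Id, LevelDisplayName, Message

# 3. BitLocker on the OS drive, and whether a recovery password protector exists.
$vol         = Get-BitLockerVolume -MountPoint $drive
$bitlockerOn = $vol.ProtectionStatus -eq 'On'
$recoveryIds = $vol.KeyProtector |
               Where-Object KeyProtectorType -eq 'RecoveryPassword' |
               ForEach-Object KeyProtectorId

# 4. TPM validation profile. Assumption: English manage-bde output with a
#    "PCR Validation Profile" label and the PCR list on that or the next line.
$m = manage-bde -protectors -get $drive |
     Select-String 'PCR Validation Profile' -Context 0,1
$pcrText  = ($m | ForEach-Object { $_.Line; $_.Context.PostContext }) -join ' '
$pcrText  = $pcrText -replace 'PCR Validation Profile:?', ''
$usesPcr7 = $pcrText -match '(^|[\s,])7([\s,]|$)'

# 5. PCR7 binding as reported by msinfo32 (slow: writes a full system report).
$report = Join-Path $env:TEMP 'msinfo-pcr7.txt'   # hypothetical path
Start-Process msinfo32.exe -ArgumentList '/report', "`"$report`"" -Wait
$pcr7Line = Get-Content $report | Select-String 'PCR7' |
            Select-Object -First 1 -ExpandProperty Line
$bindingNotPossible = [bool]($pcr7Line -match 'Not Possible')

# Summary: all three BitLocker conditions from the article must hold.
[pscustomobject]@{
    Build               = $build
    UpdateEventsFound   = @($events).Count
    BitLockerOn         = $bitlockerOn
    RecoveryProtectors  = @($recoveryIds).Count
    ProfileIncludesPCR7 = $usesPcr7
    Pcr7BindingLine     = $pcr7Line
    RecoveryPromptRisk  = $bitlockerOn -and $usesPcr7 -and $bindingNotPossible
}
$events | Sort-Object TimeCreated | Format-List
```

If RecoveryPromptRisk is True, confirm the recovery key for that volume is retrievable from your escrow location before the next restart.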
As of April 17, 2026, Microsoft has not released an out-of-band (OOB) fix for the reboot loop issue. The company continues to monitor diagnostic telemetry and has promised further updates through the Windows Release Health Dashboard and official support channels.
Organizations running Windows Server 2025 in critical roles are encouraged to defer non-urgent patching until Microsoft provides a confirmed resolution path.

