Microsoft has confirmed a critical known issue affecting Windows Server 2025 domain controllers following the deployment of the April 2026 Patch Tuesday cumulative update, KB5082063, where affected servers are entering repeated reboot loops after installation.
Released on April 14, 2026, the cumulative update KB5082063 (OS Build 26100.32690) is the standard monthly security update for Windows Server 2025, bundling the latest security fixes along with non-security improvements from March’s optional preview release.
However, Microsoft’s official release changelog updated on April 16, 2026, now includes a known issue noting that “Domain controllers might restart repeatedly after installing this update,” flagging the reboot loop problem for enterprise IT administrators.
The issue is compounded by a secondary problem: a subset of Windows Server 2025 systems is also failing to install the update entirely, throwing error code 0x800F0983 during deployment.
Microsoft acknowledged it is actively monitoring diagnostic telemetry tied to the recurring install failure and confirmed that “a limited number of affected servers might experience an installation failure accompanied by the error code 800F0983”.
Sysadmin reports on Reddit’s Patch Tuesday megathread corroborate Microsoft’s warning, with one administrator noting a domain controller became “stuck in a reboot loop” following KB5082063 installation.
Booting into Directory Services Restore Mode (DSRM) was reported as functional, and uninstalling the update allowed the affected domain controller to reboot normally.
This points squarely at the update as the root cause, particularly for non-Global Catalog (non-GC) domain controllers in complex Active Directory environments.
BitLocker Recovery Triggered
Separately, Microsoft warned that devices with unrecommended BitLocker Group Policy configurations may be forced to enter BitLocker recovery mode after installing KB5082063, a known issue added to the changelog on April 14, 2026.
While this is unlikely to affect home users, enterprise-managed servers with specific BitLocker policies could face access disruptions requiring manual recovery key entry.
What’s Fixed in KB5082063
Despite the issues, the update delivers meaningful security and reliability improvements across several components:
- Kerberos protocol — Changes the default DefaultDomainSupportedEncTypes value to AES-SHA1 for accounts lacking explicit AD encryption type definitions, tied to CVE-2026-20833
- Secure Boot — Adds high-confidence device targeting data for phased rollout of new Secure Boot certificates, reducing BitLocker recovery risk during transitions
- Remote Desktop — Strengthens phishing protection against malicious .rdp files by displaying all requested connection settings before connecting
- Windows Deployment Services (WDS) — Disables the “Hands-Free Deployment” feature by default, hardening against CVE-2026-0386
- SMB over QUIC — Improves compression reliability, reducing timeouts for hybrid and cloud-connected environments
- PowerShell — Fixes the Set-GPPrefRegistryValue cmdlet to correctly preserve all imported registry values
Microsoft has not yet published a formal workaround or fix timeline for the reboot loop issue, and an investigation into the 0x800F0983 install failure is ongoing.
IT administrators are advised to monitor the Windows Server 2025 release health dashboard for real-time updates, pause KB5082063 deployment on domain controllers until a resolution is available, and maintain offline BitLocker recovery keys ahead of patching.
The servicing stack update KB5082062 (Build 26100.32692) is bundled alongside this release to ensure update infrastructure reliability.
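To see where a deployment hold is still needed and which domain controllers already show the restart symptom, the following PowerShell inventory can be run from a management host. It is an added example, not code from Microsoft or from the original article. It assumes the ActiveDirectory RSAT module and remote WMI and event-log access to each domain controller; the threshold of 3 boots in 24 hours is an assumed value, not one Microsoft has published.

```powershell
# Added example: inventory domain controllers for KB5082063 and recent restarts.
# Assumes the ActiveDirectory module (RSAT) and remote WMI / event-log access.
Import-Module ActiveDirectory

$Kb        = 'KB5082063'
$Since     = (Get-Date).AddHours(-24)
$BootLimit = 3   # assumed threshold for "restarting repeatedly"; adjust as needed

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        Name          = $dc.HostName
        OS            = $dc.OperatingSystem
        GlobalCatalog = $dc.IsGlobalCatalog
        KbInstalled   = $null
        Boots24h      = $null
        Status        = 'Unknown'
    }
    try {
        # List all hotfixes and filter locally; Get-HotFix -Id errors when the KB is absent.
        $hotfix = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                  Where-Object HotFixID -eq $Kb
        $row.KbInstalled = [bool]$hotfix

        # Event ID 6005 (provider EventLog) is written once per boot.
        $boots = @(Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
                     -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog'
                                         Id = 6005; StartTime = $Since })
        $row.Boots24h = $boots.Count

        if ($row.KbInstalled -and $row.Boots24h -ge $BootLimit) {
            $row.Status = 'Installed, restarting repeatedly'
        } elseif ($row.KbInstalled) {
            $row.Status = 'Installed'
        } else {
            $row.Status = 'Not installed (hold deployment)'
        }
    }
    catch {
        # A DC caught in a reboot loop is often unreachable; report it instead of skipping it.
        $row.Status = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

$report | Sort-Object Status, Name | Format-Table -AutoSize
```

Rows reported as unreachable need a console or out-of-band check, since a server that is mid-restart cannot answer the remote queries.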

