After installing KB5082063, non-Global Catalog domain controllers running Privileged Access Management reboot in a loop. LSASS crashes early in startup, Windows restarts, and authentication across the forest starts failing. Microsoft confirmed the issue on the Windows release health dashboard and is investigating.
Affected builds span Windows Server 2016, 2019, 2022, 23H2, and 2025. The common factor is a non-GC domain controller in an environment that uses PAM bastion forests or shadow principals.
Triage: Is This Your Issue?
Check the System event log on the crashing DC:
Get-WinEvent -LogName System -MaxEvents 50 |
Where-Object { $_.Id -in 6008,1074,7031 } |
Format-Table TimeCreated, Id, Message -Wrap
Then check Application for LSASS crashes:
Get-WinEvent -LogName Application -MaxEvents 50 |
Where-Object { $_.ProviderName -eq "Application Error" -and $_.Message -match "lsass" } |
Format-Table TimeCreated, Id, Message -Wrap
If you see repeated LSASS faults followed by unexpected shutdowns, and the host is a non-GC DC with PAM enabled, you are hitting this bug.
Mitigation 1: Enable the Global Catalog
The fastest stabilizer is to make the affected DC a Global Catalog. GC DCs do not crash under this bug:
Set-ADObject -Identity (Get-ADDomainController -Identity $env:COMPUTERNAME).NTDSSettingsObjectDN `
-Replace @{options=1}
It can take several minutes for the GC promotion to complete. Monitor replication:
repadmin /showrepl
This is a design change, so coordinate with whoever owns your AD topology before flipping it in production.
Mitigation 2: Uninstall KB5082063
If you cannot change GC placement, remove the update from the affected DC:
wusa.exe /uninstall /kb:5082063 /quiet /norestart
Reboot, then block the update via WSUS, Intune, or a local Group Policy until Microsoft ships a fix. To pause via the local registry:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" `
-Name "NoAutoUpdate" -Value 1 -PropertyType DWORD -Force
Mitigation 3: Shift Authentication Traffic
If you have multiple DCs in the site, drain traffic off the crashing host while you work the fix. Lower its DNS weight and priority so clients prefer healthy DCs:
Set-DnsServerResourceRecord -ZoneName "_msdcs.yourdomain.com" `
-OldInputObject $old -NewInputObject $new
Or temporarily stop advertising the DC's SRV records:
dcdiag /test:advertising /v
This does not fix the crash, but it keeps clients from hitting a loop while Microsoft ships a patch.
Verify
After mitigation, watch for clean LSASS startup:
Get-WinEvent -LogName System -MaxEvents 20 |
Where-Object Id -eq 6005 |
Select-Object TimeCreated, Message
Expected output: an Event 6005 for the Event Log service starting, followed by no LSASS crashes.
Confirm the DC is servicing requests again:
dcdiag /test:connectivity /test:services
All tests should report passed.
Related Posts
- Fix AD Replication Error 8606 - Recover replication after a DC outage
- Fix Domain Trust Relationship in PowerShell - Repair broken trust without rejoining
- Find the Source of an Account Lockout - Trace lockout storms after authentication chaos
Running a PAM bastion forest and need a second set of eyes on your patch ring? Contact Rain City Techworks.