🔴 Microsoft just broke its own servers. Again.

April 2026 Patch Tuesday dropped KB5082063 on April 14. By April 16, domain controllers were stuck in infinite reboot loops. Here's what actually happened and what you should do right now.

The problem: KB5082063 crashes LSASS, the process that handles every single login on your network. No LSASS, no authentication. No authentication, your domain goes dark. And because Windows tries to self-recover, it reboots... hits the same crash. Reboots again. Infinite loop.

It only hits non-Global Catalog domain controllers running PAM environments. So not universal, but if you're affected, your entire network is down.

The fix: Microsoft pushed emergency out-of-band updates on April 19:
- KB5091157: Windows Server 2025
- KB5091575: Windows Server 2022

Both are live on Windows Update, WSUS, and the Microsoft Update Catalog right now.

One more thing to check: Windows Server 2025 devices are randomly booting into BitLocker recovery mode after this update. Make sure your users have their recovery keys before you push anything.

An uncomfortable truth nobody's saying out loud: This is the third consecutive April that Microsoft has broken domain controllers with a Patch Tuesday update.
- 2024 -> NTLM authentication failures.
- 2025 -> Active Directory auth problems.
- 2026 -> LSASS crash, infinite reboot loop.

At what point does "isolated incident" become a pattern you need to plan around?

#SysAdmin #WindowsServer #PatchTuesday #Microsoft #ITOperations #CyberSecurity #ActiveDirectory
Microsoft Patch Tuesday Crashes LSASS Process, Causes Infinite Reboot Loops
-
🛑 **EMERGENCY ALERT: STOP the April Windows Server Updates!**

If you manage Domain Controllers, take **KB5082063** off your deployment list immediately. Microsoft has officially confirmed that the April 2026 "Patch Tuesday" update is sending Domain Controllers into a terminal reboot loop. The culprit is an LSASS crash that triggers every time the server tries to process authentication requests during startup.

**The Breakdown:**
💥 **Target:** Windows Server 2016 through 2025.
💥 **Trigger:** Specifically hits non-GC Domain Controllers and those using PAM.
💥 **Side Effect:** Also reports of BitLocker recovery prompts and install error 0x800F0983.

**The Fix:** Microsoft has just released emergency Out-of-Band (OOB) updates: **KB5091157** / **KB5091575**. If you’re already stuck in a loop, you’ll need to boot into WinRE and use DISM to manually roll back the original patch before applying the new fix.

Stay safe, check your backups twice, and maybe hold off on that Friday afternoon deploy! ☕🛠️

Help spread the word and share this post! 👉

#ActiveDirectory #WindowsServer #SysAdmin #Microsoft #ITInfrastructure #CyberSecurity #PatchTuesday
-
Heads up for everyone managing Windows Servers! Microsoft just rolled out emergency updates to fix some tricky issues that came up after the April patches, including servers getting stuck in restart loops. Keeping your systems running smoothly while staying secure can be a juggling act, right? If you're struggling with complex updates or need expert advice to keep your infrastructure stable, Kingdom Cybersecurity's Consulting Hours are here to help you navigate these challenges. Let's keep your operations seamless! #WindowsServer #MicrosoftUpdates #CybersecurityNews #TechTroubles #ITSupport #KingdomCybersecurity #ConsultingHours Source: https://lnkd.in/eFniMrMZ
-
Microsoft just pushed an emergency patch for Windows Server 2025. This one touches Domain Controllers and can break things like authentication and domain joins if you get it wrong. And it came from April's Patch Tuesday.

This is the reality of patching. Sometimes the fix is what causes the problem. I've seen it happen to DCs in the past. You either move fast and risk knocking over AD, or you slow down and carry exposure. There’s no clean answer, just trade-offs.

If this landed with me, I’d be checking impact first, testing it properly, and making sure I’ve got a rollback I trust before it goes anywhere near production. If your Domain Controllers break, everything follows. This is the bit that never makes it into the slide decks.

#WindowsServer #CyberSecurity #ITOperations #CIOAustralia https://lnkd.in/ga-GDCzD
-
One of the first Windows Server concepts that finally clicked for me was the difference between Roles and Features. At first, they sounded almost identical. But they serve very different purposes.

A Role is the primary job you want the server to perform. Examples:
• Active Directory Domain Services
• DNS Server
• DHCP Server
• Web Server (IIS)
• Hyper-V

When you install a role, the server takes on a core business function. For example, installing Active Directory Domain Services turns the server into a Domain Controller that manages authentication, users, and access across the organization.

A Feature adds supporting functionality. Examples:
• Group Policy Management
• BitLocker
• Windows Backup
• .NET Framework
• Failover Clustering

Features don’t define what the server is. They enhance what the server can do.

The simplest way I remember it:
👉 Role = Primary responsibility
👉 Feature = Supporting capability

That small distinction helped me better understand how enterprise servers are designed. What Windows Server concept made things click for you?

#WindowsServer #ActiveDirectory #SystemAdministration #ITInfrastructure #LearningInPublic #CyberSecurity #ITSupport #CloudComputing
-
Microsoft has released fixes for 138 security flaws across Windows, Office, Azure, and Teams — including two in Windows itself that let attackers run code on your computer or company servers without needing a password. None are being actively exploited yet, but 30 are rated Critical. Microsoft also warns that a security certificate built into Windows since 2011 expires on 26 June 2026 — devices that miss the update before that date face serious boot-level failures. Open Windows Update now and install everything available. 🔥 #CyberNewsLive https://lnkd.in/g4SXDVk8
-
Microsoft has confirmed that the April 2026 security updates are causing failures in third-party backup applications using the psmounterex.sys driver. As BleepingComputer reported last week, this issue affects software using VSS (Volume Shadow Copy Service) snapshots and causes failures due to a VSS service timeout. Software impacted by this includes, but is not limited to, products from Macrium (Reflect), Acronis (Cyber Protect Cloud), UrBackup Server, and NinjaOne Backup running on Windows 11, Windows Server, and Windows 10 devices. #staycurious #stayinformed #noble1 #tomshaw TOM SHAW
-
🔒 How to Enable SSL/TLS 1.2 on Windows Server: Full Configuration Guide 🧰

Windows Server deployments that have not explicitly enabled TLS 1.2 and disabled legacy protocols like SSLv3, TLS 1.0, and TLS 1.1 are exposed to protocol downgrade attacks, PCI DSS compliance failures, and the growing list of clients that refuse to connect over deprecated protocols.

Enable TLS 1.2 and harden your Windows Server protocol configuration:
✅ Enable TLS 1.2 in the Windows registry under SCHANNEL protocols key
✅ Explicitly disable SSLv3, TLS 1.0, and TLS 1.1 to prevent downgrade attacks
✅ Update .NET Framework system-wide defaults to use TLS 1.2 connections
✅ Configure strong cipher suite order in Windows Group Policy or registry
✅ Test with SSL Labs or PowerShell to confirm TLS 1.2 is enforced correctly

The registry changes for SCHANNEL configuration are precise - an incorrectly formatted registry key can silently fail to apply, leaving the server still accepting deprecated protocols. This guide covers the exact registry paths, required DWORD values, and verification steps needed to confirm the configuration is correctly applied.

For environments running IIS, SQL Server, or other SCHANNEL-dependent services, TLS 1.2 enforcement must be tested end-to-end across every service after applying these changes.

Enable TLS 1.2 on Windows Server with this complete step-by-step configuration: ➡️ https://lnkd.in/gVjCCpPa

#TLS12 #WindowsServer #SSLConfig #ServerSecurity #SCHANNEL #SSLInsights #WindowsSecurity #IIS #TLSSetup #WebSecurity #WindowsAdmin #ServerHardening #TLSConfiguration #SSLCertificate #CyberSecurity #ComplianceSecurity #PCI #WindowsHardening
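A read-only audit of the SCHANNEL and .NET settings the post above lists, added here as an example and not taken from the post or the linked guide. It assumes the standard SCHANNEL `Protocols` key layout and the .NET 4.x `SchUseStrongCrypto` / `SystemDefaultTlsVersions` values; the function name `Test-DwordValue` is made up for this example. It reports a missing key or a value stored with the wrong type, the two ways a setting silently fails to apply.

```powershell
# Added example: audit SCHANNEL protocol settings. Read-only, changes nothing.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state from the post: TLS 1.2 on; SSLv3, TLS 1.0 and TLS 1.1 off.
$desired = [ordered]@{ 'SSL 3.0' = $false; 'TLS 1.0' = $false; 'TLS 1.1' = $false; 'TLS 1.2' = $true }

function Test-DwordValue {   # hypothetical helper for this example
    param([string]$Path, [string]$Name, [int]$Expected)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return 'MISSING KEY (OS default applies)' }
    if ($key.GetValueNames() -notcontains $Name) { return 'MISSING VALUE (OS default applies)' }
    # A value created as REG_SZ instead of REG_DWORD is ignored by SCHANNEL.
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return "WRONG TYPE ($kind, expected DWord)"
    }
    $actual = $key.GetValue($Name)
    # Treat any non-zero DWORD (1 or 0xFFFFFFFF) as "set".
    if ([int]($actual -ne 0) -eq $Expected) { return 'OK' }
    return "MISMATCH (found $actual, want $Expected)"
}

$protocols = foreach ($proto in $desired.Keys) {
    foreach ($role in 'Server', 'Client') {
        $path = "$base\$proto\$role"
        $on   = $desired[$proto]
        [pscustomobject]@{
            Key               = "$proto\$role"
            Enabled           = Test-DwordValue $path 'Enabled' ([int]$on)
            DisabledByDefault = Test-DwordValue $path 'DisabledByDefault' ([int](-not $on))
        }
    }
}

# .NET Framework 4.x defaults, 64-bit and 32-bit registry views.
$dotnet = foreach ($root in 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft') {
    $path = "$root\.NETFramework\v4.0.30319"
    [pscustomobject]@{
        Key                      = $path
        SchUseStrongCrypto       = Test-DwordValue $path 'SchUseStrongCrypto' 1
        SystemDefaultTlsVersions = Test-DwordValue $path 'SystemDefaultTlsVersions' 1
    }
}

$protocols | Format-Table -AutoSize
$dotnet    | Format-List
```

SCHANNEL reads these keys at service start, so a clean report still needs the reboot and the end-to-end test the post calls for.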
-
🚨 Breaking News for IT Professionals! 🚨

Microsoft has just rolled out out-of-band (OOB) updates to tackle issues plaguing Windows Server systems post-April 2026 security updates. It’s a reminder that even the giants can stumble. This incident highlights a critical reality in our industry: software updates, while essential, can sometimes introduce new challenges.

Consider this trend:
- The tech landscape continues to grow in complexity. As cybersecurity threats evolve, so do software vulnerabilities.
- The reliance on cloud services makes us more vulnerable to these issues.

Just think back to the infamous “Blue Screen of Death” days. History has a way of repeating itself.

What does this mean for us?
- Expect an uptick in discussions around patch management and proactive security measures.
- IT teams will need to balance agility with stability.

The future may see more frequent OOB updates as a standard practice. As we navigate these challenges, we must stay vigilant. The evolving cybersecurity landscape demands that we anticipate, rather than just react. Let’s not forget: every setback is an opportunity for growth and improvement. Embrace the change and adapt.

What are your thoughts on these OOB updates? Are they a necessary evil or a sign of larger systemic issues?

#Cybersecurity #TechTrends #WindowsUpdates #ainews #automatorsolutions #CyberSecurityAINews

-----
Original Publish Date: 2026-04-20 01:35
-
🔐 How to Implement BitLocker with Silent Encryption & Automatic Key Backup (Intune Guide)

Securing endpoints at scale doesn’t have to be complex. With Microsoft Intune, you can deploy BitLocker policies centrally—without user interruption—and ensure recovery keys are safely backed up. Here’s a practical implementation guide 👇

✅ Step 1: Create BitLocker Policy
- Go to: Endpoint Security → Disk Encryption → Create Policy
- Platform: Windows 10/11
- Profile: BitLocker

✅ Step 2: Configure Silent Encryption
- Enable Silent encryption (no user interaction)
- Set Encryption method: XTS-AES 128 or 256
- Enable Encrypt OS and Fixed drives

✅ Step 3: Configure Recovery Key Backup
- Enable Save BitLocker recovery information to Azure AD
- Require backup before enabling encryption

✅ Step 4: Authentication Settings
- Allow TPM-based protection
- (Optional) Enforce TPM + PIN for higher security

✅ Step 5: Assign Policy
- Assign to Device Groups (recommended)
- Ensure devices are Azure AD joined

✅ Step 6: Monitor Deployment
- Go to: Devices → Monitor → Encryption Report
- Track compliance and encryption status in real-time

🚀 Best Practices:
✔ Use Device-based targeting
✔ Ensure TPM 2.0 is enabled
✔ Test policy on pilot group before full rollout

⚠️ Common Pitfalls:
❌ Devices not Azure AD joined
❌ Recovery key backup not enforced
❌ Conflicting Group Policies

🔎 Outcome:
✔ Zero-touch encryption
✔ Secure key management
✔ Compliance-ready environment

#MicrosoftIntune #BitLocker #EndpointSecurity #CyberSecurity #Windows #ITAdmin #CloudSecurity #Microsoft Azure
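A device-side check of what the policy in the post above should produce, added here as an example and not part of the post. It uses the built-in `Get-BitLockerVolume` cmdlet from an elevated session; the function name `Get-BitLockerPosture` is made up for this example. It can show that a recovery password protector exists on the volume, not that the key reached the directory, which still has to be confirmed in the Intune encryption report from Step 6.

```powershell
# Added example: local BitLocker posture check. Read-only; run elevated.
$allowedMethods = 'XtsAes128', 'XtsAes256'   # the two methods named in Step 2

function Get-BitLockerPosture {   # hypothetical name for this example
    # VolumeType 'Data' covers fixed and removable data drives alike.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            $types  = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
            $issues = @()

            if ($_.VolumeStatus -ne 'FullyEncrypted') {
                $issues += "not fully encrypted ($($_.VolumeStatus), $($_.EncryptionPercentage)%)"
            }
            if ($_.ProtectionStatus -ne 'On') {
                $issues += 'protection suspended or off'
            }
            if ($_.EncryptionMethod.ToString() -notin $allowedMethods) {
                $issues += "method $($_.EncryptionMethod) is not XTS-AES"
            }
            # Without a recovery password protector there is nothing to back up
            # and nothing to type at a recovery prompt.
            if ($types -notcontains 'RecoveryPassword') {
                $issues += 'no RecoveryPassword protector'
            }
            # Step 4: the OS volume should be unlocked by a TPM-based protector
            # (Tpm, TpmPin, TpmStartupKey, ...).
            if ($_.VolumeType -eq 'OperatingSystem' -and -not ($types -match '^Tpm')) {
                $issues += 'no TPM-based protector on OS volume'
            }

            [pscustomobject]@{
                MountPoint = $_.MountPoint
                Type       = $_.VolumeType
                Method     = $_.EncryptionMethod
                Protectors = $types -join ', '
                Compliant  = ($issues.Count -eq 0)
                Issues     = $issues -join '; '
            }
        }
}

Get-BitLockerPosture | Format-Table -AutoSize -Wrap
```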
-
📢 New post on the Windows IT Pro Blog! Protect your estate: Reassess your Windows update policies

The threat landscape is moving faster than ever—and our patching strategies need to keep up. Microsoft just published an important update on reassessing Windows update policies, highlighting:
- A new Windows Autopatch report that provides centralized visibility into patch compliance across Windows, Windows Server, and Microsoft 365 apps
- Stricter, security-first patch timelines, where being “current” now means installing updates within 3 days.
- Clear identification of policies that increase risk exposure, with actionable workflows to remediate them.
- Expanded guidance on using Windows Autopatch, hotpatching, and Extended Security Updates (ESU) for Windows 10.

As AI accelerates vulnerability discovery, longer patch SLAs (14–28 days) leave organizations unnecessarily exposed. These updated recommendations are a strong reminder that patching is no longer just an IT hygiene task—it’s a core security control.

If you manage or influence Windows servicing strategy, this is a must-read and a good moment to reassess your risk posture.

#WindowsAutopatch #Intune #EndpointManagement #Security #WindowsUpdates #MicrosoftIntune #ZeroTrust