Microsoft KB5091157
Microsoft out-of-band patch fixing LSASS reboot loops on PAM-enabled domain controllers.
Last refreshed: 8 May 2026
- What is KB5091157?
- KB5091157 is a Microsoft out-of-band patch released on 19 April 2026 that fixes LSASS reboot loops on Windows Server domain controllers that have Privileged Access Management (PAM) enabled, caused by a regression in the April 2026 Patch Tuesday update.
- What is a Microsoft out-of-band patch?
- A Microsoft out-of-band (OOB) patch is an emergency update released outside the monthly Patch Tuesday schedule, issued when a critical bug or security issue is too severe or disruptive to wait for the next regular release cycle.
- Why did domain controllers reboot after April 2026 Windows Server update?
- A regression in the April 2026 Patch Tuesday cumulative update caused LSASS to enter a crash loop on Windows Server domain controllers with Privileged Access Management (PAM) enabled. Microsoft released KB5091157 out-of-band on 19 April 2026 to fix the issue.
Background
Microsoft KB5091157 is a Knowledge Base (KB) article and associated out-of-band (OOB) patch issued on 19 April 2026 to fix a critical regression in Windows Server 2016, 2019, 2022, and 2025 that caused domain controllers with Privileged Access Management (PAM) enabled to enter continuous Local Security Authority Subsystem Service (LSASS) reboot loops. The bug rendered affected domain controllers inoperable, making KB5091157 an emergency fix rather than a scheduled Patch Tuesday release.
Microsoft's Knowledge Base is a repository of articles providing information on specific product issues and patches. An out-of-band patch is one released outside the normal monthly Patch Tuesday cycle, signalling that the severity or operational impact is too high to wait for the next scheduled release. KB numbers serve as stable identifiers for tracking which fix has been applied to a given system, recorded in Windows Update history and third-party patch management tools.
PAM (Privileged Access Management) on domain controllers is a Windows Server feature that enables just-in-time elevation of Active Directory privileges, used in hardened enterprise environments to limit standing administrator rights. The regression was introduced by the April 2026 Patch Tuesday cumulative update for Windows Server; the out-of-band KB5091157 reverted the defective component. The issue is noted in U#3 as part of the IN BRIEF section, reflecting the operational disruption to organisations with hardened PAM-enabled domain controller deployments.
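
One way to use the KB number as a tracking identifier across a forest, as an added example that is not Microsoft's tooling or part of the original page: the script checks whether PAM is enabled and whether each domain controller lists KB5091157. It assumes the ActiveDirectory RSAT module and rights to query installed updates remotely; the variable and column names are illustrative.

```powershell
# Added example (not Microsoft's tooling). Assumes the ActiveDirectory RSAT module
# and rights to query installed updates on each domain controller remotely.
Import-Module ActiveDirectory

$KbId = 'KB5091157'   # KB number as given on this page

# PAM is an Active Directory optional feature. EnabledScopes is empty
# when the feature has not been enabled in the forest.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
$pamEnabled = [bool]($pam -and @($pam.EnabledScopes).Count -gt 0)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $status = 'NotListed'
    $installedOn = $null
    try {
        # List every update first, then filter, so that an exception always means
        # "query failed" and an empty result always means "KB not listed".
        $fix = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object { $_.HotFixID -eq $KbId } |
            Select-Object -First 1
        if ($fix) {
            $status = 'Installed'
            $installedOn = $fix.InstalledOn
        }
    }
    catch {
        $status = 'QueryFailed'   # DC unreachable or access denied: unknown, not "missing"
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        PamEnabled       = $pamEnabled
        KbStatus         = $status
        InstalledOn      = $installedOn
        # Only PAM-enabled DCs are in scope for the regression this page describes.
        NeedsReview      = $pamEnabled -and ($status -ne 'Installed')
    }
}

$report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

A `NotListed` result is a prompt to check that domain controller's update history rather than proof the fix is absent, since `Get-HotFix` only reports what `Win32_QuickFixEngineering` exposes.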