KB5091575 Windows Server 2022 Fixes Critical Domain Controller Crash and PAM Startup Loop
Microsoft just pushed KB5091575 for Windows Server 2022, and this out-of-band update actually matters. The patch bundles the April cumulative release with a servicing stack fix and targets a nasty domain controller crash that leaves authentication dead in the water. Admins managing multi-domain forests need to get this installed before LSASS decides to take an unscheduled vacation.
Why the KB5091575 Windows Server 2022 Domain Controller Fix Matters
The real reason to care about this release is how it handles Privileged Access Management forests. When a domain controller runs PAM, the previous April update left LSASS hanging after a reboot. That means repeated restart loops and a complete authentication blackout across the forest. This exact scenario plays out frequently during maintenance windows when admins assume a standard patch will behave normally. The directory services simply refuse to come back online until the underlying security subsystem stabilizes. Microsoft patched the root cause here, so the local security authority stops choking on its own startup sequence.
Servicing Stack and Update Delivery Mechanics
Every Windows Server release eventually bundles a servicing stack update with the cumulative package. This build ships as OS version 20348.5021, which means the component store gets refreshed alongside the actual feature fixes. The combined approach cuts down on Patch Tuesday dependency chains that usually break third-party backup agents or trigger driver conflicts. Systems already running older patches will only pull the new files instead of reinstalling everything from scratch. That saves bandwidth and keeps deployment scripts from timing out during off-hours.
WSUS Sync Reporting Quirk
There is a known side effect that affects enterprise management consoles. Windows Server Update Services stops showing detailed synchronization error messages after this update installs. Microsoft disabled the verbose logging temporarily to close CVE-2025-59287, which was a remote code execution flaw in the WSUS reporting pipeline. The trade-off is straightforward. Admins will still see sync failures but must dig into server event logs or use PowerShell cmdlets to pull the actual error codes. It is annoying for dashboards that rely on automated parsing, but keeping a remote exploit closed outweighs the lost visibility.
April 19, 2026—KB5091575 (OS Build 20348.5024) Out-of-band - Microsoft Support
Keep an eye on the release health dashboard if deployment scripts start throwing unexpected exit codes. The patch does exactly what it promises and leaves the directory services breathing easier. Roll it out during a maintenance window and verify LSASS stability before touching anything else.
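One way to carry out that post-reboot verification on a domain controller, as an added example that is not from the original article or from Microsoft. The 24-hour lookback window, the choice of event IDs and services, and the presence of the ActiveDirectory module on the DC are assumptions; compare the reported build with the one listed in the Microsoft Support article.

```powershell
# Added example: post-reboot health check for a Windows Server 2022 DC.
# Run elevated on the domain controller. Read-only; changes nothing.
$Kb       = 'KB5091575'               # update ID from the article
$Since    = (Get-Date).AddHours(-24)  # assumption: 24-hour lookback window
$Services = 'NTDS', 'Netlogon', 'Kdc' # AD DS, Netlogon, Kerberos KDC

# Is the update registered, and which build does the OS report?
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
$cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Is the PAM optional feature enabled in this forest (the affected scenario)?
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'" -ErrorAction SilentlyContinue

# System event 6005 is written each time the Event Log service starts, so
# several of them inside the window indicate repeated restarts.
$boots = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005; StartTime = $Since } -ErrorAction SilentlyContinue)

# LSASS failures: Wininit 1015 (critical system process failed) in System,
# Application Error 1000 in Application. Keep only events naming lsass.exe.
$lsass = @(
    @{ LogName = 'System';      Id = 1015; StartTime = $Since },
    @{ LogName = 'Application'; Id = 1000; StartTime = $Since } |
        ForEach-Object { Get-WinEvent -FilterHashtable $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.Message -match 'lsass\.exe' } |
        Sort-Object TimeCreated
)

# Directory services that should be running once LSASS has settled.
$stopped = @(Get-Service -Name $Services -ErrorAction SilentlyContinue |
    Where-Object Status -ne 'Running')

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    KbInstalled     = [bool]$hotfix
    OsBuild         = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
    PamEnabled      = [bool]($pam -and $pam.EnabledScopes.Count -gt 0)
    LastBoot        = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    BootsInWindow   = $boots.Count
    LsassFailures   = $lsass.Count
    LastLsassFail   = if ($lsass) { $lsass[-1].TimeCreated } else { $null }
    StoppedServices = $stopped.Name -join ', '
}
```

A stable controller shows `KbInstalled` true, a `LastBoot` that is later than `LastLsassFail`, and an empty `StoppedServices`; rerun it after an interval to confirm `BootsInWindow` is not climbing.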
