KB5091157: Windows Server 2025 April 19 2026 Out-of-Band Update (OS Build 26100.32698)
Non-security out-of-band cumulative update for Windows Server 2025 fixing a domain controller LSASS crash affecting PAM in multi-domain forests. Released April 19, 2026.
Summary
KB5091157 is a non-security, out-of-band (OOB) cumulative update for Windows Server 2025, released on April 19, 2026. It brings quality improvements carried forward from KB5082063 (the April 14, 2026 Patch Tuesday release) and resolves a critical Active Directory startup failure affecting domain controllers in multi-domain forests. The resulting OS build is 26100.32698. Source: Microsoft Support.
Highlights
- Fixed a domain controller startup failure caused by LSASS stopping to respond on servers in multi-domain forests that use Privileged Access Management (PAM), introduced by the April 2026 security update.
Improvements and fixes
- [Active Directory] After installing the April 2026 Windows security update and restarting, domain controllers in multi-domain forest environments that use Privileged Access Management (PAM) could experience startup problems. In some cases, the Local Security Authority Subsystem Service (LSASS) would stop responding, causing the server to restart repeatedly. This update resolves that condition.
Known issues
Microsoft lists no known issues for this update at the time of writing.
How to get this update
This out-of-band update is not delivered automatically through Windows Update as a standard update. Administrators can obtain KB5091157 through the following channels:
- Microsoft Update Catalog - Search for KB5091157 and download the package for manual deployment.
- Windows Server Update Services (WSUS) - The update can be imported from the Microsoft Update Catalog into WSUS for managed distribution.
Note for hotpatch-enrolled devices: Windows Server 2025 devices enrolled in hotpatching can install KB5091157 to receive the same protections as KB5082063. However, installing this update requires a full restart and will pause hotpatching. Hotpatch updates will resume after the July 2026 baseline update. If your device is enrolled in hotpatching and you prefer to avoid a restart, install the OOB hotpatch update KB5091470 instead.
Frequently asked questions
Is this a security update or an optional quality update?
This is a non-security, out-of-band cumulative update. It is not a standard Patch Tuesday security release. Microsoft pushed it outside the regular monthly cadence specifically to resolve a critical Active Directory/LSASS startup failure that was introduced by the April 14, 2026 security update (KB5082063). It carries forward all quality improvements from that release.
Is a restart required after installing KB5091157?
Yes, a restart is required. This is particularly important to note for administrators running hotpatch-enrolled Windows Server 2025 devices - installing this OOB update will pause hotpatching on those systems. Hotpatch updates will not resume until after the July 2026 baseline update is installed.
How can this update be uninstalled if needed?
Microsoft does not document a specific uninstall procedure on this page beyond the standard Windows cumulative update removal process. Administrators can use the standard method: open Settings, go to Windows Update, select Update history, then Uninstall updates, and locate KB5091157. Alternatively, use DISM or the wusa.exe /uninstall command from an elevated prompt.
What OS build number results from installing this update?
After a successful installation and restart, the OS build for Windows Server 2025 will be 26100.32698. You can confirm this by running winver or checking Settings > System > About after the restart completes.
