Microsoft has acknowledged a new known issue affecting Windows Server 2016 systems following the installation of the May 2026 Patch Tuesday security update. Systems that have applied KB5087537 may experience failures in domain controller (DC) lookup operations, potentially impacting Active Directory authentication and network service availability in enterprise environments.
What Is Happening
After applying KB5087537 — part of Microsoft's May 2026 cumulative update rollout for Windows Server 2016 — some servers are failing to locate domain controllers during standard lookup operations. This manifests as authentication failures, Group Policy processing errors, and service connectivity issues that depend on Active Directory domain services.
Domain controller lookup is a fundamental operation in Windows domain environments. When DC resolution fails, a wide range of downstream services can be affected, including:
- User login and authentication on domain-joined machines
- Group Policy application for security settings and configurations
- Kerberos ticket granting and service authentication
- LDAP queries from applications and services
- DNS-dependent service discovery in AD-integrated environments
The issue appears to affect Windows Server 2016 systems specifically. Other Windows Server versions — including Windows Server 2019, 2022, and the newer Windows Server 2025 — have not been reported as affected by this specific regression.
How to Check If You Are Affected
Administrators can look for the following symptoms to determine if their environment is experiencing this issue:
- Event log entries with errors related to Netlogon service or DC discovery failures
- Authentication errors appearing after the KB5087537 update was applied
- Group Policy errors in the %SystemRoot%\debug\UserMode\gpscript.log
- Applications reporting LDAP connectivity issues following the May update
The issue is confirmed to be triggered specifically by the installation of KB5087537 on Windows Server 2016. Checking the installed update history in Windows Update can confirm whether this patch is present.
Workaround
Microsoft has acknowledged the issue and is working on a permanent fix to be delivered through a future update. In the meantime, organizations experiencing the problem have the following options:
Option 1: Uninstall KB5087537
Administrators can remove the problematic update via the Windows Update settings or through the command line using:
wusa /uninstall /kb:5087537
This will restore previous behavior but leaves systems without the May 2026 security fixes. Organizations should weigh this against their threat exposure.
Option 2: Apply Known Mitigation
Microsoft may publish a Known Issue Rollback (KIR) Group Policy or registry-based workaround that allows the update to remain installed while disabling the code path causing the regression. Check the official Windows health dashboard for the latest guidance.
Security Patch Context
KB5087537 is a cumulative security update that bundles multiple vulnerability fixes for Windows Server 2016. Removing it to work around this DC lookup issue means deferring those security patches until the issue is resolved in a subsequent release.
Administrators should review the security content of KB5087537 — available in the Microsoft Security Update Guide — to understand the risk profile of running without these fixes. In environments with strong network segmentation and compensating controls, the temporary removal may be acceptable. In internet-exposed or high-risk environments, the decision requires more careful consideration.
Recommendations for Administrators
- Audit your environment — Identify all Windows Server 2016 systems in your Active Directory infrastructure
- Check update deployment status — Determine whether KB5087537 has been applied across your server fleet
- Test before wide deployment — If the update has not yet been broadly deployed, hold it on Windows Server 2016 systems until Microsoft resolves the issue
- Monitor event logs — On systems that already have the update, watch for Netlogon and Kerberos errors
- Follow Microsoft's health dashboard — Updates on the fix timeline and any available KIR workarounds will be posted to the Windows release health dashboard
- Communicate with stakeholders — If your environment is affected, proactively notify IT operations and helpdesk staff about the potential for authentication issues
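The update check and event-log monitoring recommended above, together with the symptom checks under "How to Check If You Are Affected", can be combined into one PowerShell triage script. This is an added example, not code from Microsoft or the original article. The parameter names and the MatchesSymptoms heuristic are assumptions, and it assumes a domain-joined host on which Get-HotFix reports the cumulative update.

```powershell
# Added example: per-host triage for the DC lookup symptoms described above.
# Assumptions: domain-joined host; $LookbackDays and MatchesSymptoms are illustrative names.
param(
    [string]$KbId = 'KB5087537',
    [int]$LookbackDays = 14
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer2016 = $os.Caption -like '*Windows Server 2016*'

# Is the update present, and when was it installed?
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
$since = if ($hotfix -and $hotfix.InstalledOn) { $hotfix.InstalledOn }
         else { (Get-Date).AddDays(-$LookbackDays) }

# Exercise the DC locator directly, bypassing the cached result.
# nltest exits non-zero when no domain controller can be located.
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$nltestOutput = & nltest.exe "/dsgetdc:$domain" /force 2>&1
$dcLookupOk = ($LASTEXITCODE -eq 0)

# Netlogon errors (level 2) and warnings (level 3) logged since the update was installed.
$netlogonEvents = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Level        = 2, 3
    StartTime    = $since
} -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    IsServer2016       = $isServer2016
    KbInstalled        = [bool]$hotfix
    KbInstalledOn      = $hotfix.InstalledOn
    Domain             = $domain
    DcLookupSucceeded  = $dcLookupOk
    NetlogonErrorCount = $netlogonEvents.Count
    # Heuristic only: update present on Server 2016 plus at least one symptom.
    MatchesSymptoms    = ($isServer2016 -and [bool]$hotfix -and
                          (-not $dcLookupOk -or $netlogonEvents.Count -gt 0))
}

# Detail for triage: recent Netlogon entries, and nltest output if the lookup failed.
$netlogonEvents | Select-Object -First 10 TimeCreated, Id, LevelDisplayName, Message | Format-List
if (-not $dcLookupOk) { $nltestOutput }
```

Running it across the fleet (for example with Invoke-Command) gives a per-host record that separates servers that merely have the update from those that also show lookup failures.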
End of Life Considerations
It is worth noting that Windows Server 2016 reached mainstream support end-of-life in January 2022 and is currently in extended support, which runs through January 2027. Organizations still running Windows Server 2016 should have active plans to migrate to Windows Server 2022 or 2025 ahead of the extended support deadline.
While Microsoft continues to provide security updates under extended support, regression issues like this one serve as a reminder that older operating system versions may receive less rigorous pre-release quality assurance than current-generation releases.
Source: BleepingComputer