Microsoft has officially confirmed a critical installation failure affecting its May 2026 Patch Tuesday cumulative update for Windows 11, designated KB5089549. Affected users are encountering error code 0x800f0922 during installation, with some systems additionally reporting errors 0x80240069 and 0x80240031. The known issue was formally acknowledged and added to the update’s change log on May 15, 2026 — three days after the patch’s initial release.
What Is KB5089549?
Released on May 12, 2026, KB5089549 is a mandatory cumulative update targeting Windows 11 versions 25H2 and 24H2, advancing operating system builds to 26200.8457 and 26100.8457 respectively. The update bundles the latest May 2026 security patches, non-security quality improvements from April’s optional preview release (KB5083631), and critical Secure Boot infrastructure changes. Because it is classified as a required security update, Windows attempts automatic installation — making the failure especially disruptive for affected devices.
Root Cause — EFI System Partition Too Small
Microsoft has confirmed that the root cause behind error 0x800f0922 is insufficient free space on the EFI System Partition (ESP). The ESP is a small, reserved partition on the system drive that stores critical boot files. KB5089549 introduces significant Secure Boot infrastructure changes, including a new SecureBoot folder created under C:\Windows on eligible devices, alongside sample automation scripts designed to help IT administrators manage certificate updates across enterprise environments. These additions expand the on-disk footprint written to the ESP during installation, triggering failures on systems where the partition lacks adequate free space.
Secure Boot Certificate Rollout
A central feature of this update is the phased rollout of new Secure Boot certificates. Microsoft is using high-confidence device targeting data to gradually increase coverage of eligible devices. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and safe deployment. Additionally, the update ships example scripts under the new SecureBoot directory, enabling IT professionals in Active Directory environments to automate Secure Boot certificate deployment through safe, staged rollout mechanisms.
Other Critical Fixes Bundled in This Update
Beyond the Secure Boot improvements, KB5089549 addresses several other significant issues. A BitLocker recovery loop bug is resolved — devices running April 2026’s KB5083769 could enter BitLocker Recovery after boot file updates, particularly on systems with invalid PCR7 TPM validation settings. Boot Manager reliability improvements ensure devices start normally after boot file updates without entering recovery mode. The Simple Service Discovery Protocol (SSDP) service also receives stability fixes to prevent it from becoming unresponsive. Additionally, Daylight Saving Time support is added for the 2023 change affecting the Arab Republic of Egypt.
Mitigations and Recommendations
Microsoft is actively rolling out a fix for affected devices. System administrators managing enterprise environments can leverage the new Secure Boot automation scripts — available after successfully installing the update — to monitor certificate update status and manage phased deployment via Active Directory. Organizations should monitor the Windows Release Health Dashboard for the latest remediation status and guidance. Users who have previously installed prior cumulative updates will only download incremental changes included in this package, potentially reducing the ESP space requirements on already-updated systems. Until a full fix is deployed, administrators should verify available ESP space on affected devices before attempting reinstallation.
