Microsoft Fixes KB5089549 Windows 11 Install Failures

Quick take: Microsoft has resolved a known issue that was preventing the May 2026 Windows 11 security update ( KB5089549 ) from installing on some devices and triggering 0x800f0922 error codes .

Microsoft has resolved a known issue that was preventing the May 2026 Windows 11 security update (KB5089549) from installing on some devices and triggering 0x800f0922 error codes. The fix is now available through Windows Update and the Microsoft Update Catalog. For IT administrators managing Windows 11 fleets, this update is not optional — it contains the patch for the actively exploited Netlogon RCE vulnerability (CVE-2026-41089), critical Secure Boot certificate rotation ahead of a June 2026 deadline, and a fix for a BitLocker recovery regression introduced in April 2026.

Root Cause of the Installation Failure

The 0x800f0922 error and automatic rollback were caused by insufficient free space on the EFI System Partition (ESP). The ESP is a dedicated partition on UEFI-based systems storing the bootloader, Secure Boot certificates, and firmware-level components needed to start Windows.

The issue specifically affected devices with 10 MB or less of free space on the ESP. KB5089549 requires additional space to deploy updated Secure Boot certificates and boot servicing files. On affected devices, installation proceeded normally but failed at approximately 35–36% completion during the reboot phase, rolling back all changes automatically.

What Affected Users Saw

Windows Update begins installing KB5089549 — appears to progress normally
Device reboots to complete installation
Installation fails at approximately 35% during the boot phase
System displays: "Something didn't go as planned. Undoing changes."
Device reboots again, restoring the pre-update state
Event logs show "SpaceCheck" and "ServicingBootFiles failed" entries

Why KB5089549 Is Critical — Three Converging Issues

1. Secure Boot Certificate Rotation — June 2026 Deadline

Secure Boot certificates used by most Windows devices are set to expire starting June 2026. These certificates are the cryptographic root of trust for the Windows boot chain — if they expire without renewal, devices may be unable to boot securely. KB5089549 includes improved targeting logic that automatically updates eligible devices' Secure Boot certificates through a phased rollout. A new SecureBoot folder at C:\Windows now provides automation scripts for IT administrators managing enterprise environments through Active Directory.

Devices that fail to install KB5089549 miss this update window entirely. Microsoft's guidance: "We recommend reviewing the guidance and taking action to update certificates in advance to avoid disruption."

2. BitLocker Recovery Regression Fixed

The April 2026 security updates introduced a regression causing some Windows 11 devices to enter BitLocker Recovery mode after boot file updates — particularly on devices with specific TPM validation settings or invalid PCR7 configurations. This forced users to enter their 48-digit recovery key to regain drive access, creating significant enterprise support desk burden. KB5089549 fixes the root cause of this regression, improving boot reliability after future updates.

3. Critical Security Patches Including Actively Exploited CVEs

CVE-2026-41089 (CVSS 9.8) — Windows Netlogon RCE
Stack-based buffer overflow enabling unauthenticated SYSTEM-level code execution on domain controllers. Now actively exploited in the wild. This alone makes KB5089549 an emergency patch for any environment running Windows Server domain controllers.

KB5089549 — Key Details

Release date
May 12, 2026

Applies to
Windows 11 25H2 and 24H2

OS build (25H2)
26200.8457

OS build (24H2)
26100.8457

CVEs addressed
120+ including 16 critical

Includes SSU
KB5092762 (Servicing Stack Update)

How to Resolve the Installation Failure

For home users: Go to Settings → Windows Update → Check for Updates and retry. The updated servicing logic now correctly manages ESP space for most affected devices.

For enterprise IT administrators:

Option A — Windows Update retry (recommended): Trigger a Windows Update scan cycle on affected devices. Monitor for devices that fail again — these likely need Option B.
Option B — Manual ESP expansion: For critically full ESP partitions (under 10 MB free), use Windows Recovery Environment tools to safely resize adjacent partitions and expand the ESP. Follow Microsoft's support documentation for step-by-step guidance.

Verify Successful Installation

Open Settings → System → About. Confirm:

Windows 11 24H2 should show OS Build 26100.8457
Windows 11 25H2 should show OS Build 26200.8457

PowerShell fleet verification:

Get-HotFix -Id KB5089549 | Select-Object -Property InstalledOn, InstalledBy

Additional Issues Fixed by Microsoft in May 2026

Windows Autopatch EU driver bug: Policy error caused restricted driver updates to be deployed on Autopatch-managed devices in the European Union. Resolved.
Third-party backup application failures: April 2026 updates introduced a vulnerable driver causing installation failures in Veeam, Acronis, and other backup agents. Fixed.
SSDP notification reliability: Improved Simple Service Discovery Protocol notifications, preventing connectivity-related service failures in network discovery scenarios.

Enterprise Deployment Priority

System Type	Recommended Patch Timeline	Reason
Domain Controllers	Immediate	CVE-2026-41089 actively exploited
Internet-facing servers	24–48 hours	Highest external attack surface
Internal servers	7 days	Critical patch; test then deploy
Managed workstations	30 days	Standard patch cycle; monitor for ESP issues

Managed IT & Windows Support · Riyadh, Saudi Arabia

Windows patch management you can rely on

LearnWithIrfan provides managed Windows Server support, patch management, Secure Boot configuration, and IT helpdesk services for businesses in Saudi Arabia. Monthly fixed-fee engagements — no surprise invoices, no per-incident billing, written SLA on every engagement.

Managed IT Services →Get a Free Quote

📍 Riyadh · 🌍 Remote worldwide · ⏰ 24h response · 📋 Written SLA

Final Thoughts

Microsoft Fixes KB5089549 Windows 11 Install Failures is worth reviewing with a practical lens: understand the risk or opportunity, map it to your environment, and take clear next steps instead of reacting to headlines.

FAQ: Microsoft Fixes KB5089549 Windows 11 Install Failures

What should you know about Root Cause of the Installation Failure?+

The 0x800f0922 error and automatic rollback were caused by insufficient free space on the EFI System Partition (ESP) . The ESP is a dedicated partition on UEFI-based systems storing the bootloader, Secure Boot certificates, and firmware-level components needed to start Windows.

How do you secure Boot Certificate Rotation — June 2026 Deadline?+

Secure Boot certificates used by most Windows devices are set to expire starting June 2026 . These certificates are the cryptographic root of trust for the Windows boot chain — if they expire without renewal, devices may be unable to boot securely.

What should you know about BitLocker Recovery Regression Fixed?+

The April 2026 security updates introduced a regression causing some Windows 11 devices to enter BitLocker Recovery mode after boot file updates — particularly on devices with specific TPM validation settings or invalid PCR7 configurations.

How to Resolve the Installation Failure?+

For home users: Go to Settings → Windows Update → Check for Updates and retry. The updated servicing logic now correctly manages ESP space for most affected devices.

Need help with infrastructure or security?

Work directly with Muhammad Irfan Aslam for Linux, cybersecurity, cloud, Docker, DevOps, CI/CD, or infrastructure support.

Hire Me for Support