Windows 11 KB5089549 Install Failures Complicate Microsoft Defender Security Patches
Microsoft confirmed that the Windows 11 security update KB5089549 can fail to install on systems running versions 24H2 and 25H2 when the EFI System Partition has 10 MB or less of free space. Affected devices typically stop during reboot at about 35–36% completion, return error 0x800f0922, and roll back the update. Microsoft has issued a Known Issue Rollback for consumer and unmanaged business devices, while enterprise administrators must use a Group Policy workaround; for persistent cases, the company also published a registry-based mitigation to reduce reserved EFI servicing padding. The same update also addresses a separate problem that had pushed some Windows 11 devices into BitLocker recovery after earlier 2026 updates.
The installation issue is significant because Microsoft’s May security advisories also included multiple Microsoft Defender vulnerabilities, with CVE-2026-41091 and CVE-2026-45498 added by CISA to the Known Exploited Vulnerabilities catalog, signaling active exploitation risk. Additional Defender flaws tracked as CVE-2026-45584 and related advisories were also published by Microsoft and echoed by national cybersecurity agencies, including Canada’s Cyber Centre and HKCERT, which urged organizations to review the bulletins and apply updates. Microsoft said it is developing a permanent fix for the Windows 11 update failure in a future release.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
HKCERT publishes bulletin on multiple Microsoft Defender vulnerabilities
HKCERT published a security bulletin covering multiple Microsoft Defender vulnerabilities. The bulletin followed Microsoft's May security advisories and reflected broader CERT dissemination of the Defender issues.
Canadian Centre for Cyber Security issues Microsoft advisory notice
The Canadian Centre for Cyber Security published advisory AV26-489 summarizing Microsoft advisories from May 18 and 19 across multiple products, including Microsoft Defender. It urged users and administrators to review the advisories and apply updates, noting that some of the vulnerabilities were critical.
CISA adds two Microsoft Defender flaws to KEV catalog
CISA added CVE-2026-41091 and CVE-2026-45498 to the Known Exploited Vulnerabilities catalog, signaling active exploitation concerns for the Microsoft Defender flaws. The addition was highlighted by the Canadian Centre for Cyber Security the same day.
Microsoft deploys mitigations for KB5089549 installation issue
Microsoft said it was working on a permanent fix for the KB5089549 installation problem and deployed Known Issue Rollback for consumer and unmanaged business devices. For managed environments, it provided a Group Policy workaround, and later guidance also referenced a registry-based workaround to reduce reserved EFI padding during servicing.
Microsoft confirms KB5089549 install failures on low-ESP Windows 11 systems
Microsoft confirmed that the May 2026 Windows 11 security update KB5089549 can fail to install on Windows 11 24H2 and 25H2 devices when the EFI System Partition has 10 MB or less free space. Affected systems typically fail during reboot around 35–36% completion, return error 0x800f0922, and roll back the update.
Microsoft publishes Defender vulnerability advisories
Microsoft released Security Update Guide entries for CVE-2026-41091, CVE-2026-45498, and CVE-2026-45584 affecting Microsoft Defender. The referenced issues included elevation of privilege, denial of service, and remote code execution vulnerabilities.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Microsoft Defender Multiple Vulnerabilities
hkcert.org
Open sourceMicrosoft Confirms Windows 11 May Update KB5089549 Fails With Error 0x800f0922 on Devices With Limited EFI Partition Space - gHacks Tech News
ghacks.net
Open sourceMicrosoft security advisory (AV26-489) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceCVE-2026-45498 - Security Update Guide - Microsoft - Microsoft Defender Denial of Service Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-41091 - Security Update Guide - Microsoft - Microsoft Defender Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-45584 - Security Update Guide - Microsoft - Microsoft Defender Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceWindows 11 update KB5089549 causes installation errors due to low EFI partition space | brief | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Windows 11 KB5089549 Install Bug Blocks Security Updates on Low-ESP Systems
Microsoft confirmed that the mandatory Windows 11 cumulative update **KB5089549** is failing on some devices, leaving them without the latest security fixes. The installation issue is primarily affecting systems with nearly full **EFI System Partitions (ESP)**—especially those with about **10 MB or less** of free space—and commonly triggers errors including `0x800f0922`, `0x80240069`, and `0x80240031`. Affected machines often stall at roughly **35–36%** during restart, then roll back the update instead of completing installation. Microsoft said it deployed a server-side **Known Issue Rollback (KIR)** to mitigate the problem for consumer and unmanaged business devices, with the fix expected to apply automatically after a restart. The company also advised users to reboot and retry the update, while enterprise administrators were told to use a **Group Policy** mitigation for managed environments. Reports also noted that some impacted systems experienced boot issues or degraded performance, adding to broader concerns over recent Windows update reliability problems.
Jun 9, 2026
Microsoft Fixes Windows 11 Update Failures Caused by Small EFI Partitions
Microsoft released Windows 11 cumulative update **KB5089573** to permanently fix an installation bug introduced by **KB5089549** that caused some systems running versions **24H2** and **25H2** to fail during reboot. Affected devices typically stalled at about **35–36%** completion, rolled back the update, and returned error `0x800f0922`, with logs indicating insufficient free space in the **EFI System Partition (ESP)**. Microsoft had already applied a Known Issue Rollback and provided a registry-based workaround for enterprise administrators before issuing the permanent fix. The update raises Windows 11 builds to **26100.8524** and **26200.8524**, includes servicing stack and AI component updates, and is available through **Windows Update**, **Microsoft Update Catalog**, **Windows Update for Business**, and **WSUS**. Microsoft said no known issues were identified at release and indicated that the fix will also be included in subsequent cumulative updates, reducing the need for users and administrators to manually resize the ESP or remove security updates.
Jun 2, 2026
Windows 11 KB5094126 Triggers Boot Failures, BitLocker Recovery, and Explorer Sync Breakage
Microsoft’s Windows 11 cumulative update `KB5094126` is causing serious post-installation failures on some systems after its release with roughly 200 security fixes, including 33 critical flaws and five zero-days. Users reported freezes shortly after boot, black screens, boot loops, BSODs, and repeated BitLocker recovery prompts, including on devices where BitLocker was believed to be disabled. Reports indicate the problems are hitting some HP models particularly hard, with Secure Boot certificate changes and interactions with BIOS/UEFI settings and undersized or crowded EFI partitions emerging as likely factors. The update is also disrupting enterprise and productivity workflows by breaking File Explorer integration for OneDrive and, in some cases, Dropbox and iCloud Drive, while some affected machines reportedly lose LAN access even though internet connectivity remains available. Administrators and users have resorted to Windows Recovery Environment to remove the patch, and some systems reportedly required full Windows reinstalls after recovery complications. A widely shared workaround has been to temporarily disable Secure Boot, complete boot and update recovery, then re-enable Secure Boot after updating BIOS/UEFI firmware, though Microsoft had not formally acknowledged the full scope of the issues in the update documentation at the time of reporting.
Jun 20, 2026