Microsoft has confirmed that the Windows 11 security update KB5089549, released for versions 24H2 and 25H2, fails during installation on devices with critically low space on the EFI System Partition (ESP). The acknowledgment came on May 15, 2026, and the installer throws error 0x800f0922.
This update is part of Microsoft's regular security patching cycle, addressing vulnerabilities that could allow elevation of privilege or remote code execution. The failure to install leaves systems exposed to those flaws, making this more than a minor inconvenience. But the deeper concern is what the blockage reveals about system partitioning and the delicate interplay between secure boot mechanisms, drive encryption, and update processes.
Understanding the EFI System Partition Bottleneck
The EFI System Partition is a small, hidden section of a PC's storage drive—typically 100 MB to 500 MB—established when Windows is installed on a UEFI-based system. It stores boot loaders, device drivers, and the critical boot configuration data that starts Windows. More importantly for today's security landscape, it holds the Secure Boot database and, when BitLocker is active, the encrypted keys required to unlock the system drive on startup.
When the ESP runs out of free space, the update engine cannot stage the necessary files for the servicing stack. The 0x800f0922 error specifically indicates "Windows Update encountered an unknown error," but in this context, it translates to "the partition required for boot-critical changes is full." Microsoft's acknowledgment confirms that the failure is not a bug in the update payload itself, but rather a consequence of insufficient capacity on the target partition.
Why KB5089549 Collides with EFI Space
Security updates for Windows 11 often include updates to boot components. KB5089549 likely touches Secure Boot policies, early-launch antimalware modules, or BitLocker integrity functions—all of which reside in the ESP. To apply the update, Windows must replace or update existing files in that partition. If the available free space is less than what the update requires (even temporarily), the installer throws the error and rolls back.
Many users are only now encountering this because previous updates squeezed by with minimal overhead. As the EFI partition becomes cluttered over years of updates, recovery tools, and OEM customizations, the margin disappears. Devices with a 100 MB ESP are especially vulnerable; Microsoft's default for new installations is 100 MB, a figure that now appears tight.
Secure Boot and BitLocker at Risk
Secure Boot relies on the ESP to store its authorization databases—the db (allowed signatures), dbx (revoked signatures), and keys. When an update modifies these databases to block vulnerable bootloaders, it must write to the ESP. Failure to do so leaves the Secure Boot configuration stale, potentially allowing bootkits that the update was designed to defeat.
BitLocker is equally impacted. For systems using TPM-based disk encryption, the ESP stores the boot files that unlock the drive. If the update cannot update those components, a subsequent attempt to modify the encryption metadata may fail, or worse, the system could enter a recovery loop. There are no widespread reports of actual drive lockouts from this specific error, but the risk is notable—especially if a user later attempts to repair the installation and the recovery environment cannot locate valid BitLocker keys.
Who Is Affected and How to Check
The issue does not affect all Windows 11 devices. It strikes those where the ESP has less than roughly 15–20 MB of free space at the time the update is attempted. PCs cloned from smaller drives, older upgrades from Windows 10 where the ESP was manually resized, and systems with multiple EFI files from dual-boot configurations are prime candidates.
To check your EFI partition size and free space, you can use the Disk Management console or PowerShell:
Get-Partition | Where-Object { $_.GptType -eq '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}' } | Get-Volume | Select-Object FileSystem, Size, SizeRemaining
If the partition is less than 100 MB and nearly full, you are in the danger zone. Microsoft's acknowledgment notes that this is a known compatibility issue, and they are investigating potential mitigations.
Workarounds and Limitations
There is no official one-click fix yet. The most direct workaround—resizing the EFI partition—requires third-party tooling and carries significant risk. The process typically involves:
- Shrinking the adjacent main OS partition to create unallocated space.
- Using a partition manager (such as GParted from a live USB) to extend the ESP into that space.
- Ensuring the partition remains formatted as FAT32 and correctly typed.
This is not a procedure Microsoft recommends for average users, and an error can render the system unbootable. Furthermore, BitLocker protections must be suspended or the drive decrypted beforehand, which compromises data security temporarily.
A safer, though temporary, approach is to hide the update using the Windows Update troubleshooter or the Show/Hide tool until Microsoft releases a revised update or an automated fix. The downside is leaving known vulnerabilities unpatched, which is particularly dangerous if any of the CVEs addressed are under active exploit.
For managed environments, IT admins can deploy scripts to detect devices with low ESP space and either expand the partition proactively or delay the update. Microsoft's endpoint management tools—Intune, ConfigMgr—can assist in reporting, but the actual partition resize remains a hands-on task.
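A detection script of the kind described above, as an added example (not from Microsoft or the original article). The 20 MB threshold comes from the article's risk group; the function name and the exit-code convention (1 flags the device, as Intune Remediations detection scripts expect) are assumptions.

```powershell
# Added example: flag devices whose EFI System Partition (ESP) is low on free space.
# Read-only: it does not mount, resize or modify the partition.
$EspGptType  = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'  # GPT partition type GUID of the ESP
$ThresholdMB = 20                                        # from the article's "under 20 MB" risk group

function Get-EspFreeSpace {
    # The ESP normally has no drive letter, so locate it by GPT type
    # and resolve its volume from the partition object.
    foreach ($part in (Get-Partition | Where-Object { $_.GptType -eq $EspGptType })) {
        $vol = $part | Get-Volume -ErrorAction SilentlyContinue
        if (-not $vol) { continue }
        [pscustomobject]@{
            DiskNumber      = $part.DiskNumber
            PartitionNumber = $part.PartitionNumber
            FileSystem      = $vol.FileSystem
            SizeMB          = [math]::Round($vol.Size / 1MB, 1)
            FreeMB          = [math]::Round($vol.SizeRemaining / 1MB, 1)
        }
    }
}

$esp = @(Get-EspFreeSpace)
if ($esp.Count -eq 0) {
    # Legacy BIOS/MBR boot, or the script lacks the rights to enumerate partitions.
    Write-Output 'No EFI System Partition found.'
    exit 0
}

$low = @($esp | Where-Object { $_.FreeMB -lt $ThresholdMB })
foreach ($e in $esp) {
    $state = if ($e.FreeMB -lt $ThresholdMB) { 'LOW' } else { 'OK' }
    Write-Output ('Disk {0} partition {1} ({2}): {3} MB total, {4} MB free, {5}' -f `
        $e.DiskNumber, $e.PartitionNumber, $e.FileSystem, $e.SizeMB, $e.FreeMB, $state)
}

# Exit 1 when any ESP is below the threshold so the management tool can
# report the device or hold back the update; exit 0 otherwise.
if ($low.Count -gt 0) { exit 1 }
exit 0
```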
Microsoft's Response and Outlook
Microsoft's statement on May 15, 2026, acknowledged the problem and said engineers are working on a resolution. The company did not commit to a timeline but indicated that a future servicing stack update or a revised version of KB5089549 might include a dynamic check that bypasses the ESP write when space is insufficient, falling back to a non-boot-related component update.
In the interim, the update remains available for manual download via the Microsoft Update Catalog, though the same error will occur if the ESP is full. Some users have reported success by temporarily moving non-essential EFI files (such as OEM recovery tools or duplicate boot entries) to a backup location, but this too is unsupported and can break system recovery.
The incident highlights a growing pain point in Windows' architecture. As security increasingly depends on boot-time integrity checks, the humble EFI partition—originally sized for a minimalist boot loader—is being asked to host a growing payload. Microsoft may need to reconsider the default 100 MB allocation for modern installations or provide official, safe resizing tools.
Practical Steps for Windows Enthusiasts
If you're running Windows 11 24H2 or 25H2 and see KB5089549 repeatedly failing with 0x800f0922, do not ignore it. Here's a step-by-step action plan:
- Assess your ESP: Check free space. If it's under 20 MB, you are in the risk group.
- Back up your BitLocker recovery key: Go to Control Panel > BitLocker Drive Encryption and save the 48-digit recovery key to a safe location (Microsoft account, file, or print).
- Delay the update: Use the Windows Update Show/Hide tool (wushowhide.diagcab) to hide KB5089549 temporarily. This prevents repeated installation attempts that could leave the system in a half-updated state.
- Consider a partition resize—carefully: If you're experienced, boot from a live Linux USB, use GParted to shrink the Windows partition by 100–200 MB, then expand the ESP. Reboot and run bcdedit /export to ensure boot configuration integrity. This should be a last resort.
- Watch for official fix: Monitor the Windows release health dashboard for KB5089549. Microsoft typically posts resolutions there.
Community discussions echo the frustration. In the Windows Forum thread, users report that the error appears midway through the update, with some systems rolling back and others getting stuck in an "undoing changes" loop. A few note that after the failure, BitLocker prompted for the recovery key on subsequent boots, confirming the update's interaction with encryption keys.
The Bigger Picture: Partitioning in the Secure Boot Era
This is not the first time EFI partition space has caused update failures. Windows 10 April 2018 Update had similar issues, and Microsoft later increased the recommended ESP size for new OEM systems. But with Windows 11's heightened security baseline—enforcing TPM 2.0 and Secure Boot by default—the partition's role has expanded. It now stores not just the boot manager but also the Windows Recovery Environment (WinRE) in many configurations, plus BitLocker's external key protector files.
As updates add new Secure Boot certificate revocations (like the recent BlackLotus bootkit response), the revocation list in the dbx grows. Each entry consumes space. Over time, a 100 MB ESP can fill up with accumulated updates, OEM customizations, and language-specific boot resources.
Microsoft's ideal path forward would be an automated ESP repair tool that runs before updates, offloading unnecessary files and expanding the partition when adjacent space exists. Until then, savvy users are doing it manually, and casual users are stuck with failed updates and exposed security.
The KB5089549 saga is a reminder that even routine security patches can expose systemic design limits. It underscores the need for flexible, scalable system partitions in an era where firmware-level threats are on the rise. For now, the ball is in Microsoft's court to deliver a no-touch resolution.