Windows Update Bug Blocks Security Patches on Windows 11 Devices with Low EFI Partition Space
What Happened – Microsoft disclosed that the cumulative update KB5089549 can fail with error 0x800f0922 on Windows 11 machines whose EFI system partition (ESP) does not have enough free space. The failed installation rolls back, so none of the security fixes bundled in the update take effect. Microsoft published work‑arounds and guidance for reclaiming ESP space.
Why It Matters for TPRM –
- Unpatched Windows 11 endpoints stay exposed to the vulnerabilities the update fixes, which raises third‑party risk for any organization whose vendors or service providers operate Windows 11 fleets.
- The issue is systemic; any vendor that ships Windows 11 devices with a small ESP may inherit the same exposure, affecting supply‑chain security assessments.
- Delayed remediation can cascade into compliance gaps (e.g., PCI‑DSS, HIPAA) for downstream customers.
Who Is Affected – Enterprises across all sectors that deploy Windows 11 desktops/laptops, especially OEM‑configured devices with limited EFI partition size; Managed Service Providers (MSPs) that manage Windows fleets.
Recommended Actions –
- Inventory ESP size and free space on all Windows 11 assets; flag any partition smaller than 100 MB, and any partition that is short on free space regardless of its size, since free space is what the update actually needs.
- Apply Microsoft’s published ESP‑cleanup scripts, or manually expand the partition, before the next update cycle.
- Verify that critical security updates (e.g., CVE‑2025‑XXXX patches) are successfully applied post‑remediation, and confirm that no further 0x800f0922 failures are logged.
- Update third‑party risk questionnaires to reflect the temporary inability to apply patches.
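The following PowerShell is an added example for the inventory and verification steps above. It is not Microsoft’s cleanup script and does not come from the TechRepublic article. It mounts the ESP on a free drive letter, reports total and free space plus the largest directories (so an operator can decide what to reclaim), then checks whether the KB is installed and whether the Windows Update client has logged the 0x800f0922 failure. The 15 MB free‑space threshold and the helper names are assumptions; only the KB number and error code come from the page. Run it elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's ESP-cleanup script. KB and error code are from the advisory;
# the free-space threshold (15 MB) is an assumed value; tune it for your fleet.
$KbId      = 'KB5089549'
$ErrorCode = '0x800f0922'
$MinFreeMB = 15

function Get-EspReport {
    # GPT partition type GUID of the EFI System Partition
    $espGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
    $esp = Get-Partition | Where-Object { $_.GptType -eq $espGuid } | Select-Object -First 1
    if (-not $esp) { throw 'No EFI System Partition found (legacy BIOS/MBR disk?)' }

    # Pick an unused drive letter (Z: downwards) and mount the ESP on it
    $letter = [char[]](90..68) | ForEach-Object { "$($_):" } |
              Where-Object { -not (Test-Path $_) } | Select-Object -First 1
    mountvol $letter /S | Out-Null
    try {
        $drive   = New-Object System.IO.DriveInfo("$letter\")
        $freeMB  = [math]::Round($drive.AvailableFreeSpace / 1MB, 1)
        $totalMB = [math]::Round($drive.TotalSize / 1MB, 1)

        # Largest directories on the ESP, read-only: this lists, it never deletes
        $top = Get-ChildItem "$letter\" -Directory -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sum = (Get-ChildItem $_.FullName -File -Recurse -ErrorAction SilentlyContinue |
                        Measure-Object Length -Sum).Sum
                [pscustomobject]@{ Path = $_.FullName; MB = [math]::Round($sum / 1MB, 1) }
            } | Sort-Object MB -Descending | Select-Object -First 5
    } finally {
        mountvol $letter /D | Out-Null   # always unmount, even if listing failed
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        EspTotalMB   = $totalMB
        EspFreeMB    = $freeMB
        SmallEsp     = ($totalMB -lt 100)        # the "< 100 MB" flag from the action list
        LowFreeSpace = ($freeMB -lt $MinFreeMB)  # assumed threshold
        TopConsumers = $top
    }
}

function Test-KbInstalled {
    param([string]$Id = $KbId)
    # Get-HotFix reads Win32_QuickFixEngineering; the LCU shows up here once it is committed
    $hotfix = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    # Event 20 in the Windows Update client log is "Installation Failure"; filter on the ESP error code
    $failures = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'; Id = 20
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match [regex]::Escape($ErrorCode) }

    [pscustomobject]@{
        KB             = $Id
        Installed      = [bool]$hotfix
        InstalledOn    = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        EspErrorEvents = @($failures).Count
    }
}

$report = Get-EspReport
$report | Select-Object ComputerName, EspTotalMB, EspFreeMB, SmallEsp, LowFreeSpace | Format-List
$report.TopConsumers | Format-Table -AutoSize
Test-KbInstalled | Format-List
```

Export the two objects to CSV from each endpoint and aggregate them in your fleet‑management tool; a device with `LowFreeSpace` true and `EspErrorEvents` greater than zero is the population that needs cleanup or partition expansion before the next cycle. The ESP is the boot partition, so keep the listing read‑only and apply only Microsoft’s published cleanup steps when deleting anything from it.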
Technical Notes – The failure originates in Windows servicing: the update stages updated boot files on the EFI system partition, and when the partition lacks sufficient free space the write fails, the installation rolls back, and Windows Update reports 0x800f0922. No CVE is associated with the failure itself; the issue is a regression in the update package (KB5089549). Affected data types are limited to system binaries; no data exfiltration reported. Source: TechRepublic Security