Microsoft has confirmed that the first Extended Security Update for consumer Windows 10 — the November ESU cumulative KB5068781 — can fail to install on some ESU‑licensed devices, with affected systems returning the installation error code 0x800f0922 (CBS_E_INSTALLERS_FAILED); the company says the failures are isolated to devices activated via Windows subscription activation through the Microsoft 365 admin center, and at the time of this report there is no permanent fix or universal workaround available for those machines.
Background / Overview
Microsoft moved Windows 10 into a constrained servicing posture after mainstream end‑of‑support, and offered an Extended Security Updates (ESU) pathway to provide a one‑year security bridge for eligible consumer devices and extended options for commercial customers. The first formal ESU cumulative update for eligible Windows 10 systems — released in the November update cycle — is packaged as KB5068781 (advancing ESU‑eligible 22H2 to OS Build 19045.6575, and 21H2 to the corresponding 19044.6575 build). That package was intended to accomplish a small set of goals:
- Remove an incorrectly displayed “Your version of Windows has reached the end of support” message on some ESU‑entitled builds.
- Include the security mitigations and servicing‑stack components needed to continue reliable ESU servicing.
- Deliver the November security hardenings for ESU‑entitled platforms.
What Microsoft confirmed (technical summary)
- The failure mode reportedly presents as an LCU/ESU installation that appears to apply, reboots the system, and then is rolled back with the error code 0x800f0922. Event and CBS logs may show CBS_E_INSTALLERS_FAILED as the underlying failure marker.
- Microsoft’s advisory states the symptom is isolated to devices activated using Windows subscription activation through the Microsoft 365 admin center — in other words, affected devices are those where subscription-style activation (management via the Microsoft 365 Admin Center) is the path to entitlement rather than older activation mechanisms.
- Microsoft has confirmed the problem is being investigated and has not provided a definitive ETA for a patch to resolve the failure for the affected activation scenario.
- Separately, Microsoft shipped an out‑of‑band update, KB5071959, to address a related but distinct issue: the ESU enrollment wizard failing on some consumer devices. That out‑of‑band package is intended to repair enrollment flows so eligible consumer devices can complete ESU enrollment and receive ESU cumulative updates.
Why this matters: security, compliance, and operational impact
Windows cumulative updates are the primary vehicle for distributing monthly security mitigations. For organizations that elected to purchase ESU entitlements or enroll eligible consumer devices, the ESU bridge is the only supported method to continue receiving security patches during the limited ESU window.
The risks introduced by a failing ESU cumulative are:
- Unpatched attack surface: devices that are licensed for ESU but cannot successfully apply the monthly security rollup remain vulnerable to CVEs addressed by the KB, which may include high‑severity or actively exploited vulnerabilities.
- Operational overhead: administrators must triage which machines are affected, identify activation method, coordinate with Microsoft support, and potentially pause update deployment rings while Microsoft resolves the issue.
- Compliance exposure: regulated environments that mandate prompt patching may fall out of compliance if ESU security rollups cannot be reliably applied.
- Management complexity: mixed activation scenarios (MAK, KMS, subscription activation) within a single estate can cause differential behavior, complicating automation and reporting tools (WSUS, SCCM/MECM, Intune).
How to identify affected devices (triage checklist)
Use the following steps to determine whether a given Windows 10 device is likely to be affected by the KB5068781 install failure.
- Confirm the Windows 10 build and ESU applicability.
  - Verify the system is an ESU‑eligible SKU (e.g., Windows 10 Home/Pro consumer on supported 21H2/22H2 with ESU enrollment, Enterprise LTSC 2021 scenarios where applicable).
  - Confirm OS Build matches expected ESU baseline: 19044.xxxx for 21H2 or 19045.xxxx for 22H2 and that KB5068781 is being offered for that build.
- Check activation method.
  - Identify how the device is activated: subscription activation via Microsoft 365 admin center, MAK (multiple activation key), KMS, or traditional retail/OEM activation.
  - The Microsoft advisory specifically calls out subscription activation through the Microsoft 365 admin center as the vector for affected machines; devices using other activation methods are less likely to see this specific failure.
- Verify ESU license status.
  - On a representative device, run an elevated command prompt and execute:
    - slmgr.vbs /dlv
  - The resulting dialog should show ESU Year‑1 (or equivalent) licensing and a “Licensed” status when the ESU product key or entitlement is correctly applied.
- Inspect update history and logs.
  - Check Settings → Update & Security → Windows Update → View update history for the rollback and error code.
  - Examine Windows event logs and CBS logs for CBS_E_INSTALLERS_FAILED entries and the 0x800f0922 code. Those indicators match Microsoft’s description of the failure.
- Confirm presence of relevant updates.
  - Verify whether KB5071959 (out‑of‑band enrollment fix) and the servicing‑stack update (SSU) that usually accompanies ESU servicing have been applied. Missing SSUs can cause unrelated failures, so validating SSU status is always good practice.
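The checklist above, collected into one per-device report. This is an added example, not Microsoft's tooling or code from the original article: the function names are hypothetical, the sample log lines are constructed, and matching "ESU" in the license name is an assumption about how the ESU add-on is labelled. The script reports each license's description for an administrator to classify; it does not decide on its own whether a device uses subscription activation.

```powershell
# Added triage example. Run from an elevated PowerShell prompt on the device.

function Find-EsuRollbackMarker {
    # Return the log lines carrying either failure marker named in the advisory.
    param([string[]]$Line)
    $Line | Where-Object { $_ -match '0x800f0922|CBS_E_INSTALLERS_FAILED' }
}

function Get-EsuTriageReport {
    param([string]$CbsLog = "$env:windir\Logs\CBS\CBS.log")

    # Build as CurrentBuild.UBR, e.g. 19045.6575 once KB5068781 is on 22H2.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Installed Windows licenses, the same data slmgr.vbs /dlv displays.
    # LicenseStatus 1 means Licensed; Description names the key channel.
    $licenses = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL' |
        Where-Object Name -like 'Windows*' |
        Select-Object Name, Description, LicenseStatus

    # Failure markers in the CBS log (skipped if the log is missing).
    $hits = @()
    if (Test-Path $CbsLog) { $hits = @(Find-EsuRollbackMarker (Get-Content $CbsLog)) }

    # The ESU cumulative and the out-of-band enrollment fix, if installed.
    $kbs = @(Get-HotFix -Id 'KB5068781', 'KB5071959' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID)

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Build          = ('{0}.{1}' -f $cv.CurrentBuild, $cv.UBR)
        Licenses       = $licenses
        # Assumption: the ESU add-on license has "ESU" in its Name.
        EsuLicensed    = [bool]($licenses | Where-Object { $_.Name -match 'ESU' -and $_.LicenseStatus -eq 1 })
        InstalledKBs   = $kbs
        RollbackMarker = ($hits.Count -gt 0)
        LastMarkerLine = ($hits | Select-Object -Last 1)
    }
}

# Constructed sample CBS.log lines, to exercise the matcher without a live log.
$sample = @(
    '2025-11-12 09:14:03, Info                  CBS    Exec: Processing complete.',
    '2025-11-12 09:14:07, Error                 CBS    Startup: Failed to process advanced operation queue [HRESULT = 0x800f0922 - CBS_E_INSTALLERS_FAILED]'
)
Find-EsuRollbackMarker $sample      # emits only the second line

Get-EsuTriageReport | Format-List
```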
Practical mitigation steps for admins and power users
Microsoft has not published an official universal workaround for the KB5068781 installation error on subscription‑activated devices. That said, the following pragmatic steps will help reduce risk and buy time while awaiting a definitive fix.
- Pause automated deployment rings
  - Temporarily stop automatic deployment of KB5068781 to machines that were activated via subscription activation until the issue is addressed.
  - Use test rings to validate any Microsoft patch supplied as the remedy.
- Ensure ESU enrollment and enrollment fixes are applied
  - For consumer devices that could not enroll due to the enrollment wizard bug, install the out‑of‑band update KB5071959 and complete enrollment.
  - For managed devices, confirm any required Known Issue Rollback (KIR) group policy or SSU updates recommended by Microsoft are installed.
- Verify servicing‑stack updates (SSU)
  - Confirm the servicing‑stack update that pairs with the ESU LCU is installed. Missing or out‑of‑date SSUs can cause unrelated failures; ensure the SSU chain is current before attempting cumulative installations.
- Manual installation and catalog use (with caution)
  - For machines not showing the update via Windows Update, administrators can attempt to download and apply the relevant KB from the Update Catalog. Note: Microsoft has indicated subscription-activation devices are where the failure occurs; a manual install may still fail and could trigger the same rollback behavior.
  - If attempting manual installation, perform it first on a non‑production test device with a full backup and recovery plan in place.
- Audit activation methods estate‑wide
  - Map out which devices are activated via Microsoft 365 subscription activation. If large swaths of the estate use that activation method and cannot apply KB5068781, consult Microsoft support and consider whether short‑term mitigations (segmenting those devices, additional monitoring, compensating controls) are needed.
- Engage Microsoft support and open a case
  - For environments with purchased ESU entitlements and critical compliance obligations, escalate with Microsoft Support and open a case so Microsoft can correlate telemetry and prioritize a fix. Provide logs (CBS, WindowsUpdateClient) and activation details to the support engineer.
- Deploy compensating security controls
  - While devices remain unpatched, enforce stricter network segmentation, apply virtual patching at perimeter controls, and increase endpoint monitoring and behavioural detection to reduce exposure.
Troubleshooting notes and community reports (anecdotal, unverified)
Community forums and administrators have shared a range of experiences while triaging KB5068781 rollbacks. These reports are valuable as operational data points but should be treated as anecdotal until validated by Microsoft:
- Some administrators reported that devices appear to install the KB normally but then roll back to a prior state at ~94% during the second reboot; logs show the 0x800f0922 failure and CBS errors.
- A subset of administrators reported that after repeated failed attempts the ESU enrollment UI changed state or that reapplying an ESU key made the update appear again but would still fail.
- There are isolated reports of unusual post‑update behaviour (boot hang or recovery loop) after a failed installation; these look to be rare and are not confirmed as systemic.
Critical analysis — strengths and shortfalls of Microsoft's response
Strengths
- Microsoft has been transparent about the problem vector and has publicly confirmed the error code and the affected activation method, which narrows the scope and helps administrators triage.
- The release of KB5071959 as an out‑of‑band patch to address the ESU enrollment wizard shows Microsoft is prioritizing consumer enrollment issues and can ship targeted emergency fixes outside the normal Patch Tuesday cadence.
- Microsoft’s release notes and release‑health pages provide actionable remediation paths (Known Issue Rollbacks, Group Policy options, SSU guidance) and allow administrators to make evidence‑based decisions.
Shortfalls
- The timing is unfortunate: the ESU bridge exists precisely to keep vulnerable machines protected, yet the first ESU cumulative has shown a failure on a non‑trivial activation scenario. That undermines confidence in patch reliability, especially in mixed‑activation estates.
- Microsoft’s initial statement did not include an immediate workaround or ETA for the fix, which forces organizations to either accept operational risk or delay patching while they investigate alternative mitigations.
- The activation‑specific nature of the bug complicates centralized management: many enterprise tools assume uniform behavior across activation types, and differential behavior forces manual inventory, which is error‑prone.
- Public reporting and forum posts indicate not all affected conditions are fully mapped, and anecdotal troubleshooting could lead to informal workarounds that create inconsistent state or future servicing problems.
Recommended action plan for organizations (prioritized)
- Immediate triage (Hours)
  - Run an estate‑wide query to inventory devices by activation method (subscription activation vs. MAK/KMS/retail).
  - Identify devices that have KB5068781 pending or that reported the 0x800f0922 rollback.
- Short‑term containment (Day 0–3)
  - Pause automated deployment of KB5068781 to subscription‑activated groups until Microsoft confirms a fix.
  - For non‑subscription‑activated devices, proceed with standard testing and deployment if the device class shows stable install behavior.
- Remediation (Days 1–7)
  - Apply KB5071959 where appropriate (for consumer devices showing ESU enrollment failure) and verify enrollment.
  - Verify servicing‑stack updates (SSU) are current on all machines.
  - For business devices that must be patched immediately and cannot wait, coordinate with Microsoft support to obtain guidance, telemetry analysis, and possible hotfixes.
- Medium term (Week 1–4)
  - Track Microsoft’s release health advisories and apply the supplied remedial update when available; validate in pilot rings before broad rollout.
  - Reconcile update reporting in WSUS/SCCM/Intune to ensure devices reflect accurate compliance state post‑fix.
- Longer term
  - Reassess activation strategy for future lifecycle events — subscription activation has management advantages but may introduce 3rd‑party dependency risks if vendor-side changes or bugs affect servicing.
  - Strengthen fallback and recovery plans for future critical updates: automated backups, image‑based recovery, and more aggressive test ring usage.
What to tell non‑technical stakeholders (clear messaging)
- The organization is aware of a limited Windows 10 patching issue affecting certain activation methods and is actively triaging.
- Only devices using the Microsoft 365 subscription activation method are affected by this specific installation failure; other devices can be patched normally with appropriate testing.
- The technical team is pausing risky automatic deployments for the affected population to avoid causing instability and will apply a Microsoft‑supplied fix as soon as it becomes available.
- Compensating controls (network segmentation, monitoring) are deployed to mitigate immediate risk to sensitive systems.
Final assessment and risk outlook
The immediate reality is twofold: Microsoft fixed the consumer ESU enrollment wizard quickly via an out‑of‑band update (improving access to ESU enrollment for consumer devices), but a separate installation failure affecting subscription‑activated devices installing KB5068781 remains under investigation and lacks a universal workaround.
Risk posture depends heavily on the organization’s activation model. Enterprises that use MAK or KMS activation are more likely to avoid the specific 0x800f0922 rollback behavior described for subscription activation. Organizations heavily reliant on Microsoft 365 subscription activation for Windows licensing must adopt a cautious stance: pause automatic rollouts of KB5068781 to subscription‑activated groups, inventory affected devices, and escalate with Microsoft support if patch compliance is mandatory for regulatory reasons.
The silver lining is that Microsoft has acknowledged and isolated the bug, and the company’s release‑health mechanism is documenting both the enrollment fix and the ongoing investigation into the KB5068781 install failures. However, until a formal remedial update is made available and validated, the safest posture is conservative deployment, thorough triage, and the use of compensating security controls to reduce exposure for devices that cannot successfully apply the ESU cumulative.
Appendix: Useful commands and checks (for quick copy/paste)
- Confirm ESU licensing: Run in an elevated Command Prompt:
  - slmgr.vbs /dlv
  - Look for ESU Year‑1 (or equivalent) and License Status.
- Check Update history and failures:
  - Settings → Update & Security → Windows Update → View update history
  - Inspect %windir%\WindowsUpdate.log (or use Get-WindowsUpdateLog on older builds) and CBS logs at %windir%\Logs\CBS\CBS.log
- Manual update catalog install:
  - Download the correct architecture package for KB5068781 or KB5071959 from the Microsoft Update Catalog.
  - Test on a lab device first; do not mass deploy manual installs without pilot validation.
- Gather logs for Microsoft support:
  - CBS logs from %windir%\Logs\CBS\CBS.log
  - Windows Update client logs and Event Viewer entries referencing CBS_E_INSTALLERS_FAILED or 0x800f0922
  - Activation and license details (slmgr output screens or SLMGR logs)
Microsoft’s ESU program is designed to be a narrow, practical bridge, not an indefinite replacement for a supported OS lifecycle. This first real‑world ESU deployment has exposed how licensing and activation vectors can intersect with update servicing in unexpected ways — a meaningful lesson for IT teams planning for future lifecycle transitions. While the enrollment wizard bug has been patched for consumers, the subscription activation installation failure remains a live issue that requires careful handling; until Microsoft issues and validates a fix, controlled deployment, rapid triage, and layered compensating controls are the prudent path forward.
Source: Windows Report Microsoft confirms Windows 10's first ESU update KB5068781 may fail with 0x800f0922 error code