KB5089573 Windows 11 Preview Fails With 0x800f0922—EFI Partition Space Fix

Microsoft released the May 26, 2026 Windows 11 non-security preview update, KB5089573, for Windows 11 versions 24H2 and 25H2, bringing OS builds 26100.8524 and 26200.8524 while documenting a rollback-prone installation failure tied to cramped EFI System Partitions. That pairing is the real story: Microsoft is shipping useful quality improvements while also reminding administrators that Windows servicing still depends on old, small, often-ignored boot partitions. The update is optional, but the issue it exposes is not exotic. It is the sort of low-level maintenance debt that only becomes visible when an update gets far enough into reboot-time servicing to fail loudly.

Microsoft’s Optional Update Carries a Mandatory Lesson

KB5089573 is a preview update, which means it is not the monthly Patch Tuesday security payload that administrators are conditioned to treat as urgent. Preview updates are where Microsoft places non-security fixes, feature refinements, and early access to changes that will usually become part of a later cumulative update. For enthusiasts, they are a glimpse into what Windows 11 is becoming; for enterprise IT, they are a staging lane.
This month’s preview fits that pattern. It includes production-quality improvements for Windows 11 24H2 and 25H2, arrives through Microsoft’s usual staged rollout machinery, and can be obtained through Windows Update, the Microsoft Update Catalog, and enterprise servicing channels. On paper, it is a routine late-month Windows update.
But the known issue attached to it is anything but routine for the people who hit it. Microsoft says some devices may fail to complete installation with error code 0x800f0922 after installing KB5089549, the May 2026 security update, particularly when the EFI System Partition has very little free space. The failure appears during the restart phase around 35–36 percent, after Windows has already done enough work to make the user think the update is nearly committed.
That is why this bug matters beyond the specific KB number. Windows Update failures are often described as if they are generic gremlins, but this one has a clear physical constraint behind it: the boot partition may simply not have enough room for what servicing wants to do. In a modern Windows estate, that turns a hidden partition into a fleet reliability variable.

The EFI Partition Is the Tiny Room Windows Keeps Reusing

The EFI System Partition, or ESP, is not where most users look when they think about disk space. Windows users check the C: drive, clean temporary files, remove downloads, or uninstall games. The ESP sits out of sight, holding boot-related files that firmware needs before Windows itself is running.
That invisibility is part of the problem. OEMs, deployment tools, recovery environments, disk cloning utilities, Linux dual-boot setups, and third-party security products can all leave their fingerprints around the boot path. Microsoft’s own known-issue text points to CBS log entries showing space used by third-party or OEM files outside Microsoft boot directories, which is a polite way of saying the ESP can become a shared junk drawer.
Microsoft specifically calls out devices with 10 MB or less available on the ESP as especially vulnerable. That is a tiny number, but it is also exactly the kind of number that can exist unnoticed for years. The main Windows volume may have hundreds of gigabytes free while the boot partition has been quietly packed to the rafters.
The failure pattern is also revealing. The update can appear to install successfully in the initial phases, then fail during restart and roll back with the familiar “Something didn’t go as planned. Undoing changes.” This is the servicing equivalent of discovering the bridge is out only after the convoy has already started crossing.

Error 0x800f0922 Gets a More Concrete Culprit

Error code 0x800f0922 has long been one of those Windows Update messages that sends users into search-engine purgatory. It has been associated with servicing failures, reserved partition problems, .NET components, VPN interference, and other causes depending on the update and machine. In this case, Microsoft is being unusually specific: the ESP does not have enough free space for the servicing operation.
That specificity is useful. Administrators can stop treating the failure as a vague Windows Update tantrum and start looking at partition health, CBS logs, and boot file servicing. The log entries Microsoft highlights — “SpaceCheck: Insufficient free space” and “ServicingBootFiles failed. Error = 0x70” — give support teams something more actionable than a screenshot of a rollback screen.
The 35–36 percent failure point will also be familiar to anyone who has watched cumulative updates crawl through reboot phases. Percentages in Windows servicing are not precise diagnostic milestones, but repeated failures at the same stage can tell an experienced admin where to look. Here, Microsoft has drawn the map: the servicing stack is getting to boot-file work and finding the ESP too tight.
For home users, the practical message is more modest. If the May 2026 update rolls back with 0x800f0922, retrying indefinitely is unlikely to be the winning strategy. The failure may not be because Windows Update downloaded a corrupt package or because Microsoft’s servers had a bad afternoon. The problem may be local, persistent, and sitting in a partition File Explorer does not show.

The Registry Workaround Is a Scalpel, Not a Household Tool

Microsoft’s first workaround is to add a registry value under HKLM\SYSTEM\CurrentControlSet\Control\Bfsvc, setting EspPaddingPercent to 0, then restart and retry the update. In plain English, Microsoft is telling affected systems to relax the padding requirement used during ESP space checks so the update can proceed.
That is a legitimate workaround, but it is not one casual users should treat as magic paste from a forum thread. Microsoft warns that incorrect registry editing can cause serious system problems, and that warning is not boilerplate when the affected component is tied to boot servicing. A typo in the wrong place can turn a failed update into a harder recovery exercise.
The wording also matters. This workaround allows the update to install by modifying an ESP registry setting; it does not enlarge the partition or clean up whatever filled it. If the ESP is crowded because of stale OEM files, redundant bootloaders, abandoned recovery tools, or third-party additions, the underlying housekeeping problem remains.
For enthusiasts and technicians, the registry workaround will be tempting because it is quick. Open an elevated Command Prompt, add the value, reboot, and try again. But in managed environments, speed is not the only variable. A workaround that changes boot-servicing behavior may be acceptable for a small number of known devices and less appealing as a blanket policy across thousands of endpoints.
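One way to apply the workaround with a recorded prior state, as an added PowerShell example (not Microsoft's script and not code from the original article). The function names, the change-record file under ProgramData, the undo step, and the DWORD value type are assumptions of this example; the article gives only the key path, the value name, and the value 0.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the EspPaddingPercent workaround and keep a change record.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Bfsvc'
$ValueName = 'EspPaddingPercent'
# Hypothetical location for the change record; pick one that fits your tooling.
$StateFile = Join-Path $env:ProgramData 'EspPaddingWorkaround.json'

function Set-EspPaddingWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $keyExisted = Test-Path -Path $KeyPath
    $existing   = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $state = [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        AppliedAt  = (Get-Date).ToString('o')
        HadValue   = $null -ne $existing
        PriorValue = if ($existing) { $existing.$ValueName } else { $null }
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set to 0')) {
        if (-not $keyExisted) { New-Item -Path $KeyPath -Force | Out-Null }
        # Write the record first so the registry change is never unrecorded.
        $state | ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8
        # Assumption: the value is a DWORD; the article does not state the type.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    }
    $state
}

function Undo-EspPaddingWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path -Path $StateFile)) { throw "No change record at $StateFile" }
    $state = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Restore prior state')) {
        if ($state.HadValue) {
            # Put back whatever value was present before the workaround.
            New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                -Value ([int]$state.PriorValue) -Force | Out-Null
        } else {
            # The value did not exist before, so remove it again.
            Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        }
        Remove-Item -Path $StateFile
    }
}

# Dry run: shows what would change without touching the registry.
Set-EspPaddingWorkaround -WhatIf
```

After a real run (without -WhatIf), restart and retry the update as the workaround describes; the registry change does not free any space on the ESP.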

Known Issue Rollback Shows Microsoft’s New Update Philosophy

The second mitigation is Known Issue Rollback, or KIR, Microsoft’s mechanism for disabling problematic non-security changes after release without requiring a full new update package for every affected machine. Microsoft says the mitigation has already propagated automatically to consumer devices and non-managed business devices, with a restart potentially helping it apply faster. That is the modern Windows servicing bargain: cloud-delivered rollback logic can quiet a bug before many users ever learn its name.
For enterprise-managed devices, the story is more manual. Administrators need the special Group Policy for Windows 11 24H2 and 25H2, install and configure it, then restart affected devices. Microsoft says the policy temporarily disables the change that causes the issue.
This difference between consumer and managed devices is deliberate. Microsoft can move quickly for unmanaged machines because it controls more of the update path. Enterprises, by contrast, often block, defer, stage, approve, and audit changes. That control is the whole point of enterprise servicing, but it also means mitigations need administrative deployment rather than silent arrival.
KIR is one of the more important Windows servicing technologies of the last several years because it acknowledges a reality Microsoft once seemed reluctant to say out loud: cumulative updates can break things even when the code passed testing. Rolling back a narrow change is better than telling everyone to uninstall a cumulative update or wait a month. But KIR also means administrators must understand which failures are caused by newly introduced update behavior and which are symptoms of older local configuration debt.

The Preview Update Still Brings Real Windows 11 Changes

It would be easy to let the ESP failure swallow the whole update, but KB5089573 also contains the sort of incremental Windows 11 work Microsoft now ships continuously. The highlights include Shared Audio, changes to Magnifier, improved Task Manager visibility for neural processing unit usage, camera policy controls, Windows Setup refinements, and general performance improvements for app launch and core shell experiences.
Shared Audio is the consumer-friendly feature in the bunch. It uses Bluetooth LE Audio broadcast technology so two people can listen to audio from the same Windows 11 PC at the same time, provided the hardware supports the necessary stack. That is not going to transform enterprise computing, but it is the kind of quality-of-life feature that makes laptops feel less rigid and more appliance-like.
Task Manager’s NPU visibility is more strategically interesting. Microsoft has spent the last two years pushing the idea of the AI PC, but administrators and power users need instrumentation, not slogans. If Windows is going to schedule AI workloads across CPUs, GPUs, and NPUs, then Task Manager needs to show where those workloads actually run.
The camera changes are similarly practical. Multi-App Camera mode allows multiple applications to access the camera stream at the same time, while Basic Camera mode offers a simplified path for troubleshooting or stability. The fact that enterprise admins can configure these modes through Group Policy suggests Microsoft expects camera behavior to be more than a consumer convenience; in hybrid work, classroom deployments, kiosks, and secure environments, camera access is policy.
The Windows Setup change is smaller but overdue: users can choose a custom name for the user folder on the Device Name page during setup. Anyone who has watched Windows derive a profile folder name from a Microsoft account identity will understand the appeal. It is a minor control, but minor controls matter when they remove a longstanding annoyance.

Secure Boot Looms Over the Same Terrain

KB5089573 also carries a warning about Secure Boot certificates used by most Windows devices expiring starting in June 2026. That is a separate issue from the ESP installation failure, but the two belong in the same mental folder. Both involve the pre-Windows trust and boot environment that most users never inspect and many organizations only touch during deployment or crisis.
Secure Boot certificate maintenance is not glamorous. It is firmware-facing, timing-sensitive, and easy to postpone because nothing looks broken until the wrong day arrives. Microsoft’s warning is therefore less a footnote than a calendar flare: the boot chain is becoming a more active servicing surface.
That matters because Windows security increasingly relies on hardware-rooted trust. Secure Boot, measured boot, BitLocker, virtualization-based security, Windows Hello Enhanced Sign-in Security, and other features all assume that the system’s earliest startup stages are healthy and predictable. A neglected ESP or stale boot trust configuration can become an operational problem even when Windows itself appears well maintained.
Administrators should resist treating the ESP bug and Secure Boot certificate warning as unrelated trivia. They point toward the same operational truth: endpoint management cannot stop at the visible OS volume. The boot environment is now part of the patch management story.

Enterprise IT Should Read This as a Deployment Smell

The most vulnerable organizations are not necessarily the ones with the oldest machines. They are the ones with the least visibility into how their endpoints were partitioned, imaged, repaired, and modified over time. A fleet built from multiple OEM images, upgraded through several Windows versions, touched by different recovery tools, and joined to different management regimes may have wildly inconsistent ESP layouts.
That inconsistency is hard to see from the center. Endpoint management dashboards usually report OS version, update compliance, disk encryption state, and security posture. They do not always make it obvious that one model line has a tiny ESP with OEM leftovers while another has plenty of room.
This is where the May 2026 issue becomes a useful diagnostic event. If a subset of devices fails with 0x800f0922 and CBS logs show ESP space problems, that is not just an update incident. It is evidence that the organization’s deployment baseline has drifted.
The temptation will be to apply the KIR policy, get compliance numbers green again, and move on. That may be rational in the short term, especially if business operations are blocked. But IT teams should also inventory affected hardware, determine ESP sizes and free space, and identify whether specific OEM images or deployment eras are overrepresented.
A good Windows estate is not merely patched. It is patchable. This incident draws a bright line between those two states.
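The inventory step described above, combined with the CBS log check from the 0x800f0922 section, as an added PowerShell example (not Microsoft's tooling and not code from the original article). The function names and the threshold parameter are this example's own, and the CBS log folder under %windir%\Logs\CBS is the standard location rather than something the article states.

```powershell
#Requires -RunAsAdministrator
# Added example: ESP headroom plus CBS log triage for the 0x800f0922 pattern.

# GPT partition type GUID that identifies an EFI System Partition.
$EspGptType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'

# The two CBS log strings the article quotes from Microsoft's known-issue text.
# Win32 error 0x70 (112) is ERROR_DISK_FULL.
$Markers = @(
    'SpaceCheck: Insufficient free space',
    'ServicingBootFiles failed. Error = 0x70'
)

function Get-EspHeadroom {
    # Size and free space for every ESP on the machine (normally one).
    Get-Partition |
        Where-Object { $_.GptType -eq $EspGptType } |
        ForEach-Object {
            $vol = $_ | Get-Volume
            [pscustomobject]@{
                DiskNumber      = $_.DiskNumber
                PartitionNumber = $_.PartitionNumber
                SizeMB          = [math]::Round($vol.Size / 1MB, 1)
                FreeMB          = [math]::Round($vol.SizeRemaining / 1MB, 1)
            }
        }
}

function Find-EspServicingFailure {
    # The wildcard also covers rotated CbsPersist_*.log files.
    param([string]$LogPath = "$env:windir\Logs\CBS\*.log")
    # -SimpleMatch treats the markers as literal text, not regular expressions.
    Select-String -Path $LogPath -Pattern $Markers -SimpleMatch -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Filename
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

function Get-EspServicingRisk {
    # 10 MB mirrors the "10 MB or less" figure the article attributes to Microsoft.
    param([double]$ThresholdMB = 10)
    $esp  = @(Get-EspHeadroom)
    $hits = @(Find-EspServicingFailure)
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Esp            = $esp
        LowHeadroom    = [bool]($esp | Where-Object { $_.FreeMB -le $ThresholdMB })
        LogMarkerCount = $hits.Count
        LogMarkers     = $hits
    }
}

# One JSON record per device, suitable for collection by management tooling.
Get-EspServicingRisk | ConvertTo-Json -Depth 4
```

A device with LowHeadroom set but no log markers has not failed yet and belongs on the watch list; grouping the records by hardware model or image build shows whether specific OEM images are overrepresented.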

Home Users Get the Softer Landing, but Not a Free Pass

Microsoft says consumer devices and non-managed business devices should receive the KIR mitigation automatically. That is good news for the average Windows 11 user, who should not be expected to understand ESP padding, CBS logs, or Group Policy packages. A restart may be enough to help the mitigation apply.
Still, automatic mitigation does not mean the device is pristine. If the ESP has 10 MB or less free, the machine is living with a narrow margin. Another future update, bootloader change, firmware-related operation, or security transition could run into the same constraint in a different form.
For technically comfortable users, the right next step is not necessarily to start deleting files from the ESP. That partition is sensitive, and casual cleanup can make a system unbootable. The safer path is to confirm the failure pattern, check whether the KIR has applied after a restart, and use Microsoft’s documented workaround only if appropriate.
For everyone else, the most practical advice is boring but sound: back up important data before repeated update attempts, avoid random registry files or partition scripts from untrusted sources, and be cautious about “one-click” repair utilities that promise to fix boot partitions. The cure for an update rollback should not be a boot failure.

Microsoft’s Update Cadence Keeps Moving the Risk Forward

The broader tension is that Microsoft is shipping Windows as a continuously changing platform, while many PCs still carry partition decisions made years ago. That mismatch will keep producing odd failures. A small boot partition created by an OEM image in one era can become a constraint in another.
Preview updates are supposed to help with this. They expose non-security changes before the next security release, giving Microsoft telemetry and giving administrators a test window. But that model only works if organizations actually test against representative devices, including messy real-world endpoints rather than pristine lab images.
KB5089573 also illustrates how Microsoft’s release notes have become part product brochure, part support bulletin, and part operational warning system. In the same document, users get Shared Audio, NPU Task Manager columns, Secure Boot certificate warnings, servicing stack details, and a known issue about failed update installation. That is a lot of responsibility for one support page.
The practical effect is that Windows admins must read preview-update notes less like changelogs and more like risk briefings. The feature list tells you what Microsoft wants to advance. The known issues tell you where the operating system’s assumptions are colliding with the installed base.

The 35 Percent Rollback Is Telling Admins Where to Look

The concrete lesson from KB5089573 is not that everyone should panic about the May preview update. It is that a Windows Update failure during reboot can be a storage problem in a partition many tools hide by default. The rollback message is generic, but the underlying condition is measurable.
Microsoft’s mitigations split cleanly by audience. Consumers and unmanaged business users should benefit from automatic KIR propagation, while enterprise administrators must use the matching Group Policy for Windows 11 24H2 and 25H2 if their update management setup blocks automatic rollback behavior. The registry workaround exists, but it deserves change-control discipline.
The update itself remains optional. Users who do not need the preview fixes can wait for the next security update cycle, when Microsoft says a future resolution is expected. But waiting does not make a cramped ESP roomier, and that is the uncomfortable part.

The May Preview’s Message Is Written in Boot Files

KB5089573 is best read as a normal Windows 11 preview update with an abnormal amount of operational signal attached.
  • The May 26, 2026 preview update applies to Windows 11 versions 24H2 and 25H2 and advances systems to builds 26100.8524 and 26200.8524.
  • The documented installation failure is tied to the May 2026 security update KB5089549 and is most likely on devices with 10 MB or less free on the EFI System Partition.
  • Affected systems may fail around 35–36 percent during restart, roll back the update, and report error code 0x800f0922.
  • Microsoft’s consumer-side mitigation uses Known Issue Rollback, while enterprise-managed devices need a specific Group Policy package and a restart.
  • The registry workaround can allow installation by changing ESP padding behavior, but it should be treated as a controlled administrative fix rather than casual troubleshooting.
  • The same release also advances Windows 11 features such as Shared Audio, NPU reporting in Task Manager, camera policy controls, setup refinements, and performance improvements.
The forward-looking lesson is that Windows servicing is becoming more dependent on the health of components users rarely see: the ESP, Secure Boot trust material, recovery plumbing, and firmware-adjacent policy. Microsoft can soften some failures with cloud rollback and Group Policy, but it cannot make every old partition layout future-proof from Redmond. For Windows users and administrators, the next phase of update reliability will be won less by clicking “Check for updates” and more by knowing whether the machine underneath is still built to accept them.

References

  1. Primary source: Microsoft - Message Center
    Published: 2026-05-26 10:00 PT
 
