Introduction
Microsoft has confirmed a significant deployment issue affecting the May 2026 security update for Windows 11, specifically KB5089549. System administrators are reporting that the cumulative update fails to install on various endpoints, returning the specific error code 0x800f0922.
For defenders, this is more than a nuisance; it is a visibility gap. Failed updates leave assets exposed to the vulnerabilities that KB5089549 was designed to patch. If your automated patching solutions are silently retrying or skipping this KB due to persistent failures, you have a latent risk in your environment. We need to identify which systems have not successfully integrated this update and force remediation before attackers leverage the underlying flaws.
Technical Analysis
- Affected Product: Windows 11 (All versions, specifically 23H2 and 24H2)
- Update ID: KB5089549
- Error Code: 0x800f0922
The Failure Mechanism
The error 0x800f0922 typically indicates that the client failed to connect to the Windows Update server or, more critically in this context, that the system’s Component-Based Servicing (CBS) store is corrupted or the reserved system partition is too small to hold the update files.
Unlike remote code execution vulnerabilities, this is an availability/integrity issue within the update mechanism itself. The "attack surface" here is the administrative gap where security teams assume compliance based on patch deployment initiation rather than successful installation. If the update fails, the CVEs addressed in this May 2026 release remain exploitable on the host.
Exploitation Status
While this is a patching failure rather than an active exploit, it is a prerequisite for exploitability of the patched CVEs. There is no "malware" signature to catch, but the operational impact is high: unpatched systems.
Detection & Response
Detecting a failed update requires moving beyond "patch initiated" logs. We must verify the presence of the update package artifacts in the registry and the file system, or hunt for the specific error codes in update logs.
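The following PowerShell is an added example, not code from the original advisory: it gathers the artifact-level evidence the paragraph above asks for (CBS package keys in the registry, installation-failure events carrying the error code, and the Get-HotFix view) and returns one object per endpoint. It assumes, which the page does not state, that a CBS package CurrentState of 112 (0x70) means "Installed" and that the Windows Update client logs installation failures as Event ID 20 in Microsoft-Windows-WindowsUpdateClient/Operational with the HRESULT in the message text.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original advisory: gather artifact-level evidence that a
# given KB is really installed, instead of trusting a deployment-tool "success" flag.
# Assumptions (not stated on the page): CBS package CurrentState 112 (0x70) means
# "Installed", and the Windows Update client logs installation failures as Event ID 20
# in Microsoft-Windows-WindowsUpdateClient/Operational with the HRESULT in the message.
function Get-KBInstallEvidence {
    param(
        [Parameter(Mandatory)] [string] $KBNumber,
        [string] $ErrorCode    = '0x800f0922',
        [int]    $LookbackDays = 30
    )

    # 1. Registry: every CBS package key whose name carries the KB number, with its state
    $cbsPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
    $packages = @(Get-ChildItem -Path $cbsPath -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "*$KBNumber*" } |
        ForEach-Object {
            $state = (Get-ItemProperty -Path $_.PSPath -Name CurrentState -ErrorAction SilentlyContinue).CurrentState
            [pscustomobject]@{
                Package      = $_.PSChildName
                CurrentState = $state
                Installed    = ($state -eq 112)   # assumed CBS state code for "Installed"
            }
        })

    # 2. Event log: installation-failure events for this KB that carry the error code
    $filter = @{
        LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
        Id        = 20
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    $failures = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $KBNumber -and $_.Message -match $ErrorCode } |
        Select-Object TimeCreated, Id, Message)

    # 3. Cross-check with Win32_QuickFixEngineering, the source Get-HotFix reads
    $hotfix = Get-HotFix -Id $KBNumber -ErrorAction SilentlyContinue

    $installedCount = @($packages | Where-Object { $_.Installed }).Count
    $verdict = if ($installedCount -gt 0) { 'Installed' }
               elseif ($failures.Count -gt 0) { "Failed ($ErrorCode)" }
               else { 'NotInstalled' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        KB                = $KBNumber
        HotFixPresent     = [bool] $hotfix
        PackageKeys       = $packages
        InstalledPackages = $installedCount
        FailureEvents     = $failures
        Verdict           = $verdict
    }
}

# Usage: run elevated on the endpoint; the object can be exported (e.g. Export-Csv)
# for central collection and compared against the SIEM view.
$evidence = Get-KBInstallEvidence -KBNumber 'KB5089549'
$evidence | Select-Object ComputerName, KB, HotFixPresent, InstalledPackages, Verdict | Format-List
$evidence.FailureEvents | Select-Object TimeCreated, Message | Format-Table -Wrap
```

A Verdict of "Failed (0x800f0922)" with HotFixPresent = False is the case the advisory is about: the deployment tool may have reported the job as complete, but neither the CBS store nor Win32_QuickFixEngineering knows about the package.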
SIGMA Rules
---
title: Windows 11 KB5089549 Registry Presence Check
id: 9c8f7a1b-2e3d-4f5a-9b8c-1d2e3f4a5b6c
status: experimental
description: Detects the presence of KB5089549 package keys in the registry to verify successful installation.
references:
  - https://support.microsoft.com/en-us/topic/kb5089549
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  product: windows
  category: registry_add
detection:
  selection:
    # both substrings must be present: the CBS Packages path and the KB number
    TargetObject|contains|all:
      - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
      - 'KB5089549'
  condition: selection
falsepositives:
  - None
level: critical
---
title: Windows Update Agent Installation Failure 0x800f0922
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects events in Setup/Update logs indicating a failure to install updates with error 0x800f0922.
references:
  - https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.impact
  - attack.t1499
logsource:
  product: windows
  service: setup # Using generic setup/operational logs
detection:
  selection:
    # both the KB number and the error code must appear, so successful installs do not match
    Message|contains|all:
      - 'KB5089549'
      - '0x800f0922'
  condition: selection
falsepositives:
  - Retried successful installations after initial failure
level: high
KQL (Microsoft Sentinel / Defender)
This query hunts for devices reporting the specific failure code or lacking the hotfix entry in standard inventory tables.
// Hunt for KB5089549 Installation Failures or Absence
let KBName = "KB5089549";
// Check Update table for installation failures
let UpdateFailures = DeviceEvents
    | where ActionType == "WindowsUpdateInstallationFailure"
    | where AdditionalFields contains KBName
    | where AdditionalFields contains "0x800f0922";
// Check UpdateSummary for compliance
let NonCompliant = UpdateSummary
    | where UpdateTitle contains KBName
    | where Classification == "Security Updates"
    | where Optional != "true"
    | where isnull(UpdateTime); // Assuming null means not installed
union UpdateFailures, NonCompliant
    | project DeviceName, ActionType, UpdateTitle, AdditionalFields, Timestamp
    | summarize count() by DeviceName
Velociraptor VQL
Velociraptor can query the WMI database directly or check the registry to confirm if the patch is actually present on the endpoint.
-- Hunt for presence of KB5089549 using WMI
-- Win32_QuickFixEngineering exposes CSName (computer name), not OSName
SELECT
    CSName,
    HotFixID,
    InstalledOn,
    Description
FROM wmi(
    query="SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID = 'KB5089549'",
    namespace="root\cimv2")
-- If no results are returned, the system is missing the patch
Remediation Script (PowerShell)
This script checks for the KB, attempts to repair the Component Store (corruption there is a common cause of 0x800f0922), resets the Windows Update download cache, and forces an update retry. It must be run with administrative privileges.
#Requires -RunAsAdministrator
# Remediation Script for KB5089549 (Error 0x800f0922)
$KBNumber = "KB5089549"
Write-Host "[+] Checking for $KBNumber installation status..."
$Patch = Get-HotFix -Id $KBNumber -ErrorAction SilentlyContinue

if (-not $Patch) {
    Write-Host "[!] $KBNumber is NOT installed. Attempting remediation..." -ForegroundColor Yellow

    # 1. Repair System Files and Component Store (Resolves 0x800f0922 corruption issues)
    Write-Host "[*] Running DISM /RestoreHealth..."
    Start-Process -FilePath "dism.exe" -ArgumentList "/online /cleanup-image /restorehealth" -NoNewWindow -Wait
    Write-Host "[*] Running SFC /scannow..."
    Start-Process -FilePath "sfc.exe" -ArgumentList "/scannow" -NoNewWindow -Wait

    # 2. Reset Windows Update Components (optional but often required for 0x800f0922)
    Write-Host "[*] Stopping Windows Update Services..."
    Stop-Service -Name wuauserv -Force -ErrorAction SilentlyContinue
    Stop-Service -Name bits -Force -ErrorAction SilentlyContinue
    Stop-Service -Name cryptsvc -Force -ErrorAction SilentlyContinue
    # Rename the download cache so the client rebuilds it on the next scan
    $SdPath = Join-Path $env:SystemRoot "SoftwareDistribution"
    if (Test-Path "$SdPath.old") {
        Remove-Item -Path "$SdPath.old" -Recurse -Force -ErrorAction SilentlyContinue
    }
    if (Test-Path $SdPath) {
        Rename-Item -Path $SdPath -NewName "SoftwareDistribution.old" -Force -ErrorAction SilentlyContinue
    }

    # 3. Force Update Detection Cycle
    Write-Host "[*] Starting Windows Update Services and triggering detection..."
    Start-Service -Name wuauserv -ErrorAction SilentlyContinue
    Start-Service -Name bits -ErrorAction SilentlyContinue
    Start-Service -Name cryptsvc -ErrorAction SilentlyContinue
    # Trigger detection using USOClient (Windows 10/11)
    try {
        Start-Process -FilePath "$env:SystemRoot\System32\usoclient.exe" -ArgumentList "StartScan" -ErrorAction Stop
        Write-Host "[+] Update scan triggered. Please check Windows Update for installation status." -ForegroundColor Green
    } catch {
        Write-Host "[!] Failed to trigger scan. Please manually check Windows Update." -ForegroundColor Red
    }
} else {
    Write-Host "[+] $KBNumber is already installed. Installed On: $($Patch.InstalledOn)" -ForegroundColor Green
}
Remediation
- Verify Patch Status: Do not rely on SCCM/Intune "deployment success" reports. Use the PowerShell script above to verify the Get-HotFix data directly on endpoints.
- Address Component Store Corruption: The primary cause of 0x800f0922 in cumulative updates is a corrupted CBS store. Running DISM /RestoreHealth is the most effective technical remediation.
- Check Partition Sizes: Ensure the System Reserved Partition (SRP) has sufficient free space. Microsoft advises that full SRPs can trigger this specific error.
- Manual Install: If automation fails, download the KB5089549 MSU package from the Microsoft Update Catalog and deploy it via standalone wusa.exe or your RMM tool.
- Official Advisory: Monitor the Microsoft Health Dashboard for official fixes or workaround packages released by Microsoft to address this installation bug.
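The following PowerShell is an added example, not part of the original advisory: it implements the two pre-flight checks behind the "Check Partition Sizes" and "Address Component Store Corruption" items above, so that an operator knows which remediation path to take before retrying the update. It assumes, which the page does not state, that the IsSystem flag in Get-Partition output marks the System Reserved / EFI partition, that CBS writes its HRESULTs to %SystemRoot%\Logs\CBS\CBS.log, and that the 15 MB free-space threshold is an illustrative value rather than a Microsoft figure.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original advisory: two pre-flight checks to run before
# retrying the update. Assumptions (not on the page): IsSystem marks the System Reserved /
# EFI partition in Get-Partition output; the 15 MB threshold is an illustrative value, not
# a Microsoft figure; CBS writes its HRESULTs to %SystemRoot%\Logs\CBS\CBS.log.
function Test-SystemPartitionFreeSpace {
    param([int] $MinimumFreeMB = 15)

    foreach ($p in (Get-Partition | Where-Object { $_.IsSystem })) {
        # The system partition usually has no drive letter, so resolve its volume via the pipeline
        $vol    = $p | Get-Volume -ErrorAction SilentlyContinue
        $freeMB = if ($vol) { [math]::Round($vol.SizeRemaining / 1MB, 1) } else { $null }
        [pscustomobject]@{
            DiskNumber      = $p.DiskNumber
            PartitionNumber = $p.PartitionNumber
            Type            = $p.Type
            SizeMB          = [math]::Round($p.Size / 1MB, 1)
            FreeMB          = $freeMB
            BelowThreshold  = ($null -ne $freeMB -and $freeMB -lt $MinimumFreeMB)
        }
    }
}

function Get-CbsLogFailures {
    param(
        [string] $LogPath   = (Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'),
        [string] $ErrorCode = '0x800f0922',
        [int]    $Last      = 10
    )
    if (-not (Test-Path -Path $LogPath)) { return @() }
    # CBS.log records the HRESULT of each failed step, e.g. "[HRESULT = 0x800f0922 - CBS_E_INSTALLERS_FAILED]",
    # so the last matching lines show which component installer refused the package.
    Select-String -Path $LogPath -Pattern $ErrorCode -SimpleMatch |
        Select-Object -Last $Last |
        ForEach-Object { $_.Line }
}

# Usage: run elevated. A BelowThreshold = True row points at the partition-space cause;
# matching CBS.log lines point at component-store corruption and DISM /RestoreHealth.
Test-SystemPartitionFreeSpace | Format-Table -AutoSize
Get-CbsLogFailures | ForEach-Object { Write-Output $_ }
```

Running both checks before the remediation script avoids repeating DISM and SFC on a host whose only problem is a full system partition, where those steps cannot help.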