Microsoft confirms that a lack of free space on the EFI System Partition can cause the May 2026 Patch Tuesday update to fail with error 0x800f0922, forcing administrators to apply work‑arounds or roll back the update. The issue raises compliance concerns for organisations subject to GDPR, CCPA and other data‑protection regimes that require timely security patching.
Windows boot partition shortage threatens May 2026 security update rollout
Microsoft has publicly acknowledged that the May 2026 security update may abort with the message “Something didn’t go as planned. Undoing changes.” The failure is tied to the EFI System Partition (ESP), the small volume that stores the boot loader. While Windows expects the ESP to be at least 200 MB, the update process aborts if the free space drops to 10 MB or less, returning error code 0x800f0922 during the reboot phase (approximately 35 % progress).
Legal basis for timely patching
Under the EU General Data Protection Regulation (GDPR), Article 32 obliges controllers and processors to implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. Failure to install critical security updates can be interpreted as a breach of that duty, exposing organisations to supervisory fines of up to €20 million or 4 % of global turnover.
Similarly, the California Consumer Privacy Act (CCPA) and the newer CPRA require reasonable security practices. While the statutes do not prescribe specific patch‑management timelines, a documented inability to apply a widely‑publicised security update could be deemed unreasonable, potentially triggering civil penalties of up to $7,500 per violation.
Who is affected?
- Enterprise customers running Windows 11 24H2 or 25H2 on managed devices. The issue appears on both consumer‑grade and non‑managed business machines, but corporate IT departments are the most exposed because they must demonstrate compliance during audits.
- Small‑to‑medium businesses that rely on default partition sizes and lack automated disk‑space monitoring. Many of these organisations will see the update fail silently, leaving systems vulnerable.
- Individual users whose PCs have accumulated data on the ESP (e.g., multiple boot managers, custom firmware). They may experience the same error without any corporate support.
Immediate work‑arounds
- Registry edit – Microsoft suggests adding the DWORD value
HKLM\SYSTEM\Setup\LabConfig\BypassSecureBootCheck = 1. This forces the installer to ignore the ESP size check, but it also disables a security safeguard, which may be unacceptable for regulated environments. - Known Issue Rollback (KIR) – Deploy the KIR group‑policy to revert the failing update and postpone installation until Microsoft releases a fix. The rollback itself is logged, so auditors can see that the organisation acted in good faith.
- Resize the ESP – Using tools such as DiskPart or third‑party partition managers, shrink an adjacent volume and extend the ESP beyond the 200 MB minimum. This is the most reliable fix but requires a reboot and careful planning to avoid data loss.
Compliance implications
- Documentation – Record the occurrence of error 0x800f0922, the chosen mitigation, and the timeline for applying the eventual fix. This evidence can mitigate liability if a data‑breach regulator later questions the delay.
- Risk assessment – Re‑evaluate the risk rating of the affected CVEs. If any of the 30 critical CVEs addressed in the May patch relate to remote code execution, the risk of non‑compliance escalates sharply.
- Notification obligations – Should a breach occur because the update was not applied, GDPR’s Article 33 requires notification to the supervisory authority within 72 hours. Having a documented mitigation plan can demonstrate that the organisation acted promptly.
What changes are coming?
Microsoft has indicated that a corrective update will be pushed automatically to consumer devices and to non‑managed business PCs. The company’s blog post titled “Improving Windows Quality” promises a revised installer that checks ESP free space earlier and aborts with a clearer remediation guide.
In the meantime, IT leaders should:
- Audit ESP sizes across the fleet.
- Implement monitoring alerts when free space falls below 20 MB.
- Review patch‑management policies to include ESP health as a prerequisite for update deployment.
Bottom line
A seemingly minor partition‑size issue can cascade into a compliance risk for any organisation that must keep Windows systems up to date. By treating the ESP as a critical component of the security‑patch pipeline—monitoring it, documenting any work‑arounds, and preparing for the forthcoming fix—companies can stay on the right side of GDPR, CCPA and other data‑protection frameworks while protecting their users from the vulnerabilities the May 2026 update is designed to fix.
Comments
Please log in or register to join the discussion