Event Viewer Archives

Winsage

June 1, 2026

Microsoft confirms Windows 11 update is failing on some PCs, explains if you need a workaround

Microsoft has identified the root cause of installation issues related to the May 2026 update for Windows operating system and is rolling out a solution through an optional update, KB5089573. The May 12, 2026, Patch Tuesday update (KB5089549) introduced enhancements but many users faced installation failures due to error code “0x800f0922,” indicating insufficient space on the EFI System Partition (ESP). The ESP is critical for boot files and typically occupies around 256MB. Users can check ESP storage using a specific command. Low ESP space can lead to update failures, particularly when it drops below 10MB. Microsoft has rolled back problematic code and provided a fix in the optional update KB5089573, which resolves ESP space issues and ensures future updates will proceed smoothly. Users are encouraged to install this update or wait for the next scheduled Patch Tuesday update on June 9, 2026.

Winsage

May 17, 2026

Microsoft confirms Windows 11 KB5089549 issues due to low storage, says it’s rolling out an emergency patch to fix install errors

Microsoft has acknowledged an issue with the installation of Windows 11’s May 2026 Update (KB5089549), which has been encountering errors such as 0x800f0922, 0x80240069, and 0x80240031. An emergency server-side update is being implemented to resolve these installation hurdles. The KB5089549 update is mandatory and intended to install automatically on compatible PCs, but some users have reported difficulties, including installation stalling around 35-36%, leading to a rollback with a message stating, “something didn’t go as planned. Undoing changes.” Investigations reveal that installation failures are particularly affecting devices with limited EFI partition space, with error code 0x800f0922 indicating insufficient free space and potential conflicts with third-party files. The EFI System Partition (ESP) typically occupies no more than 100MB and can become congested due to leftover files, causing installation failures when available space is low. Users with less than 10MB of free EFI storage may face additional complications. A PowerShell command can be used to check EFI storage status. Microsoft has advised users to consider increasing the size of the ESP by modifying the Windows Registry, although the recent server-side update may have already addressed the issue. The Known Issue Rollback (KIR) has been implemented, automatically propagating the resolution to devices. Users are encouraged to restart their devices to expedite the application of the fix, and there are no additional bugs reported.

Winsage

May 7, 2026

My Windows 11 backup broke after KB5083769 — Microsoft says this simple fix might save your files

The Windows 11 security update KB5083769, released on April 14, 2026, introduces changes to the psmounterex.sys driver, causing compatibility issues with third-party backup solutions such as Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup. Microsoft states this is a necessary security adjustment, not a bug. The update also adds known vulnerable kernel drivers to a blocklist to enhance system security. Users can check if a driver is blocked by using the Event Viewer and looking for Event ID 3077 associated with a specific Policy ID.

Winsage

May 5, 2026

April 2026 Windows Update Breaks Third-Party Backup Software by Blocking Vulnerable Driver

Microsoft will include the psmounterex.sys driver in its Vulnerable Driver Blocklist in the April 2026 security update, affecting third-party backup applications that use this driver for image mounting and Volume Shadow Copy Service (VSS) snapshots. This decision addresses CVE-2023-43896, a critical buffer overflow vulnerability. Affected software includes Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup on Windows 11, Windows 10, and Windows Server platforms. Users may face issues during image-mount operations, receiving error messages related to VSS timeouts and Code Integrity errors in the Event Viewer. To check if a system is affected, users can look for Event ID 3077 in the Code Integrity Operational log. Microsoft recommends upgrading to newer versions of backup applications that do not use blocked drivers and advises against uninstalling or delaying the April update. Additionally, the update may cause certain Windows Server 2025 devices to boot into BitLocker recovery mode and has led to out-of-band updates for Windows Server update failures and restart loops on domain controllers.

Winsage

May 4, 2026

Microsoft confirms April Windows updates cause backup failures

Microsoft has acknowledged that the April 2026 security updates have disrupted the functionality of various third-party backup applications using the psmounterex.sys driver, raising concerns among users. The issue primarily affects software leveraging the Volume Shadow Copy Service (VSS) snapshots, leading to failures due to VSS service timeouts. Notable impacted products include Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup, used on Windows 11, Windows Server, and Windows 10 devices. Disruptions can manifest as failures to mount backup image files, errors or timeouts when browsing or restoring from backup images, and error messages related to VSS timeouts. Microsoft updated its support documentation to clarify that the April updates included a security hardening change that added psmounterex.sys to the vulnerable driver blocklist to protect against a high-severity buffer overflow vulnerability (CVE-2023-43896). Affected users are advised to upgrade to newer application versions with updated drivers and not to uninstall or pause the security update. Users can check if the Microsoft Vulnerable Driver Blocklist is blocking a driver by looking for Event ID 3077 in the Code Integrity Operational log. Additionally, Microsoft has alerted users that some Windows Server 2025 devices may boot into BitLocker recovery mode after installing the KB5082063 update and has issued out-of-band updates to address installation failures and restart loops affecting Windows Server systems after the April 2026 updates.

Winsage

April 28, 2026

I investigated Windows 11’s massive 5GB monthly .msu updates. AI is only part of the problem.

Windows 11 updates have significantly increased in size, with monthly cumulative updates often exceeding 4GB and some approaching 5GB. One update can expand to nearly 9GB when extracted. Microsoft has shifted to delivering Latest Cumulative Updates (LCUs), which include all previous fixes, leading to larger update sizes over time. The introduction of Checkpoint Cumulative Updates aims to reduce this growth by establishing periodic baselines, but the effectiveness has been mixed. The May 2025 cumulative update saw a size increase from approximately 6.5GB to nearly 9GB, with new MSIX files related to semantic search and on-device AI contributing to this growth. Windows Update uses applicability logic to minimize download sizes for users, but enterprises must download full packages, resulting in increased storage costs. The average yearly storage cost for enterprises rose from about 11 GB in 2024 to 52 GB by 2026. Users can check their actual download sizes through the Windows Update settings and Event Viewer logs.

Winsage

April 22, 2026

Microsoft Changes Windows Security After 15 Years—Update By ‘End Of April’

Microsoft is set to expire the Secure Boot authentication certificates that protect Windows PCs from threats upon each restart, with this initiative beginning in April 2023. The update will install new certificates and confirm if user action is necessary, with all devices expected to have the update by the end of April 2026. Users can check their Secure Boot status in Windows Security, where a badge system indicates the status. If the certificates expire, users may be at risk of boot-level malware. Microsoft is enhancing visibility of Secure Boot certificate status to aid user awareness. Users should check their PC by the end of the month to ensure it is updated.

Winsage

April 22, 2026

Microsoft Changes Windows Security After 15 Years—Update By ‘End Of April’

Microsoft is updating the Secure Boot certificates for Windows PCs, which have been in place since 2011. This update will begin with the April security patch rollout and is expected to be fully deployed across PCs by the end of April 2026. Users can check the status of the Secure Boot update by navigating to Windows Security > Device security > Secure Boot, where a color-coded badge will indicate the current status. The update will install new certificates and confirm if user action is necessary. If the badge is red, immediate attention is required. Microsoft is enhancing the visibility of the Secure Boot certificate status within Windows Security to aid users in verifying the update. The certificates will not expire for several more weeks, so users should check their systems by the end of the month.

Winsage

April 17, 2026

What to do when device settings don’t migrate to Windows 11

On October 10, 2025, Microsoft ceased support for Windows 10, ending technical assistance, feature updates, and security updates. Organizations are required to transition to Windows 11. During the migration, IT administrators may face errors indicating that certain device settings were not successfully migrated, which can disrupt user experience. Causes of these errors include outdated or incompatible device drivers, failing physical components, incompatible software, restrictive group policies, missing registry keys, and interference from third-party tools. Affected devices may malfunction, impacting productivity. IT teams can troubleshoot these issues by restarting computers, identifying problematic devices using Device Manager, verifying and updating device drivers, checking physical devices, ensuring the operating environment is up to date, utilizing Microsoft command-line utilities, and performing clean boots or system restores if necessary.

Winsage

March 17, 2026

Microsoft to Block Windows 11 and Server 2025 Automated Installation After Critical RCE Vulnerability

Microsoft is implementing a two-phase initiative to disable the hands-free deployment feature in Windows Deployment Services (WDS) due to a critical remote code execution vulnerability (CVE-2026-0386) identified on January 13, 2026. This vulnerability arises from improper access control related to the Unattend.xml file, which is transmitted over an unauthenticated RPC channel, allowing attackers on the same network segment to exploit it. Successful exploitation could grant SYSTEM-level privileges and compromise OS deployment images. The initiative includes: - Phase 1 (January 13, 2026): The hands-free deployment feature will remain operational but can be disabled. New Event Log alerts and registry key controls will be introduced to enforce secure practices. - Phase 2 (April 2026): The hands-free deployment feature will be completely disabled by default for administrators who have not modified registry settings. Administrators can temporarily re-enable the feature by setting AllowHandsFreeFunctionality = 1, but this is not secure. Recommendations include reviewing WDS configurations, applying security updates, setting registry keys for secure behavior, monitoring Event Viewer for alerts, and considering alternative deployment methods. Microsoft’s KB article 5074952 provides further guidance for impacted organizations.