Full Report
Microsoft has released an emergency Windows 10 KB5072653 update to resolve ongoing issues with installing the November extended security updates. [...]
Analysis Summary
# Vulnerability: ESU Installation Failure on Windows 10
## CVE Details
- CVE ID: N/A (This advisory describes a setup/installation bug, not a vulnerability with a public CVE historically associated with it.)
- CVSS Score: N/A
- CWE: N/A (Relates to update deployment/licensing preparation failure)
## Affected Systems
- Products: Windows 10
- Versions: Windows 10 22H2 (Applies to devices attempting to install November 2025 ESU updates)
- Configurations: Devices that have installed the October 2025 cumulative update (KB5066791) but are failing to properly process or install the ESU update (KB5068781), often resulting in error 0x800f0922.
## Vulnerability Description
The issue is not a traditional security vulnerability exploitation but a critical installation failure preventing Extended Security Updates (ESU) licensing preparation (KB5072653) from being correctly applied, which subsequently blocks the deployment of the November 2025 ESU security update (KB5068781). This failure manifests as errors like `0x800f0922 (CBS_E_INSTALLERS_FAILED)`.
## Exploitation
- Status: Not applicable (Installation roadblock, not a security exploit)
- Complexity: N/A
- Attack Vector: N/A
## Impact
- Confidentiality: None (Installation blockage)
- Integrity: None (Installation blockage)
- Availability: High (Prevents delivery of necessary security updates for ESU participants)
## Remediation
### Patches
- **KB5072653 (Extended Security Updates (ESU) Licensing Preparation Package):** This out-of-band update resolves the installation errors.
- **KB5068781:** The November 2025 ESU security update that can be successfully deployed *after* KB5072653 is installed.
**Prerequisites for installing KB5072653:**
1. Device must be running Windows 10 22H2.
2. Must have the October 2025 cumulative update (KB5066791) installed.
### Workarounds
1. Install KB5072653 via Windows Update (it should be offered automatically once prerequisites are met).
2. After KB5072653 is installed and the system is restarted, rerun Windows Update to successfully install the November ESU update (KB5068781).
**Note for Enterprise Admins:** If WSUS or SCCM systems are not correctly recognizing the need for the ESU update, Microsoft indicates that a new **Scan Cab** containing updated metadata for KB5072653 will be released in the near future to fix compliance checking.
## Detection
- Detection methods rely on monitoring the success or failure of update installation attempts, specifically looking for error codes like `0x800f0922` related to ESU package installation.
- Absence of KB5072653 and KB5068781 installation post-November 17, 2025.
## References
- Vendor Advisory (Implied): Microsoft Support Bulletin for KB5072653
- Relevant Links:
- hxxps://support.microsoft.com/help/5072653
- hxxps://support.microsoft.com/help/5068781