Windows Update Enable or Disable Safeguard Holds for Feature Updates in Windows 11

  • Thread starter: Brink

This tutorial will show you how to enable or disable safeguard holds for feature updates in Windows 10 and Windows 11.

Feature updates are new versions of Windows that are released via Windows Update twice a year, usually around spring and fall.

Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When Microsoft finds such an issue, Microsoft might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. Microsoft also uses holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.

Safeguard holds prevent a device with a known issue from being offered a new operating system version. Microsoft renews the offering once a fix is found and verified. Microsoft uses holds to ensure customers have a successful experience as their device moves to a new version of Windows client.

On devices that use Windows Update (but not Windows Update for Business), the Windows Update page in the Settings app displays a message stating that a feature update is on its way, but not ready for the device. Instead of the option to download and install the feature update, users will see a "Learn more" message. If you see this message, it means one or more holds affect your device.

The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. Microsoft monitors quality and compatibility data to confirm that a fix is complete before releasing the hold. Once Microsoft releases the hold, Windows Update will resume offering new operating system versions to devices.

If wanted, you can enable the Disable safeguards for Feature Updates Group Policy to allow Feature Updates without blocking on any safeguard holds.


Opting out of a safeguard hold can put devices at risk from known performance issues.

Microsoft recommends opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business.

Disabling safeguards does not guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you are bypassing the protection against known issues.


You must be signed in as an administrator to enable or disable safeguards for feature updates.

After a device installs a new Windows version, the Disable safeguards for Feature Updates Group Policy will automatically revert to “not configured” (aka: safeguards enabled) even if it was previously enabled (aka: safeguards disabled). Microsoft does this to ensure the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update.



Contents

  • Option One: Enable or Disable Safeguards for Feature Updates in Local Group Policy Editor
  • Option Two: Enable or Disable Safeguards for Feature Updates using REG File




Option One

Enable or Disable Safeguards for Feature Updates in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 11 Pro, Enterprise, and Education editions.

All editions can use Option Two.


1 Open the Local Group Policy Editor (gpedit.msc).

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)

Computer Configuration>Administrative Templates>Windows Components>Windows Update>Manage updates offered from Windows Updates

Disable_safeguards_for_Feature_Updates_gpedit-1.png

3 In the right pane of Manage updates offered from Windows Updates in the Local Group Policy Editor, double click/tap on the Disable safeguards for Feature Updates policy to edit it. (see screenshot above)

4 Do step 5 (enable) or step 6 (disable) below for what you would like to do.

5 To Enable Safeguards for Feature Updates

This is the default setting.


A) Select (dot) Not Configured, click/tap on OK, and go to step 7 below. (see screenshot below)

Disable_safeguards_for_Feature_Updates_gpedit-2.png

6 To Disable Safeguards for Feature Updates

A) Select (dot) Enabled, click/tap on OK, and go to step 7 below. (see screenshot below)

Disable_safeguards_for_Feature_Updates_gpedit-3.png

7 You can now close the Local Group Policy Editor if you like.




Option Two

Enable or Disable Safeguards for Feature Updates using REG File


1 Do step 2 (enable) or step 3 (disable) below for what you would like to do.

2 To Enable Safeguards for Feature Updates

This is the default setting.


A) Click/tap on the Download button below to download the file below, and go to step 4 below.

Enable_safeguards_for_Feature_Updates.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableWUfBSafeguards"=-

3 To Disable Safeguards for Feature Updates

A) Click/tap on the Download button below to download the file below, and go to step 4 below.

Disable_safeguards_for_Feature_Updates.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableWUfBSafeguards"=dword:00000001

4 Save the .reg file to your desktop.

5 Double click/tap on the downloaded .reg file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 Restart the computer to apply.

8 You could now delete the downloaded .reg file if you like.


That's it,
Shawn Brink
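
A check to run before merging in Option Two, as an added example that is not part of the original tutorial: it lists every change a .reg file would make, flags anything other than the `DisableWUfBSafeguards` change shown above, and then reads the live policy value. The function names and the extra value in the sample are hypothetical.

```powershell
# Added example, not the tutorial author's code. Function names are hypothetical.
function Test-SafeguardRegFile {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$ExpectedKey   = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        [string]$ExpectedValue = 'DisableWUfBSafeguards'
    )
    $currentKey = $null
    foreach ($line in ($Text -split '\r?\n')) {
        $entry = $line.Trim()
        # Skip blank lines, comments and the file header.
        if ($entry -eq '' -or $entry.StartsWith(';') -or $entry -like 'Windows Registry Editor*') { continue }

        if ($entry -match '^\[(-?)(.+)\]$') {
            # "[KEY]" selects a key; "[-KEY]" deletes it, which the tutorial's files never do.
            $currentKey = $Matches[2]
            if ($Matches[1] -eq '-') {
                [pscustomobject]@{ Key = $currentKey; Value = '(whole key)'; Data = 'delete'; Expected = $false }
            }
            continue
        }
        if ($entry -match '^"([^"]+)"=(.*)$') {
            $name = $Matches[1]
            $data = $Matches[2]
            # Only the two forms shown in the tutorial are accepted: "=-" and "=dword:00000001".
            $expected = ($currentKey -eq $ExpectedKey) -and ($name -eq $ExpectedValue) -and
                        ($data -eq '-' -or $data -eq 'dword:00000001')
            [pscustomobject]@{ Key = $currentKey; Value = $name; Data = $data; Expected = $expected }
            continue
        }
        # Anything else (default values, multi-line data) is reported for manual review.
        [pscustomobject]@{ Key = $currentKey; Value = '(unparsed)'; Data = $entry; Expected = $false }
    }
}

function Get-SafeguardPolicyState {
    param([string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate')
    $item = Get-ItemProperty -Path $Path -Name 'DisableWUfBSafeguards' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Safeguards enabled (policy not configured)' }
    if ($item.DisableWUfBSafeguards -eq 1) { return 'Safeguards DISABLED (device opted out of holds)' }
    "Safeguards enabled (DisableWUfBSafeguards = $($item.DisableWUfBSafeguards))"
}

# Constructed sample: the tutorial's "disable" file plus one made-up line that does not belong in it.
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableWUfBSafeguards"=dword:00000001
"ExampleUnrelatedValue"=dword:00000001
'@

Test-SafeguardRegFile -Text $sample | Format-Table -AutoSize
Get-SafeguardPolicyState
```

For a real file, pass `-Text (Get-Content -Raw .\Disable_safeguards_for_Feature_Updates.reg)`; any row with `Expected` set to `False` is a change the tutorial's files do not make.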


This is a very good feature when "Enabled" (Default). I cannot fathom any reason whatsoever why one would like to disable it.
 

Will users see the pop up message out of the blue one day? That could be a reason to disable it.
 

Hello, :alien:

You'll see a message like below in Windows Update when you have a feature update with a safeguard hold.

b6a864f2-7f86-49f9-bb2b-3d113249aee1.png
 

Oh ok. Thanks Brink. One more question: what I usually see from Windows Update is this message:
1735866505912.webp


How can I change that out to say the below instead:
1735866557779.webp


Or are messages dependent on the type of update that got installed? CU vs Feature Update that dictates the message?

I would really like to use the pic below that is in Windows 10 if possible.
1735867127698.webp
 

It does appear to vary on which restart notification you may see.

 

Hi,
is there any logic as to when this comes up?

Back in November we had multiple thousands of devices with Safeguard Hold 54762729 and now we are having a few hundreds with the brand new 56031903 that seems to come up for less than 25GB of free storage.

In both cases, only a small fraction of devices showed this screen - most simply said that everything is up to date. Most devices are already assigned to a required upgrade from W10/22H2 to W11/24H2 with an Intune Feature Update profile
 


Hello, and welcome to the forum. :alien:

Unfortunately, not much logic in it.

I see the same. Most devices just say everything is up to date while staying on 23H2 until the safeguards are removed.

Some will have the "Coming soon" message.
 

Once you're able to confirm a safeguard hold with an upgrade block ID where is there a Microsoft reference to get information for each block ID?

Or if upgrade known issues are viewed where can the assigned block ID be viewed?




The safeguard hold tutorial is listed twice in the index:


 

In that link there was a link: Windows 10 Upgrades – Dealing with Safeguard ID 25178825 (Conexant ISST Driver)

They seem to be 8 digits: 25178825

I'm looking for 56031903. Maybe a TPM block?

It would be nice to find a reference source to find either the explanation knowing the block ID or the ID knowing the explanation.

Thx.



This was just downloaded: GitHub - AdamGrossTX/FU.WhyAmIBlocked

An administrative command prompt (black box) flashed > results were not visible.

Once there is a reference or script it will be useful in troubleshooting upgrade failures.
 

Just search the JSON file:
Code:
  {
    "AppName": "Low disk space devices (Wu Offer Block)",
    "BlockType": "GatedBlock",
    "SafeguardId": "56031903",
    "NAME": "",
    "VENDOR": "Microsoft",
    "EXE_ID": "{c8edd7b8-7316-49b7-908d-56952bd3bb0d}",
    "DEST_OS_GTE": "GE24H2",
    "DEST_OS_LT": "XY30H1",
    "FirstAppraiserDate": "2025-02-06T23:07:07.7086986Z",
    "FirstAppraiserVersions": "2615, 2682, 2700, 2700, 2723",
    "LastAppraiserDate": "2025-02-06T23:07:07.7086986Z",
    "LastAppraiserVersions": "2615, 2682, 2700, 2700, 2723",
    "INNERXML": "<NAME type=\"xs:string\"></NAME><APP_NAME type=\"xs:string\">Low disk space devices (Wu Offer Block)</APP_NAME><VENDOR type=\"xs:string\">Microsoft</VENDOR><EXE_ID type=\"xs:string\" baseType=\"xs:base64Binary\">{c8edd7b8-7316-49b7-908d-56952bd3bb0d}</EXE_ID><APP_ID type=\"xs:base64Binary\" /><DEST_OS_GTE type=\"xs:string\">GE24H2</DEST_OS_GTE><DEST_OS_LT type=\"xs:string\">XY30H1</DEST_OS_LT><MATCH_PLUGIN><NAME type=\"xs:string\">PowerShellMatchingPlugin</NAME><COMMAND_LINE type=\"xs:string\">\n                    $Res = 0\n                    [UInt64]$MinDiskSpaceThreshold = 25 * 1024 * 1024 * 1024\n\n                    try {\n                        $SystemDrive = (Get-CimInstance Win32_OperatingSystem).SystemDrive\n                        $SystemDriveLetter = $SystemDrive[0]\n                        $SystemDriveSpace = (Get-Volume -DriveLetter $SystemDriveLetter).SizeRemaining\n                        Write-Host 'Current system drive space:', $SystemDriveSpace.ToString('N0')\n                        if ($SystemDriveSpace -lt $MinDiskSpaceThreshold) {\n                            Write-Host 'System drive space is less than the threshold:', $MinDiskSpaceThreshold.ToString('N0'), 'Applying safeguard.'\n                            $Res = 1\n                        }\n                    } catch {\n                        # Do nothing\n                    }\n\n                    Write-Host 'Final result:', $Res\n                </COMMAND_LINE></MATCH_PLUGIN><DATA><NAME type=\"xs:string\">AppraiserData</NAME><DATA_VALUETYPE type=\"xs:int\">1</DATA_VALUETYPE><DATA_STRING type=\"xs:string\">GatedBlock</DATA_STRING></DATA><DATA><NAME type=\"xs:string\">AppraiserData_GatedBlockId</NAME><DATA_VALUETYPE type=\"xs:int\">1</DATA_VALUETYPE><DATA_STRING type=\"xs:string\">56031903</DATA_STRING></DATA>"
  },
 

This was the output from GitHub - AdamGrossTX/FU.WhyAmIBlocked

Once module is installed run command to collect data from the local device..

Get-FUBlocks

Python is required to process the sdb compatibility database, but the module will still function partially without it.


Code:
PS C:\WINDOWS\system32> get-fublocks
get-fublocks : The term 'get-fublocks' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ get-fublocks
+ ~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (get-fublocks:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\WINDOWS\system32>



From your link ( https://raw.githubusercontent.com/g...tes/SafeGuardHolds/SafeGuardHoldDataBase.json ) it produced low disk space as you had posted:

Code:
  "AppName": "Low disk space devices (Wu Offer Block)",
    "BlockType": "GatedBlock",
    "SafeguardId": "56031903",
    "NAME": "",
    "VENDOR": "Microsoft",
    "EXE_ID": "{c8edd7b8-7316-49b7-908d-56952bd3bb0d}",
    "DEST_OS_GTE": "GE24H2",
    "DEST_OS_LT": "XY30H1",
    "FirstAppraiserDate": "2025-02-06T23:07:07.7086986Z",
    "FirstAppraiserVersions": "2615, 2682, 2700, 2700, 2723",
    "LastAppraiserDate": "2025-02-06T23:07:07.7086986Z",
    "LastAppraiserVersions": "2615, 2682, 2700, 2700, 2723",
    "INNERXML": "<NAME type=\"xs:string\"></NAME><APP_NAME type=\"xs:string\">Low disk space devices (Wu Offer Block)</APP_NAME><VENDOR type=\"xs:string\">Microsoft</VENDOR><EXE_ID type=\"xs:string\" baseType=\"xs:base64Binary\">{c8edd7b8-7316-49b7-908d-56952bd3bb0d}</EXE_ID><APP_ID type=\"xs:base64Binary\" /><DEST_OS_GTE type=\"xs:string\">GE24H2</DEST_OS_GTE><DEST_OS_LT type=\"xs:string\">XY30H1</DEST_OS_LT><MATCH_PLUGIN><NAME type=\"xs:string\">PowerShellMatchingPlugin</NAME><COMMAND_LINE type=\"xs:string\">\n                    $Res = 0\n                    [UInt64]$MinDiskSpaceThreshold = 25 * 1024 * 1024 * 1024\n\n                    try {\n                        $SystemDrive = (Get-CimInstance Win32_OperatingSystem).SystemDrive\n                        $SystemDriveLetter = $SystemDrive[0]\n                        $SystemDriveSpace = (Get-Volume -DriveLetter $SystemDriveLetter).SizeRemaining\n                        Write-Host 'Current system drive space:', $SystemDriveSpace.ToString('N0')\n                        if ($SystemDriveSpace -lt $MinDiskSpaceThreshold) {\n                            Write-Host 'System drive space is less than the threshold:', $MinDiskSpaceThreshold.ToString('N0'), 'Applying safeguard.'\n                            $Res = 1\n                        }\n                    } catch {\n                        # Do nothing\n                    }\n\n                    Write-Host 'Final result:', $Res\n                </COMMAND_LINE></MATCH_PLUGIN><DATA><NAME type=\"xs:string\">AppraiserData</NAME><DATA_VALUETYPE type=\"xs:int\">1</DATA_VALUETYPE><DATA_STRING type=\"xs:string\">GatedBlock</DATA_STRING></DATA><DATA><NAME type=\"xs:string\">AppraiserData_GatedBlockId</NAME><DATA_VALUETYPE type=\"xs:int\">1</DATA_VALUETYPE><DATA_STRING type=\"xs:string\">56031903</DATA_STRING></DATA>"
  },
  {


So it was a gated block and not a hard block.
But it should have been hard.
 
This was the administrative command prompt command that I'd used to see if there was a block:

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\GE24H2"


It only had a row for gated block.
It did not have a row for hard block.
 

I wrote a script which searches your registry's GatedBlockId list against the Safeguard Hold Database.

When you manage to "pretty print" the InnerXML provided by the JSON file, the reason for why your PC is getting blocked becomes really obvious. I'm surprised nobody's done it this way.

Let's take the real-world example of:

Inserting ID's of 54580694 & 56031903:
Code:
BlockID  : 54580694
AppName  : Avira - File delete issue
Name     : *.exe
Vendor   : Avira
InnerXML : <NAME>*.exe</NAME>
           <WILDCARD_NAME>*.exe</WILDCARD_NAME>
           <APP_NAME>Avira - File delete issue</APP_NAME>
           <VENDOR>Avira</VENDOR>
           <EXE_ID>{d9acb205-1671-4d8a-830d-7f4dac47dde4}</EXE_ID>
           <APP_ID />
           <DEST_OS_GTE>GE24H2</DEST_OS_GTE>
           <DEST_OS_LT>XY30H1</DEST_OS_LT>
           <MATCHING_FILE>
               <NAME>*</NAME>
               <PRODUCT_NAME>*</PRODUCT_NAME>
           </MATCHING_FILE>
           <PICK_ONE>
               <MATCHING_FILE>
                   <NAME>*</NAME>
                   <PRODUCT_NAME>Avira*</PRODUCT_NAME>
               </MATCHING_FILE>
               <MATCHING_FILE>
                   <NAME>*</NAME>
                   <COMPANY_NAME>Avira*</COMPANY_NAME>
               </MATCHING_FILE>
           </PICK_ONE>
           <DATA>
               <NAME>AppraiserData</NAME>
               <DATA_VALUETYPE>1</DATA_VALUETYPE>
               <DATA_STRING>GatedBlock</DATA_STRING>
           </DATA>
           <DATA>
               <NAME>AppraiserData_GatedBlockId</NAME>
               <DATA_VALUETYPE>1</DATA_VALUETYPE>
               <DATA_STRING>54580694</DATA_STRING>
           </DATA>

BlockID  : 54580694
AppName  : Avira - File delete issue
Name     : *.sys
Vendor   : Avira
InnerXML : <NAME>*.sys</NAME>
           <WILDCARD_NAME>*.sys</WILDCARD_NAME>
           <APP_NAME>Avira - File delete issue</APP_NAME>
           <VENDOR>Avira</VENDOR>
           <EXE_ID>{9a2969a3-a5d6-4cad-8971-2150dc31c8d4}</EXE_ID>
           <APP_ID />
           <DEST_OS_GTE>GE24H2</DEST_OS_GTE>
           <DEST_OS_LT>XY30H1</DEST_OS_LT>
           <MATCHING_FILE>
               <NAME>*</NAME>
               <PRODUCT_NAME>*</PRODUCT_NAME>
           </MATCHING_FILE>
           <PICK_ONE>
               <MATCHING_FILE>
                   <NAME>*</NAME>
                   <PRODUCT_NAME>Avira*</PRODUCT_NAME>
               </MATCHING_FILE>
               <MATCHING_FILE>
                   <NAME>*</NAME>
                   <COMPANY_NAME>Avira*</COMPANY_NAME>
               </MATCHING_FILE>
           </PICK_ONE>
           <DATA>
               <NAME>AppraiserData</NAME>
               <DATA_VALUETYPE>1</DATA_VALUETYPE>
               <DATA_STRING>GatedBlock</DATA_STRING>
           </DATA>
           <DATA>
               <NAME>AppraiserData_GatedBlockId</NAME>
               <DATA_VALUETYPE>1</DATA_VALUETYPE>
               <DATA_STRING>54580694</DATA_STRING>
           </DATA>

BlockID  : 54580694
AppName  : Avira - File delete issue
Name     : *avira*.exe
Vendor   : Avira
InnerXML : <NAME>*avira*.exe</NAME>
           <WILDCARD_NAME>*avira*.exe</WILDCARD_NAME>
           <APP_NAME>Avira - File delete issue</APP_NAME>
           <VENDOR>Avira</VENDOR>
           <EXE_ID>{4eee9c58-f7ca-4f02-b5b0-9ebb542ba1bc}</EXE_ID>
           <APP_ID />
           <DEST_OS_GTE>GE24H2</DEST_OS_GTE>
           <DEST_OS_LT>XY30H1</DEST_OS_LT>
           <MATCHING_FILE>
               <NAME>*</NAME>
           </MATCHING_FILE>
           <DATA>
               <NAME>AppraiserData</NAME>
               <DATA_VALUETYPE>1</DATA_VALUETYPE>
               <DATA_STRING>GatedBlock</DATA_STRING>
           </DATA>
           <DATA>
               <NAME>AppraiserData_GatedBlockId</NAME>
               <DATA_VALUETYPE>1</DATA_VALUETYPE>
               <DATA_STRING>54580694</DATA_STRING>
           </DATA>

BlockID  : 54580694
AppName  : Avira - File delete issue
Name     :
Vendor   : Avira
InnerXML : <NAME></NAME>
           <APP_NAME>Avira - File delete issue</APP_NAME>
           <VENDOR>Avira</VENDOR>
           <EXE_ID>{3a73d09b-bd46-42f0-8126-53b047e0548c}</EXE_ID>
           <APP_ID />
           <DEST_OS_GTE>GE24H2</DEST_OS_GTE>
           <DEST_OS_LT>XY30H1</DEST_OS_LT>
           <PICK_ONE>
               <MATCHING_FILE>
                   <NAME>%WinDir%\System32\drivers\avkmgr.sys</NAME>
                   <COMPANY_NAME>Avira*</COMPANY_NAME>
               </MATCHING_FILE>
               <MATCHING_FILE>
                   <NAME>%WinDir%\System32\drivers\avipbb.sys</NAME>
                   <COMPANY_NAME>Avira*</COMPANY_NAME>
               </MATCHING_FILE>
               <MATCHING_FILE>
                   <NAME>%WinDir%\System32\drivers\bdnet.sys</NAME>
                   <COMPANY_NAME>Avira*</COMPANY_NAME>
               </MATCHING_FILE>
               <MATCHING_FILE>
                   <NAME>%WinDir%\System32\drivers\bdsentry.sys</NAME>
                   <COMPANY_NAME>Avira*</COMPANY_NAME>
               </MATCHING_FILE>
               <MATCHING_FILE>
                   <NAME>%WinDir%\System32\drivers\netprotection_network_filter.sys</NAME>
                   <COMPANY_NAME>Avira*</COMPANY_NAME>
               </MATCHING_FILE>
               <MATCHING_FILE>
                   <NAME>%WinDir%\System32\drivers\rtp1.sys</NAME>
                   <COMPANY_NAME>Avira*</COMPANY_NAME>
               </MATCHING_FILE>
               <MATCHING_FILE>
                   <NAME>%WinDir%\System32\drivers\rtp2.sys</NAME>
                   <COMPANY_NAME>Avira*</COMPANY_NAME>
               </MATCHING_FILE>
               <MATCHING_FILE>
                   <NAME>%WinDir%\System32\drivers\rtp_elam.sys</NAME>
                   <COMPANY_NAME>Avira*</COMPANY_NAME>
               </MATCHING_FILE>
               <MATCH_PLUGIN>
                   <NAME>WmiQueryMatchingPlugin</NAME>
                   <COMMAND_LINE>ROOT\SecurityCenter2 AntivirusProduct 0 productState int 0 gte WHERE displayName LIKE 'Avira%'</COMMAND_LINE>
               </MATCH_PLUGIN>
           </PICK_ONE>
           <DATA>
               <NAME>AppraiserData</NAME>
               <DATA_VALUETYPE>1</DATA_VALUETYPE>
               <DATA_STRING>GatedBlock</DATA_STRING>
           </DATA>
           <DATA>
               <NAME>AppraiserData_GatedBlockId</NAME>
               <DATA_VALUETYPE>1</DATA_VALUETYPE>
               <DATA_STRING>54580694</DATA_STRING>
           </DATA>

BlockID  : 56031903
AppName  : Low disk space devices (Wu Offer Block)
Name     :
Vendor   : Microsoft
InnerXML : <NAME></NAME>
           <APP_NAME>Low disk space devices (Wu Offer Block)</APP_NAME>
           <VENDOR>Microsoft</VENDOR>
           <EXE_ID>{c8edd7b8-7316-49b7-908d-56952bd3bb0d}</EXE_ID>
           <APP_ID />
           <DEST_OS_GTE>GE24H2</DEST_OS_GTE>
           <DEST_OS_LT>XY30H1</DEST_OS_LT>
           <MATCHING_REG>
               <NAME>SOFTWARE\Microsoft\Windows NT\CurrentVersion</NAME>
               <MATCH_LOGIC_NOT />
               <REG_VALUE_NAME>InstallationType</REG_VALUE_NAME>
               <REG_VALUE_TYPE>1</REG_VALUE_TYPE>
               <REG_VALUE_DATA_SZ>*Server*</REG_VALUE_DATA_SZ>
           </MATCHING_REG>
           <MATCH_PLUGIN>
               <NAME>PowerShellMatchingPlugin</NAME>
               <COMMAND_LINE>
                           $Res = 0
                           [UInt64]$MinDiskSpaceThreshold = 25 * 1024 * 1024 * 1024

                           try {
                               $SystemDrive = (Get-CimInstance Win32_OperatingSystem).SystemDrive
                               $SystemDriveLetter = $SystemDrive[0]
                               $SystemDriveSpace = (Get-Volume -DriveLetter $SystemDriveLetter).SizeRemaining
                               Write-Host 'Current system drive space:', $SystemDriveSpace.ToString('N0')
                               if ($SystemDriveSpace -lt $MinDiskSpaceThreshold) {
                                   Write-Host 'System drive space is less than the threshold:', $MinDiskSpaceThreshold.ToString('N0'), 'Applying safeguard.'
                                   $Res = 1
                               }
                           } catch {
                               # Do nothing
                           }

                           Write-Host 'Final result:', $Res
                       </COMMAND_LINE>
           </MATCH_PLUGIN>
           <DATA>
               <NAME>AppraiserData</NAME>
               <DATA_VALUETYPE>1</DATA_VALUETYPE>
               <DATA_STRING>GatedBlock</DATA_STRING>
           </DATA>
           <DATA>
               <NAME>AppraiserData_GatedBlockId</NAME>
               <DATA_VALUETYPE>1</DATA_VALUETYPE>
               <DATA_STRING>56031903</DATA_STRING>
           </DATA>

Some notes about the script:

1. Why does it always download a copy of the JSON file, instead of caching it? As presented on GitHub, the raw file has no versioning or timestamp tags to understand if your local copy has been superseded. Yes, your browser can see the timestamp because it's running the GitHub website code in a HTML frame.

2. When provided on raw.githubusercontent.com, the file is dynamically created (not static). Therefore it doesn't have a file creation time to use for judging how old the file is.

3. I think the reason nobody's pretty-printed the XML before is because it's a "rootless" or "fragmented" XML list. Which means a bunch of XML nodes which occupy the same level, and evidently the default Windows XML parser is too stupid to handle it. I'm sure if you're an XML guru, it might be done but no one's presented a simple answer.

Instead I borrowed someone's hack and bracketed the InnerXML elements inside a parent root node. Since now all the fragments have a parent, your normal XML pretty printer function works as advertised. The next step is to strip off the ends to hide the parent node's presence.

4. If you want to just query the JSON file with a list of previously known ID's, run:
Code:
powershell -f Why_Blocked.ps1 -Query 54580694 56031903

If you have AppCompatMarkers, the script will report those too.
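
The ID lookup and the root-wrapping step from notes 3 and 4, as an added example that is not the poster's Why_Blocked.ps1: it reads the local gated block IDs, looks each one up in a safeguard hold database, and pretty-prints the rootless INNERXML by parsing it inside a temporary parent node. The function names are hypothetical, the database record is an abridged copy of the one quoted in this thread, and the `GatedBlockId` registry value name is an assumption.

```powershell
# Added example, not the poster's script. Function names are hypothetical.

# Constructed sample: abridged copy of the record quoted in this thread (INNERXML shortened).
$json = @'
[
  {
    "AppName": "Low disk space devices (Wu Offer Block)",
    "BlockType": "GatedBlock",
    "SafeguardId": "56031903",
    "VENDOR": "Microsoft",
    "INNERXML": "<NAME type=\"xs:string\"></NAME><APP_NAME type=\"xs:string\">Low disk space devices (Wu Offer Block)</APP_NAME><DEST_OS_GTE type=\"xs:string\">GE24H2</DEST_OS_GTE><DATA><NAME type=\"xs:string\">AppraiserData_GatedBlockId</NAME><DATA_STRING type=\"xs:string\">56031903</DATA_STRING></DATA>"
  }
]
'@

function Format-XmlFragment {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Fragment)
    # Sibling elements without a single root are not a well-formed document,
    # so parse them inside a temporary <root> element.
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml("<root>$Fragment</root>")

    $sw = New-Object System.IO.StringWriter
    $xw = New-Object System.Xml.XmlTextWriter($sw)
    $xw.Formatting  = [System.Xml.Formatting]::Indented
    $xw.Indentation = 4
    $doc.WriteTo($xw)
    $xw.Flush()

    # Drop the <root> and </root> lines and remove the one indent level they added.
    $lines = $sw.ToString() -split '\r?\n'
    if ($lines.Count -lt 3) { return $Fragment }
    ($lines[1..($lines.Count - 2)] | ForEach-Object { $_ -replace '^ {4}', '' }) -join [Environment]::NewLine
}

function Get-LocalGatedBlockId {
    # Key path from the REG QUERY in this thread; the value name GatedBlockId is an assumption.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $raw = (Get-ItemProperty -Path $_.PSPath -Name 'GatedBlockId' -ErrorAction SilentlyContinue).GatedBlockId
        if ($raw) { $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^\d+$' } }
    } | Sort-Object -Unique
}

function Get-SafeguardHoldInfo {
    param(
        [Parameter(Mandatory)][string[]]$SafeguardId,
        [Parameter(Mandatory)][object[]]$Database
    )
    foreach ($id in $SafeguardId) {
        # One safeguard ID can map to several records, as the Avira output above shows.
        $hits = @($Database | Where-Object { $_.SafeguardId -eq $id })
        if ($hits.Count -eq 0) {
            [pscustomobject]@{ BlockID = $id; AppName = '(not in database)'; BlockType = $null; InnerXML = $null }
            continue
        }
        foreach ($hit in $hits) {
            [pscustomobject]@{
                BlockID   = $id
                AppName   = $hit.AppName
                BlockType = $hit.BlockType
                InnerXML  = Format-XmlFragment -Fragment $hit.INNERXML
            }
        }
    }
}

$db  = $json | ConvertFrom-Json
$ids = @(Get-LocalGatedBlockId)
if ($ids.Count -eq 0) { $ids = @('56031903') }   # fall back to the ID discussed in this thread
Get-SafeguardHoldInfo -SafeguardId $ids -Database $db | Format-List
```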
 
