Windows 10: Deactivate Safeguard holds (blocked Upgrades)

[German]In Windows 10, Group Policy can be used to disable upgrade blocks (safeguard holds) set by Microsoft in Windows Update due to known compatibility issues. Here is some information about this.


Advertising

I've had this topic on my radar for about a month now because someone on Facebook had given me the hint 'you know the registry keys to remove an upgrade blocker rule'. I wrote down the value of DisableWUfBSafeguards, but did not pursue the topic any further. Then on October 22, 2020, Microsoft published the article Opt out of safeguard holds on the topic, so I'll bring it up now.

Some Background

When installing feature updates, there are always machines that Microsoft knows have hardware or software compatibility issues with the new Windows 10 version. In such cases, the feature update will be blocked in Windows Update (known as Safeguard holds) for these machines. The user then receives the following notification in Windows Update. 

Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page

These safeguard holds prevent a device with a known compatibility issue from being offered a new Windows 10 feature update using Windows Update. Microsoft uses these locks to protect the device and the user from a failed or poor update experience. Microsoft removes these locks once a fix for the compatibility issue is released and verified on an affected device. More information about such locks can be found here.

Removing the upgrade lock (safeguard hold)

However, administrators in enterprise environments can deactivate this upgrade lock in Windows 10 via Group Policy. There are several ways to do this, which Microsoft describes in the article Opt out of safeguard holds. The easiest way in Windows 10 Pro, Enterprise and Education is to enable the relevant Group Policy.


Advertising

1. Start gpedit.msc with administrative permissions and navigate in the Group Policy Editor's left pane to the branch:

Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business

2. Then activated the Group Policy Disable safeguards for Feature Updates and have the policy updated (for example, by rebooting or by running the gpupdate /force command from an administrative command prompt)

Group Policy Disable safeguards for Feature Updates

This policy is available for Windows Update for Business (WUfB) with Windows 10 version 1809 or higher, provided the security update from October 2020 has been installed.

Bleeping Computer had taken up the topic promptly in this article and points out that you can also access the following registry branch via the registry editor:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

If you add a DWORD 32-bit value DisableWUfBSafeguards and set it to 1, the upgrade locks of Windows Update are bypassed.

But note the risk of unlocking the upgrade lock set by Microsoft. There is no guarantee that the upgrade will work and there is a risk that hardware and software problems will occur afterwards. Microsoft has implemented this policy only to allow IT administrators to perform compatibility validation testing.

After a device installs a new version of Windows 10, Disabling Feature Update Security Policy is reset to "not configured" even if it was previously enabled. Microsoft does this to ensure that the administrator deliberately disables Microsoft's default protection against known issues for each new feature update.


Advertising

This entry was posted in Update, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).