Hi,

The run diag options, I find, aren't as useful as a well-built query. Use the prebuilt queries for attempted violations, or build your own to look for the workflow ID you configured when putting your system into update mode. From the output of that query you can find all the events that happened due to the change or that were denied.

The next part is a bit trickier. You then need to go to the system and use Tasklist or Task Manager to find the process. If you can't, you may need to run Processmon to find the process trying to make the changes. In Processmon you can also trace the process structure back to the parent process.