TL;DR: Microsoft is blocking legitimate, paying users from downloading official Windows installation media based on IP reputation — flagging ordinary residential and cellular connections, with no appeal and no self-clearing — while breaking the de-facto download tooling. The upshot: a genuine, licensed, fully-updated Windows PC could not obtain its own OS media, and the fastest way to get authentic Windows bits turned out to be a Linux box reassembling them from Microsoft's own CDN in five minutes. That's not a flex for Linux; it's an indictment of Microsoft's acquisition story — and winget rides the same gating philosophy, which is why it belongs here.
What happens
Downloading the Windows 11 ISO from microsoft.com/software-download/windows11 returns:
"We are unable to complete your request at this time. Some users, entities and locations are banned from using this service … leveraging anonymous or location hiding technologies … is not generally allowed."
Error code 715-123130
The connection is a plain Comcast residential line — no VPN, no proxy, no tunnel (verified: direct route, no proxy config). The identical block hits from a cellular carrier IP. Fido/Rufus's scripted path gets the equivalent "Sentinel marked this request as rejected." Per Rufus's own maintainer, Microsoft flags IPs that merely "poke the download servers a bit too much," and the ban does not clear itself. No anonymizer, no abuse, no recourse — just locked out of official media for the crime of trying to download Windows.
The part Microsoft should be embarrassed about
Because the official path was a brick wall, here's what it actually took to obtain a genuine, current (26200.8524) ISO:
- The real Windows machine that needed the media — running genuine, licensed, fully-patched Windows 11 — could not build it. First-party tooling ground away for over an hour and hung without producing anything.
- A Linux box pulled Microsoft's own UUP packages from the (un-blocked) Windows Update CDN and assembled a clean, bootable ISO in ~5 minutes.
Sit with that. Official OS, official hardware, official tooling: blocked, then broken. Third-party OS, reassembling Microsoft's own bits: done before the coffee finished brewing. If a Linux shell script is a faster, more reliable way to get authentic Windows media than anything Microsoft ships, the acquisition pipeline is not "secure" — it's just hostile to the people using it correctly.
Why this is an actual security own-goal
Every competent admin who hits 715-123130 does the obvious next thing: they go find the ISO somewhere else. Microsoft is, at scale, training its most security-conscious users to source operating-system media from unofficial mirrors — the precise behavior that supply-chain security exists to prevent. You cannot preach supply-chain integrity while making the official supply chain the least dependable way to obtain the product.
Why this repo
winget is Microsoft's flagship "acquire software the correct, trusted way" story, and it depends on the same distribution and anti-abuse gating that produces 715-123130. The population this IP-reputation gating punishes — admins doing legitimate, repeated, scripted acquisition — is exactly winget's core audience. If the sanctioned path is going to be the trusted one, it has to function for legitimate automation instead of banning a residential IP for downloading Windows.
Asks
- Stop applying VPN / "location-hiding" IP-reputation bans to official OS media downloads from ordinary consumer ISPs and cellular carriers.
- Provide a sanctioned, authenticated, scriptable way for admins to obtain official media. Account-gating is reasonable; IP-roulette with no appeal is not.
- If UUP-from-CDN is the reliable path in practice anyway, document and support it rather than ceding it to third parties.
- At absolute minimum, make
715-123130 actionable: state why an IP is blocked and provide a way to clear it.
Reproducible: 715-123130 from two independent ISPs (residential + cellular, same household, no anonymizers). Activity IDs available on request.
What happens
Downloading the Windows 11 ISO from
microsoft.com/software-download/windows11returns:The connection is a plain Comcast residential line — no VPN, no proxy, no tunnel (verified: direct route, no proxy config). The identical block hits from a cellular carrier IP.
Fido/Rufus's scripted path gets the equivalent "Sentinel marked this request as rejected." Per Rufus's own maintainer, Microsoft flags IPs that merely "poke the download servers a bit too much," and the ban does not clear itself. No anonymizer, no abuse, no recourse — just locked out of official media for the crime of trying to download Windows.The part Microsoft should be embarrassed about
Because the official path was a brick wall, here's what it actually took to obtain a genuine, current (
26200.8524) ISO:Sit with that. Official OS, official hardware, official tooling: blocked, then broken. Third-party OS, reassembling Microsoft's own bits: done before the coffee finished brewing. If a Linux shell script is a faster, more reliable way to get authentic Windows media than anything Microsoft ships, the acquisition pipeline is not "secure" — it's just hostile to the people using it correctly.
Why this is an actual security own-goal
Every competent admin who hits
715-123130does the obvious next thing: they go find the ISO somewhere else. Microsoft is, at scale, training its most security-conscious users to source operating-system media from unofficial mirrors — the precise behavior that supply-chain security exists to prevent. You cannot preach supply-chain integrity while making the official supply chain the least dependable way to obtain the product.Why this repo
wingetis Microsoft's flagship "acquire software the correct, trusted way" story, and it depends on the same distribution and anti-abuse gating that produces715-123130. The population this IP-reputation gating punishes — admins doing legitimate, repeated, scripted acquisition — is exactlywinget's core audience. If the sanctioned path is going to be the trusted one, it has to function for legitimate automation instead of banning a residential IP for downloading Windows.Asks
715-123130actionable: state why an IP is blocked and provide a way to clear it.Reproducible:
715-123130from two independent ISPs (residential + cellular, same household, no anonymizers). Activity IDs available on request.