Hello @Fraser Burnett ,
In my case I looked into running services, and disabled anything not from Microsoft temporary until the upgrade was finished.
On the other hand your can temporary deploy the turn off by GPO just for the upgrade by adding the next registry key to the GPO
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Enabled DWORD
0 = Off
1 = On
I have heard a lot about the Core Integrity failure to upgrade/update and it seems that there is some security excess (at the end the purpose is to "lock" the core files to prevent malicious injection), but we can say that the problems of one time, might save us bigger issues on the long run.
Hope this helps in your case,
Best regards,