Windows 11 Upgrades - Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt on MX

Duke_Nukem
Getting noticed


Anyone else seeing these show up in their MX's Security Center?  (assuming you have IPS enabled to Prevention, and Security ruleset)

 

Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt

[Screenshot attached: Screenshot 2025-08-12 082315.png]

We've been upgrading Win10 machines to Win11 via WUFB (Windows Update For Business), which has been working well over the past few months.  But we started seeing these show up.

The majority are from an IP in Sweden, but we're also seeing them from US IPs.  I'm sure it's all part of the CDN, but could certain IPs be compromised or are these false-positives?

 

Thanks.

 

5 Replies
RWelch
Kind of a big deal

Are you able to compare the timestamps with your Win10 > Win11 upgrade activity to the security center alerts?

If the alerts align with legit Windows Update traffic from known Microsoft CDN IP ranges, it's likely a false positive.  

 

If not, I'd be inclined to treat as suspicious until proven otherwise.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
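One way to do the correlation suggested above in a repeatable way, as an added example that is not part of this thread or of any Meraki tooling: it reads IPS alert lines and upgrade-window lines in a constructed pipe-separated format (an assumption; real Security Center exports will differ), checks each alert's source IP against a list of trusted CDN prefixes, and checks whether the alert falls inside a scheduled upgrade window. The prefixes below are RFC 5737 documentation ranges standing in for whatever ranges you verify as Microsoft's; they are placeholders, not real CDN addresses.

```python
"""Correlate IPS alerts with upgrade windows and trusted CDN ranges.

Added example, not from the forum thread. Log formats and CDN prefixes
are constructed placeholders; substitute your own exports and verified ranges.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample IPS alerts: "timestamp|source_ip|signature"
ALERT_LOG = """\
2025-08-12T08:20:11|203.0.113.17|Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt
2025-08-12T08:21:40|203.0.113.17|Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt
2025-08-12T23:05:02|198.51.100.9|Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt
2025-08-13T03:14:55|192.0.2.77|Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt
"""

# Constructed upgrade windows from a deployment tracker: "start|end|site"
UPGRADE_WINDOWS = """\
2025-08-12T08:00:00|2025-08-12T12:00:00|office-a
"""

# Placeholder prefixes (RFC 5737 documentation ranges), NOT Microsoft's CDN.
# Replace with the ranges you have verified yourself.
TRUSTED_CDN_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

SIGNATURE = "Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt"


@dataclass
class Alert:
    ts: datetime
    src: str
    signature: str


@dataclass
class Verdict:
    alert: Alert
    in_cdn_range: bool
    in_upgrade_window: bool

    @property
    def label(self) -> str:
        # Both signals agree with legitimate update traffic: likely a false positive.
        if self.in_cdn_range and self.in_upgrade_window:
            return "likely false positive"
        # Only one signal matches: a human should look at it.
        if self.in_cdn_range or self.in_upgrade_window:
            return "review"
        # Unknown source outside any upgrade window: treat as suspicious.
        return "suspicious"


def parse_alerts(text: str) -> list[Alert]:
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sig = line.split("|", 2)
        alerts.append(Alert(datetime.fromisoformat(ts), src, sig))
    return alerts


def parse_windows(text: str) -> list[tuple[datetime, datetime, str]]:
    windows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, site = line.split("|", 2)
        windows.append((datetime.fromisoformat(start), datetime.fromisoformat(end), site))
    return windows


def in_trusted_range(src: str, ranges) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in ranges)


def in_any_window(ts: datetime, windows, slack: timedelta) -> bool:
    # Allow some slack either side, since installs start and finish off-schedule.
    return any(start - slack <= ts <= end + slack for start, end, _ in windows)


def classify(alerts, windows, ranges, signature=SIGNATURE, slack=timedelta(minutes=30)):
    return [
        Verdict(a, in_trusted_range(a.src, ranges), in_any_window(a.ts, windows, slack))
        for a in alerts
        if a.signature == signature
    ]


def summarize(verdicts) -> dict[str, int]:
    counts: dict[str, int] = {}
    for v in verdicts:
        counts[v.label] = counts.get(v.label, 0) + 1
    return counts


if __name__ == "__main__":
    verdicts = classify(parse_alerts(ALERT_LOG), parse_windows(UPGRADE_WINDOWS), TRUSTED_CDN_RANGES)
    for v in verdicts:
        print(f"{v.alert.ts.isoformat()} {v.alert.src:>15} -> {v.label}")
    print(summarize(verdicts))
```

The "review" bucket is deliberate: an alert from a trusted range outside any window, or from an unknown address during a window, is exactly the case where you want to look at the client and the traffic before deciding whether to add an IPS exception, and the exception itself should be scoped to the signature and time-limited to the upgrade campaign rather than left open.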
Duke_Nukem
Getting noticed

Thanks for the reply.

 

Some of the IPs are linked directly and some are linked indirectly to Microsoft's CDN.  Haven't correlated times, other than that we target an office for upgrade and then start seeing some blocks in the Security Center.  I assume the content is delivered by another server that is not blocked, as we haven't seen any issues on the clients.

 

Definitely not looking to open things up.  At least not yet.  We're nearing the end of our upgrades, so things should hopefully die down over the next month or so.

 

Thanks.

CodeMercenary
Here to help

I experienced the same thing this week. Wednesday after work hours I started to upgrade a computer to Win 11 via Windows Update. The update sat at 99% for more than 24 hours so I killed it and rebooted. Then I tried it with Microsoft's upgrade assistant. It also got stuck during the process so I killed that and rebooted this morning. Then I used a downloaded ISO to upgrade the system and it worked fine.

 

This afternoon I noticed over four thousand events in the security log for `Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt` for that machine. The events started Wednesday evening right when I started the Windows 11 upgrade and ended this morning when I gave up and switched to the ISO. It also listed them as coming from Sweden.

[Screenshot attached: CodeMercenary_0-1758326552249.png]

I am rather confident that this was a false positive and it blocks Windows 11 upgrades. With less than a month left of Windows 10 support, not a great thing to block. 

Duke_Nukem
Getting noticed

Thanks for the reply.  Did you end up whitelisting this rule?  I haven't yet, but still have a few machines determined to get their W11 update, with these sites flagging this rule.  If they went off our network, I'm sure they would download it.

CodeMercenary
Here to help

I did not end up whitelisting it. I had already switched over to using FlyOOBE to upgrade from an ISO file by the time I figured out what had caused the issue, and I had also upgraded the last remaining upgradable Win 10 system using the ISO file by then too. 

 

I haven't ever whitelisted one of the rules like that. I assume you could whitelist it and then remove it from the whitelist after finishing all the upgrades. 
