Microsoft has acknowledged that the April 2026 security updates have inadvertently disrupted the functionality of various third-party backup applications that utilize the psmounterex.sys driver. This development has raised concerns among users relying on these applications for data protection.
Impact on Backup Applications
According to a report from BleepinComputer, the issue primarily affects software leveraging the Volume Shadow Copy Service (VSS) snapshots, leading to failures attributed to VSS service timeouts. Notable products impacted by this situation include:
- Macrium Reflect
- Acronis Cyber Protect Cloud
- UrBackup Server
- NinjaOne Backup
These applications are used on Windows 11, Windows Server, and Windows 10 devices, and the disruptions can manifest in several ways:
- Backup applications may fail to mount backup image files as virtual drives.
- Users attempting to browse or restore from backup images might encounter errors or timeouts.
- Error messages such as “The backup has failed because Microsoft VSS has timed out during the snapshot creation” or VSSEBAD_STATE may appear.
- The Event Viewer may log Code Integrity errors indicating that psmounterex.sys was blocked from loading.
- While full image backups may still succeed, operations to mount these images will fail.
In response to these challenges, Microsoft has updated its support documentation to clarify that the April updates included a security hardening change. This change added psmounterex.sys to the company’s vulnerable driver blocklist, a measure intended to protect users from a high-severity buffer overflow vulnerability (CVE-2023-43896) that could allow attackers to escalate privileges or execute arbitrary code.
Microsoft has advised affected users to upgrade to newer versions of their applications that utilize updated drivers, which incorporate the necessary protections. The company emphasized that uninstalling or pausing the security update is not recommended, urging customers to install the latest application versions and verify against the driver blocklist to maintain security.
For those seeking to determine if the Microsoft Vulnerable Driver Blocklist is blocking a driver, they can check for Event ID 3077 with Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816} in the Code Integrity Operational log. This entry indicates that the psmounterex driver was blocked in enforcement mode. To access this information, users should right-click on Start, select Event Viewer, navigate to Applications and Services LogsMicrosoftWindowsCodeIntegrityOperational, and search for Event ID 3077.
In addition to these updates, Microsoft recently alerted users that some Windows Server 2025 devices may boot into BitLocker recovery mode following the installation of the KB5082063 update. The company has also issued out-of-band updates to address issues affecting Windows Server systems that resulted in installation failures and restart loops after the April 2026 security updates.
