Microsoft has announced that the upcoming security update set for April 2026 will incorporate the psmounterex.sys driver into its Vulnerable Driver Blocklist. This significant alteration is poised to impact various third-party backup applications that rely on this driver for mounting images and generating Volume Shadow Copy Service (VSS) snapshots. The decision to implement this block stems from the need to address CVE-2023-43896, a critical buffer overflow vulnerability that poses risks of privilege escalation and arbitrary code execution.
The software affected by this change includes popular solutions such as Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup, all of which operate on Windows 11, Windows 10, and Windows Server platforms.
What Fails and What Does Not
While the creation of full image backups may still proceed without issue on impacted systems, complications arise specifically during image-mount operations. As a result, users may encounter difficulties when attempting to browse backups or restore data from them. Common error messages include “The backup has failed because Microsoft VSS has timed out during the snapshot creation,” along with the error code VSSEBAD_STATE. Additionally, the Event Viewer will flag Code Integrity errors, indicating that the psmounterex.sys driver was blocked from loading. Users should pay particular attention to Event ID 3077, accompanied by Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816} in the Code Integrity Operational log.
How to Check If Your System Is Affected
- Right-click the Start button and select Event Viewer.
- Navigate to Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
- Search for Event ID 3077 in the center pane.
If this event appears and references the psmounterex.sys driver in enforcement mode, your system is indeed affected.
Microsoft’s Recommended Fix for Backup Failures Caused by the April 2026 Update
In light of these developments, Microsoft advises users to upgrade to newer versions of the affected backup applications that utilize drivers not included on the blocklist. The company discourages uninstalling or delaying the April update, as the block is essential for mitigating an actively exploitable vulnerability. Backup software vendors are anticipated to roll out updated versions featuring compliant drivers in response to this situation.
Moreover, the April 2026 update has introduced a range of issues beyond the backup driver block. Microsoft has acknowledged that certain Windows Server 2025 devices may inadvertently boot into BitLocker recovery mode following the installation of KB5082063. In addition, out-of-band updates have been issued to rectify Windows Server update failures and restart loops experienced on domain controllers as a consequence of the April security updates.
