In a recent announcement, Microsoft has confirmed that the April 2026 Windows security update, KB5083769, may disrupt image-mount operations for several prominent backup applications on patched Windows systems. The affected software includes Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup. This regression is part of a broader set of issues arising from the April updates, which were released on April 14, 2026, alongside KB5082052.
The crux of the issue lies in the addition of the psmounterex.sys kernel driver to Microsoft’s Vulnerable Driver Blocklist. This action was taken to mitigate a high-severity buffer overflow vulnerability, identified as CVE-2023-43896, which poses risks of local privilege escalation and arbitrary code execution. By blocking this driver, Microsoft aims to thwart potential exploitation by attackers who often leverage flawed drivers in their strategies.
“In the April 2026 Windows security update, we added known vulnerable kernel driver psmounterex.sys to the Vulnerable Driver Blocklist. Backup applications that rely on this driver may experience failures when attempting to mount or manage disk images.”
Microsoft
What Microsoft Changed
The inclusion of psmounterex.sys in the Vulnerable Driver Blocklist signifies a significant shift in how Microsoft manages driver security. This list is designed to prevent Windows from loading kernel drivers that could be exploited by malicious actors. The psmounterex.sys driver, which is utilized by various backup vendors for image-file mount operations, has now rendered multiple products inoperable due to a single blocklist entry. Microsoft has made it clear that it will not retract this block, prioritizing security over immediate functionality.
For administrators seeking to diagnose the issue, Event ID 3077 in the Code Integrity log serves as a reliable indicator, confirming that the blocklist is the source of the failure rather than the backup software itself. This log entry is tied to Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816}, providing a clear signal of the operational disruption.
Microsoft’s Guidance and Broader April Issues
In light of these developments, Microsoft has advised customers to update their backup applications to versions that incorporate the necessary driver protections, rather than opting to uninstall or pause the security patch. This guidance has remained consistent across subsequent communications from the company. While some administrators have circulated an unofficial registry workaround that temporarily disables the blocklist enforcement for psmounterex.sys, Microsoft does not endorse this approach, as it reopens the very vulnerabilities the patch was intended to address.
The challenges posed by the April updates extend beyond backup failures. Reports indicate that Windows Server installations may encounter failures or enter restart loops, prompting Microsoft to issue out-of-band emergency updates. Additionally, certain devices may boot into BitLocker recovery mode after applying the updates, leading to further complications for users. As administrators await updated builds from Macrium, Acronis, UrBackup, and NinjaOne that replace psmounterex.sys with a non-blocklisted driver, the focus remains on navigating the intricacies of these evolving security measures.
