Microsoft’s April 2026 Patch Tuesday update has inadvertently crippled a critical backup feature for thousands of Windows 11 users. The KB5083769 security update, released on April 14, 2026, added the psmounterex.sys kernel driver to the Windows kernel driver blocklist. This driver is essential for many third‑party backup applications to mount disk image files as virtual drives. The follow‑up KB5083631 preview update, issued later in April, extended the block to even more systems. As a result, backup tools like Macrium Reflect, Veeam Agent, and others can no longer mount backup images for file‑level recovery or verification.

Users first noticed the problem when routine backup integrity checks failed with cryptic error messages. Common errors include “Cannot mount image: the driver has been blocked from loading” and “Volume shadow copy error — code 0x8004230F.” IT administrators running scheduled restore tests over the weekend were met with failed jobs and support tickets on Monday morning. The impact is widespread because psmounterex.sys ships with many popular disk imaging utilities. Even Windows’ own native VHD mounting remains unaffected, leaving third‑party tools in the lurch.

What causes the block?

The Windows Driver Blocklist is a security feature introduced in Windows 11 2022 Update (version 22H2). It prevents known‑vulnerable or malicious drivers from loading by checking their signatures against an updated blocklist. Microsoft updates this blocklist regularly through security intelligence updates and cumulative updates. When a driver’s hash or certificate appears on the list, the kernel refuses to load it, displaying a “Driver blocked due to vulnerability” notification. In the case of psmounterex.sys, Microsoft deemed the driver vulnerable to a local elevation of privilege attack. The specific vulnerability details remain under limited disclosure, but sources indicate a buffer overflow in how the driver parses specially crafted image files.

While security hardening is welcome, blocking a widely used backup driver without a clear migration path has drawn criticism. Backup and recovery are cornerstones of data protection. Breaking them in the name of security creates a paradox where users might disable updates or seek unsupported workarounds. Microsoft’s own guidance suggests that backup vendors should update their software to use a secure, supported API, but such re‑architecting takes months and cannot retroactively fix existing deployment images.

The backup tools caught in the crossfire

Macrium Reflect, one of the most popular Windows backup solutions, relies heavily on psmounterex.sys for its image mounting and pausing features. Reflect uses the driver to present a backed‑up partition as a writable virtual disk, allowing users to browse and restore individual files without a full system recovery. With the driver blocked, Reflect’s mount functionality fails entirely. The company has acknowledged the issue on its support forum and is working on a driver‑less mounting approach using Windows’ native APIs, but no date has been set.

Other affected tools include:
- Veeam Agent for Windows — uses the driver for file‑level recovery from image backups.
- AOMEI Backupper — offers a similar mount‑and‑browse feature.
- EaseUS Todo Backup — affected in its imaging and universal restore functions.
- Paragon Backup & Recovery — uses a variant of the driver for mounting archives.
- Older versions of Acronis True Image — newer versions may already use a different method.

Enterprise environments with large fleets of endpoints are especially hit. Managed service providers (MSPs) that rely on automated backup verification are seeing a flood of false‑positive failures. Some have resorted to instructing clients to pause Windows Updates, which itself poses a security risk.

What Microsoft has said (and not said)

Microsoft’s support article for KB5083769 originally made no mention of the driver block. Only after user complaints did a section appear noting that psmounterex.sys had been “added to the driver blocklist to address a potential security vulnerability” and that the company “recommends working with your backup vendor to obtain a compatible update.” The article provides no timeline for when a fixed driver might be unblocked, nor does it suggest a temporary mitigation other than uninstalling the update.

The response mirrors Microsoft’s handling of similar incidents in the past, such as when it blocked outdated drivers for popular virtualization software. However, the lack of coordination with backup ISVs before the update’s release has frustrated developers. On the Microsoft Tech Community forum, a user claiming to represent a backup company wrote, “We were given zero notice. Our support lines have been overwhelmed since the patch hit.”

Community reactions and workarounds

Within hours of the update’s release, Reddit, Twitter, and Spiceworks forums lit up with complaints. System administrators shared screenshots of failed backup consoles and heated reactions. The most common workaround circulating is to uninstall the update:

  1. Open Settings > Windows Update > Update history > Uninstall updates.
  2. Select KB5083769 (and KB5083631 if installed) and click Uninstall.
  3. Restart the PC.

After uninstalling, many users reported that backup mounting worked again. However, this removes all security fixes packaged in the cumulative update, including critical patches for other vulnerabilities. For security‑conscious organizations, it’s a bitter pill.

Another approach is to switch to Windows’ native backup tools in the interim, but that’s impractical for those with terabytes of existing backup archives in proprietary formats. Some power users have attempted to manually remove psmounterex.sys from the blocklist by editing the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Drivers, but doing so requires disabling Secure Boot and is not supported by Microsoft. The blocklist is cryptographically enforced, so simple registry edits may not survive a reboot or the next security intelligence update.

The technical details — why this driver?

Psmounterex.sys is a kernel‑mode driver that creates virtual disk devices. It operates by intercepting disk I/O requests and redirecting them to the backup archive file, presenting a normal disk to the operating system. This technique requires low‑level access and, if exploited, can allow an attacker to execute arbitrary code with SYSTEM privileges. The vulnerability Microsoft patched likely relates to insufficient validation of input when parsing the backup archive’s metadata structure.

Security researcher Alex Ionescu noted on Twitter that such drivers are “notoriously hard to secure because they must handle complex file formats in kernel space.” He suggested that Microsoft should have provided a user‑mode mounting API in the Windows Filtering Platform, pushing the risky parsing out of the kernel. Microsoft has indeed moved toward user‑mode driver frameworks (UMDF) for non‑hardware drivers, but legacy software still depends on kernel drivers.

What should affected users do?

For consumers

If you are a home user who relies on Macrium Reflect or a similar tool for weekly backups, your safest bet is to pause Windows Updates for a few weeks until your backup vendor releases an update that no longer depends on the blocked driver. You can pause updates for up to 35 days under Settings > Windows Update. In the meantime, use the vendor’s recovery boot media (USB or CD) to mount and browse backups, which bypasses Windows’ driver blocklist because it boots from a separate environment.

For businesses

Enterprise administrators should immediately check their backup software vendor’s status. Most major vendors have published KB articles detailing the impact and workarounds. If your backup system is critical and cannot tolerate downtime, consider rolling back the update on backup servers while keeping it on other endpoints — but note that the blocklist also propagates via Microsoft Defender’s security intelligence updates, so simply avoiding the cumulative update may not suffice. Test the mounting feature on a patched, non‑production machine before committing to any change.

You can also leverage Windows’ built‑in VSS (Volume Shadow Copy Service) writers to back up critical data without relying on the blocked driver, though this approach sacrifices the convenience of full disk images.

For developers

If you are a software vendor whose product depends on psmounterex.sys, your immediate recourse is to migrate to a user‑mode mounting solution using the Windows Mount Manager API or the OpenVirtualDisk API. These APIs do not require a kernel driver and are immune to the driver blocklist. For older product versions already in the field, you can release a patch that replaces the driver with a user‑mode DLL and repackages existing backup archives to be mountable without it. Microsoft has published a migration guide on its driver development portal, but it requires a thorough rewrite of the I/O stack.

The broader picture: kernel driver blocklist evolution

Microsoft’s aggressive driver blocklist is part of a multi‑year effort to lock down the Windows kernel. With the rise of bring‑your‑own‑vulnerable‑driver (BYOVD) attacks, in which attackers deliberately load a legitimate but vulnerable driver to gain kernel privileges, the blocklist has become an essential defense. Over 2,000 drivers are now blocked, including those from hardware vendors like ASUS and Gigabyte. However, each new addition risks collateral damage, as seen here.

The Windows 11 24H2 update further tightened restrictions by enforcing Memory Integrity (HVCI) and blocking all drivers not compliant with the WHQL signing process. Microsoft has indicated that future Windows releases will require all drivers to be validated through the Windows Hardware Compatibility Program, potentially phasing out legacy kernel drivers entirely.

For the backup industry, this signals the end of kernel‑mode image mounting. The recovery community must adapt to user‑mode alternatives, even if those alternatives offer slightly lower performance or lack some features like writable mounts. The change mirrors Apple’s macOS transition where kernel extensions (KEXTs) were deprecated in favor of System Extensions.

What to expect next

Looking ahead, Microsoft is unlikely to remove psmounterex.sys from the blocklist once a CVE is assigned and the driver is considered vulnerable. The security team rarely reverses such decisions unless the vendor can prove the driver has been fixed and re‑submit it for WHQL certification. Instead, pressure will mount on backup vendors to accelerate their update cycles.

Macrium has promised a beta release within four weeks that uses a new, Microsoft‑approved mounting engine. Veeam already has a hotfix available for its latest version. Users of older, unsupported backup software may need to purchase a current version or switch to a different solution. The incident serves as a stark reminder that any software relying on kernel‑mode components must have a maintenance plan to keep up with Windows’ evolving security posture.

For now, the best advice is to check your backup software’s update channel daily, test your restores regularly, and — if possible — maintain at least one backup method that does not depend on third‑party drivers. The native Windows Backup and Restore (Windows 7) tool still works on Windows 11 and can create system images without triggering the blocklist, though it lacks the polish and features of dedicated solutions.

The KB5083769 saga highlights the ongoing tension between security and functionality. As Microsoft hardens Windows at the kernel level, the ecosystem of dependent software must evolve or be left behind. For the millions who trust disk imaging for disaster recovery, the clock is ticking to find a stable path forward.