Microsoft’s April 14, 2026 security update for Windows 11, KB5083769, is preventing Macrium Reflect and other third-party backup tools from mounting disk images. The root cause is a strengthened vulnerable driver blocklist that now flags psmounterex.sys, a kernel-level component used by Macrium for mounting backup images as virtual drives. Users who install the update find that previously reliable restore workflows break without warning.

The later optional preview update KB5083631 for Windows 11 version 24H2 and higher carries the same block. It extends the incompatible driver list automatically, even if users had previously allowed the driver through registry overrides. This aggressive enforcement is a significant departure from earlier practices where Microsoft typically gave vendors months of notice before blocking a signed driver.

Affected users see an error when attempting to mount a Reflect backup image: “Unable to mount image – the specified service has been marked for deletion” or, in some cases, a silent failure where the mounted volume simply does not appear in File Explorer. For IT professionals and home users alike, the inability to mount a backup image for granular file recovery undermines the very purpose of maintaining regular backups.

What Is Actually Being Blocked?

The blocked component, psmounterex.sys, is a legacy filesystem filter driver that Macrium Reflect has used for over a decade. It enables Windows to treat a Reflect backup file (.mrimg) as a mountable disk volume. When the driver is blocked, Windows refuses to load it, and the mount operation fails. Macrium had been gradually transitioning to a newer, more secure mounting architecture based on WinFsp, but millions of installations still rely on the old driver.

Microsoft has not publicly disclosed the precise vulnerability in psmounterex.sys. However, the driver had been flagged by security researchers in late 2025 for potential privilege escalation due to improper access control on its device object. The vulnerable driver blocklist (VDB), managed via the Windows Defender Application Control (WDAC) policy, is designed to prevent exactly such kernel-mode drivers from being exploited. In KB5083769, Microsoft simply added the driver’s hash and file information to the blocklist that ships with the security update.

Why Now? The Evolution of the Vulnerable Driver Blocklist

The VDB has been a part of Windows since 2022, but enforcement was opt-in for years. In 2025, Microsoft began enabling it by default on all Secured-core PCs and, with Windows 11 version 24H2, on any system that meets certain security baselines. KB5083769 takes the final step: it activates the blocklist on all Windows 11 devices, regardless of hardware security capabilities, via a mandatory security update.

The blocklist is implemented as a WDAC policy stored in %SystemRoot%\System32\CodeIntegrity\driversipolicy.p7b. When Windows boots, the kernel-mode Code Integrity component reads this policy and refuses to load any driver whose hash or signing certificate appears on the list. The policy is sealed; it cannot be modified by users or administrators without disabling Secure Boot or using driver blocklist override mechanisms—which Microsoft has steadily been restricting.

In previous updates, users could add a specific driver to an allow list by creating a registry key under HKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\Policy, but that escape hatch was partly closed in KB5083769. The registry override only works if the system is booted with the testsigning option enabled, which itself disables Secure Boot and many security features. This makes the workaround impractical for production machines.

Impact on Macrium Reflect Users

Forums and social media erupted with complaints within hours of the KB5083769 release. The problem affects:

  • All supported versions of Windows 11 (21H2, 22H2, 23H2, 24H2, and the 25H2 preview)
  • Macrium Reflect 8 Home and Workstation editions (all builds)
  • Macrium Reflect 7 and earlier (out of support but widely used)
  • Potentially other backup tools that relied on similar legacy mount drivers, including a few older versions of Acronis True Image and EaseUS Todo Backup

Enterprise deployments using Macrium Reflect Server Plus and Macrium Site Manager saw mass failures of automated recovery verification tasks. One IT administrator wrote on a widely read forum: “Our nightly backup checks suddenly failed on 43 servers. We spent six hours tracing it to KB5083769. Rolling back the update is not an option because it patches a zero-day.”

Home users faced a more confusing situation. The update installs automatically on Windows 11 Home, and the first sign of trouble often came when a user tried to recover a single file after a ransomware scare or accidental deletion. Without the ability to mount the backup, the only alternative was to perform a full restore—a risky and time-consuming operation.

Official Responses and Workarounds

Macrium Software acknowledged the issue on April 15, 2026, within 24 hours of the update’s release. The company stated that the block was “unexpected” and that they had been in communication with Microsoft to get the driver re-signed or to expedite the transition to their newer mounting service. A spokesperson noted: “We are working to have psmounterex.sys removed from the blocklist, but this requires a security review that can take weeks. In the meantime, users should avoid installing KB5083769 or, if already installed, use alternative recovery methods.”

Microsoft has not issued an official statement about this specific driver block. The Security Response Center’s guidance on the VDB emphasizes that blocked drivers are “identified as vulnerable to exploitation” and that “Microsoft recommends that driver developers update their drivers to address any identified vulnerabilities.”

For users who cannot wait, several workarounds exist, each with trade-offs:

  • Uninstall the update: KB5083769 can be removed via Settings → Windows Update → Update history → Uninstall updates. This restores image mounting but also removes critical security fixes, including a patch for a remote code execution vulnerability in the Windows Kernel (CVE-2026-21878) that had been actively exploited. Reverting is not recommended for any internet-connected machine.
  • Use Macrium Reflect’s WinPE recovery media: The standalone bootable environment bypasses the blocklist because it loads before the VDB policy. Users can boot from a Reflect rescue USB, mount the image in the WinPE environment, and copy out needed files. This is cumbersome but safe.
  • Disable the vulnerable driver blocklist entirely: This can be done by booting into the Windows Recovery Environment, opening a command prompt, and deleting the file driversipolicy.p7b from C:\\Windows\\System32\\CodeIntegrity. However, this leaves the system completely unprotected and may be reverted by future updates. It also triggers a security alert in Windows Defender.
  • Temporary registry override (limited): On some Windows 11 Pro and Enterprise systems, adding the driver’s attributes to the registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\Policy under a new subkey with the driver’s file name and disabling policy enforcement might work, but Microsoft has constrained this method; it requires Secure Boot off and may fail on newer builds.
  • Switch to Macrium Reflect X: Macrium’s next-generation product, Reflect X, eliminated the legacy mount driver and uses WinFsp user-mode mounting by default. Users on active support contracts can upgrade for free. The migration requires re-creating backup definitions, but the backup file format remains compatible.

Broader Implications for Backup Software and Windows Security

This incident highlights an intensifying conflict between Microsoft’s security agenda and the legacy driver ecosystem. The vulnerable driver blocklist has been an effective tool for neutralizing known attack vectors, but its unilateral expansion via monthly security updates creates chaos for ISVs whose drivers have not been updated or who were not given adequate notice.

Macrium is not alone. In late 2025, a similar blocklist update broke a popular VPN’s virtual adapter driver, and earlier in 2026, a diagnostic tool from a major PC manufacturer was blocked for a week. The pattern suggests that Microsoft is prioritizing rapid security response over backward compatibility, a shift that may be inevitable but is certainly painful.

For IT decision-makers, the lesson is clear: regular external-facing security updates can now break critical infrastructure tools. Testing updates in a staging environment before deployment is essential, but even that may not reveal mount failures unless specific restore scenarios are tested. Some organizations are now running parallel backup solutions with different mounting mechanisms to ensure recoverability.

Community discussions reflect a mix of frustration and understanding. Many users appreciate Microsoft’s efforts to lock down the kernel but feel that better communication and a phased rollout would have been more appropriate. The fact that the block happened without an advance warning in the Windows Update health dashboard has drawn particular criticism. The dashboard, intended to document known issues with updates, did not list the Macrium Reflect problem until April 17, two days after users flooded support channels.

What Should You Do Right Now?

If you rely on Macrium Reflect to mount backup images for file-level recovery:

  • Check your update status: Open Windows Update, click “Update history,” and look for KB5083769 or KB5083631. If installed and you need image mounting immediately, consider uninstalling—but only after ensuring you have alternative security measures, such as network isolation.
  • Prepare a recovery USB: Create Macrium Reflect rescue media (bootable USB) and test that you can mount an image within that environment. Keep this USB handy.
  • Evaluate upgrading to Reflect X: If your license allows, upgrading to the version that uses the new mount service is the most permanent fix.
  • Monitor Macrium’s support page: The company has committed to providing updates on the driver re-signing process and may release a hotfix that replaces psmounterex.sys with a newly signed version once Microsoft approves it.
  • Watch for a Microsoft reversal: Occasionally, Microsoft removes a driver from the blocklist after re-evaluation or under partner pressure. Keep an eye on the Windows release health dashboard for any updates regarding KB5083769 known issues.

Looking Ahead

The tension between securing the Windows platform and maintaining compatibility with essential third-party utilities will only grow. Microsoft’s rapid update cadence, combined with deeper kernel protections, means ISVs must modernize their driver stacks or risk being left behind. For users, the days of “set and forget” backup verification are over; proactive testing and contingency planning are now mandatory.

Macrium Reflect’s next iteration, Reflect X, shows the path forward: moving mounting logic out of the kernel and into user space, where a blocklist cannot reach. However, that migration takes time and resources. In the interim, outages like the one caused by KB5083769 will become more common, underscoring the need for IT teams to plan for compatibility breaks as seriously as they plan for security threats.

The immediate focus is on a fix that restores image mounting without exposing users to the underlying vulnerability. Whether that comes from Microsoft relaxing the block or Macrium delivering a re-architected driver, the coming weeks will determine how quickly normal backup workflows can resume for the millions who depend on them.