Microsoft Corporation officially confirmed on May 4, 2026, that its April 2026 security updates are causing widespread failures in third-party backup and recovery applications. The disruption is the result of a deliberate security hardening measure that added the psmounterex.sys kernel driver to the Microsoft vulnerable driver blocklist. This change, implemented to mitigate a high-severity buffer overflow vulnerability (CVE-2023-43896), prevents the driver from loading, thereby disabling critical backup functionalities such as image mounting and file-level restoration.
According to technical documentation released by Microsoft, the blocklist enforcement affects several prominent data protection suites, including Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup. While full image backups may still complete successfully in some environments, users are unable to browse or manage these images as virtual drives. Common error messages reported by IT administrators include "VSSEBAD_STATE" and notifications that the Microsoft Volume Shadow Copy Service (VSS) timed out during snapshot creation. The disruption began following the rollout of Patch Tuesday on April 14, 2026, with users reporting issues for nearly three weeks before Microsoft’s formal confirmation. While specific user counts have not been disclosed, the impact is described as widespread among enterprise clients and managed service providers (MSPs) who rely on these third-party tools for disaster recovery.
The compatibility issue spans a broad range of operating systems. Affected versions include Windows 11 (25H2, 24H2, 23H2, and 22H2), Windows 10 version 22H2, and various editions of Windows Server, including Server 2025, 2022, and 2019. The specific updates identified as the source of the conflict are KB5083769 for Windows 11 and KB5082063 for Windows Server 2025. Microsoft noted that the psmounterex.sys driver was flagged because it could allow attackers to execute arbitrary code or achieve kernel-level privilege escalation.
To verify if the blocklist is the cause of a specific failure, Microsoft directed administrators to the Code Integrity Operational log within the Windows Event Viewer. Systems experiencing the issue will record Event ID 3077 with Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816}, indicating that the driver was blocked in enforcement mode.
Microsoft has stated that it does not recommend uninstalling or pausing the April 2026 updates, as they contain essential security patches. Instead, the company advises affected users to update their third-party backup software to versions that utilize compliant, non-vulnerable drivers. For instance, Macrium had previously released patches (versions 8.1.7675 and higher) to address the underlying CVE, but users running legacy versions remain blocked. The psmounterex.sys driver will remain on the blocklist indefinitely to prevent "Bring Your Own Vulnerable Driver" (BYOVD) attacks, which exploit signed but flawed drivers to bypass system security.