Microsoft Updates Disrupt Third-Party Backup Apps on Windows

"In the April 2026 Windows security update, we added known vulnerable kernel driver psmounterex.sys to the Vulnerable Driver Blocklist," Microsoft told BleepingComputer.

What Microsoft changed and why

Microsoft confirmed its April 2026 security updates include a security hardening change that adds the kernel driver psmounterex.sys to the company’s Vulnerable Driver Blocklist. The change is intended to defend users against exploits targeting a high-severity buffer overflow vulnerability tracked as CVE-2023-43896, which Microsoft says can allow attackers to escalate privileges or execute arbitrary code.

Products and operating systems affected

Third-party backup products that rely on the psmounterex.sys driver have been reported to experience failures. The issue affects, but is not limited to, Macrium (Reflect), Acronis (Cyber Protect Cloud), UrBackup Server, and NinjaOne Backup running on Windows 11, Windows Server, and Windows 10 devices.

How the failures present for IT admins and users

  • Backup applications that rely on psmounterex.sys may fail to mount backup image files as virtual drives.
  • Attempting to browse or restore from a backup image can result in errors or timeouts; messages cited by Microsoft and in reports include "The backup has failed because Microsoft VSS has timed out during the snapshot creation" or VSS_E_BAD_STATE.
  • Event Viewer may show Code Integrity errors indicating that psmounterex.sys was blocked from loading. Administrators can look for Event ID 3077 with Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816} in the Code Integrity Operational log to confirm the driver was blocked in enforcement mode.
  • Full image backup creation may still succeed, while image-mount operations fail.

Mitigations Microsoft and vendors recommend

Microsoft advised customers not to uninstall or pause the April security updates. Instead, affected customers should install the latest versions of their backup applications; vendors' newer application builds include updated drivers that incorporate the protections Microsoft requires. Microsoft also advised customers to validate their applications against the driver blocklist to remain protected.

How technologists, affected enterprises, and end users should respond

  • Technologists and security teams: Check the Code Integrity Operational log for Event ID 3077 and the Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816} to confirm whether psmounterex.sys was blocked, and prioritize testing of image-mount operations even if full backups complete.
  • Affected enterprises and procurement leaders: Coordinate with backup vendors to obtain and validate updated application versions that include the newer driver, and avoid rolling back the Microsoft updates while fixes are deployed.
  • End users and backup administrators: If you encounter mount failures or VSS timeouts, follow vendor guidance to update the backup application and check Event Viewer for Code Integrity messages rather than uninstalling Windows updates.
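
The log check described above can be scripted. The following PowerShell is an added example, not code from Microsoft or the original article. The function name and its parameters are hypothetical, and it assumes the policy ID appears among the event's data values; the driver name, Event ID and Policy ID are the ones quoted above.

```powershell
# Added example: confirm whether psmounterex.sys was blocked by Code Integrity.
# Get-BlockedDriverEvent and its parameters are hypothetical names.
function Get-BlockedDriverEvent {
    [CmdletBinding()]
    param(
        [string]$DriverName = 'psmounterex.sys',
        [string]$PolicyId   = '{D2BDA982-CCF6-4344-AC5B-0B44427B6816}',
        [string]$EvtxPath,   # optional: exported .evtx file for offline triage
        [int]$Days = 30      # search window (assumed default)
    )

    $filter = @{ Id = 3077; StartTime = (Get-Date).AddDays(-$Days) }
    if ($EvtxPath) { $filter.Path = $EvtxPath }
    else           { $filter.LogName = 'Microsoft-Windows-CodeIntegrity/Operational' }

    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $guid   = $PolicyId.Trim('{}')   # compare without braces

    foreach ($e in $events) {
        # Flatten every EventData value so the match does not depend on field names.
        $xml    = [xml]$e.ToXml()
        $values = @($xml.Event.EventData.Data | ForEach-Object { $_.'#text' })

        # -like is case-insensitive, so path and GUID casing do not matter.
        $hitDriver = $values | Where-Object { $_ -like "*$DriverName" }
        $hitPolicy = $values | Where-Object { $_ -like "*$guid*" }
        if ($hitDriver -and $hitPolicy) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Computer    = $e.MachineName
                Driver      = @($hitDriver)[0]
                PolicyId    = $PolicyId
            }
        }
    }
}

$blocked = @(Get-BlockedDriverEvent)
if ($blocked.Count -gt 0) {
    $blocked | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
    "{0} block event(s): update the backup application, keep the Windows update." -f $blocked.Count
} else {
    "No Event ID 3077 entries for psmounterex.sys under this policy in the search window."
}
```

Reading the Code Integrity log may require an elevated session; pass `-EvtxPath` to run the same check against a log exported from another machine.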

Microsoft also issued out-of-band updates to address other Windows Server issues after the April updates. Earlier this month, the company warned that some Windows Server 2025 devices may boot into BitLocker recovery mode, prompting entry of the BitLocker key, after installing KB5082063. Those server-side fixes addressed update installation failures and restart loops observed after the April security updates.

The immediate, concrete path is narrow: do not remove Microsoft’s patches, confirm whether psmounterex.sys is being blocked using the specified Event ID and Policy ID, and upgrade affected backup software to versions that ship drivers with the required protections. That sequence preserves the security hardening Microsoft put in place to mitigate CVE-2023-43896 while restoring image-mount functionality through vendor updates.

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-backup-failures-caused-by-vulnerable-driver-block/