Microsoft has confirmed that its April 14, 2026 Windows 11 security update (KB5083769 and the April 30 preview KB5083631) is intentionally blocking third-party backup tools from mounting disk images, and it has no plan to back down. The block targets psmounterex.sys, a signed kernel driver used by Acronis, NinjaOne Backup, Macrium Reflect, Veeam Agent, UrBackup and Norton Cloud Backup. Microsoft says the driver carries known privilege-escalation flaws and will stay on the vulnerable-driver blocklist. Affected users on Windows 11 24H2 and 25H2 are being told to wait for a vendor patch, not roll the update back.
The standoff has played out in real time over the last two weeks, with Acronis publishing a support note on April 16, 2026 telling customers to uninstall the patch, and Microsoft publishing a contradicting advisory two days later telling them not to. The disagreement matters because backup creation works fine on most affected machines. It’s the mount and restore step, the moment users actually need their backups, that breaks.
Why Microsoft Drew a Line This Time
Microsoft’s position is that psmounterex.sys is no longer safe to load. Two privilege-escalation bugs, CVE-2025-11983 and CVE-2025-14276, were disclosed by researchers at Zscaler and Cisco Talos late last year, both rated 7.8 on the CVSS 3.1 scale. Either flaw lets a standard user send a crafted IOCTL to the driver and run code in kernel mode. Because the driver is signed, attackers can drop it onto a fresh machine and abuse it even if no backup software is installed. That’s the textbook bring-your-own-vulnerable-driver attack pattern, and the federal government has been pushing Microsoft hard to shorten the window between disclosure and blocklist enforcement.
The result is a sharp departure from how Microsoft has handled signed-driver flaws in the past. Vendors used to get months of warning before a driver landed on the blocklist. This time the gap was weeks.
“This intentional change of behavior is designed to protect devices against known vulnerabilities in the psmounterex.sys kernel driver. Following the installation of Windows updates released on or after April 14, 2026, Windows Code Integrity enforcement will block vulnerable versions of this driver from loading when the Microsoft vulnerable driver blocklist is enabled.” (Microsoft’s April 18, 2026 support note)

The Backup Apps Caught in the Crossfire
The list of affected products grew quickly once the update reached general availability. Acronis was first to publish a vendor-side advisory. Independent IT shops, per BleepingComputer’s reporting on the April rollout, reported the same VSS timeout signature across multiple products, suggesting the block has secondary effects on Volume Shadow Copy Service operations even when an image mount isn’t being attempted.
| Vendor | Product | Status as of May 2, 2026 |
|---|---|---|
| Acronis | Cyber Protect Cloud, True Image | KB-69025 advisory published April 16. Suggests switching to Acronis Snapshot for VSS driver. |
| Paragon Software | Hard Disk Manager 18 | Patched. Driver 7.0.23.1 shipped April 2, 2026, ahead of the Microsoft block. |
| Macrium | Reflect Free v8.0.7783 and earlier | Mount broken. Users directed to upgrade to Reflect X or driver 7.0.23.0+. |
| NinjaOne | NinjaOne Backup | Mount broken. Vendor patch in testing. |
| UrBackup | UrBackup Server | Mount broken. Patch tracked on the project’s issue list. |
The Driver at the Center of It
The psmounterex.sys driver started life inside Paragon Software’s disk-imaging stack and got licensed into a half dozen consumer and enterprise backup products over the last decade. Its job is narrow: take an image file sitting on disk and mount it as a virtual drive so File Explorer can browse the contents. That’s the feature your IT person uses when they need to pull one Outlook PST out of last Tuesday’s full-system image without restoring the whole machine.
The vulnerability researchers found in psmounterex.sys is the kind of bug that quietly haunts the Windows kernel driver universe. The driver accepts I/O control codes from user mode without enough validation. A regular user account can craft a request that ends up writing to kernel memory. Game over for a standard-user privilege boundary.
Northwave Cyber Security’s vulnerability team documented an out-of-bounds read in earlier psmounterex builds, and a related out-of-bounds write was disclosed in the same family. Patched driver versions 7.0.23.0 and 7.0.23.1 are what shipped to fix both.
Here is the catch most coverage skipped. Backup creation itself usually still works, because creation talks to VSS, not to psmounterex. Image mounting and image-based file restore are what the driver actually powers. So a customer can sit on weeks of “green” backup logs and only discover the block the day they try to restore a file.
That second-order effect, silent backups that look healthy until you need them, is the worst possible failure mode for a backup product. It is why Acronis and NinjaOne both moved to public advisories within 48 hours of the patch landing.
How to Tell If Your PC Is One of Them
Windows logs every blocked driver load attempt to a specific Event Viewer channel, so checking takes about 30 seconds. The signature you want is Event ID 3077 in the Code Integrity Operational log, which Microsoft documents as the enforced-policy block event in its Code Integrity Event Log Messages reference.
- Right-click Start, choose Event Viewer.
- In the left pane navigate to: Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
- Filter the log: right-click Operational, choose Filter Current Log, and enter Event ID 3077.
- Read the event detail. The driver name will be listed near the top, alongside the process that tried to load it.
- If you see psmounterex.sys, you are affected. The exact backup product trying to load it appears as the parent process.
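The same check can be scripted for a fleet or a remote session. The PowerShell below is an added example, not code from Microsoft or any vendor named here; the function name is hypothetical, and the event field names `File Name`, `Process Name` and `FileVersion` are assumptions about the 3077 event's data, with a fallback to the rendered message text.

```powershell
# Added example: list Code Integrity enforced-block events (ID 3077) naming a driver.
function Get-BlockedDriverEvent {
    param(
        [string]$DriverName = 'psmounterex.sys',
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 }
    # Get-WinEvent raises an error when nothing matches; treat that as "no blocks".
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the named <Data> fields of the event into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        # Assumed field names; if 'File Name' is missing, match on the message text.
        $file = $data['File Name']
        if (-not $file) { $file = $e.Message }
        if ($file -notlike "*$DriverName*") { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Driver      = $file
            LoadedBy    = $data['Process Name']   # the product that tried the load
            FileVersion = $data['FileVersion']    # compare against 7.0.23.0
            Computer    = $e.MachineName
        }
    }
}

$hits = @(Get-BlockedDriverEvent)
if ($hits.Count -eq 0) {
    'No 3077 events for psmounterex.sys in the retained log.'
} else {
    $hits | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
}
```

An empty result only covers what the log still retains, so a machine that has not attempted a mount since the update will show nothing even if it carries an unpatched driver.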
By the Numbers
The scope of this single update is easy to miss in a wire summary. The data points sitting underneath it tell a sharper story about how aggressive Microsoft has become with kernel-driver enforcement.
- April 14, 2026. Patch Tuesday release date for KB5083769, the cumulative that flipped the block on.
- 7.8 CVSS. Severity rating for both psmounterex.sys flaws disclosed by Zscaler and Cisco Talos.
- 6 named vendors. Acronis, Macrium, NinjaOne, UrBackup, Veeam Agent and Norton Cloud Backup all relied on the same driver lineage.
- 2 days. Gap between Acronis telling users to uninstall and Microsoft telling them not to.
- Event ID 3077. The single Windows event that confirms a driver was blocked under enforced policy.
- April 2, 2026. Date Paragon shipped Hard Disk Manager 18 with the patched driver, twelve days before the block landed.
The Registry Bypass Microsoft Quietly Hates
For users who cannot wait for a vendor fix, a one-line registry edit will turn the blocklist off. The command, run from an elevated Command Prompt, sets the VulnerableDriverBlocklistEnable value under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config to zero. After a reboot, the driver loads again and the backup software returns to normal.
This is also exactly the registry key that ransomware crews target when they want to load their own malicious driver onto a victim machine. Sigma rule libraries from the SigmaHQ detection community already flag any modification to this value as a high-severity EDR-bypass indicator. Disabling the blocklist on a personal machine to recover one PST file is one thing. Doing it on a fleet of corporate endpoints to keep an old backup product running is, in most threat models, worse than the original vulnerability.
That is the implicit reason Microsoft refuses to pull KB5083769. Reverting the block on hundreds of millions of machines to keep one driver alive would invite exactly the BYOVD attacks the block was designed to stop.
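For defenders, the useful questions are whether the blocklist is currently off on a host and what turned it off. The PowerShell below is an added example, not taken from SigmaHQ or Microsoft; the function names are hypothetical, and the second function assumes Sysmon is installed with a configuration that records registry value sets (Event ID 13) for this key.

```powershell
# Added example: audit the vulnerable-driver blocklist switch on one host (read-only).
$CiConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$ValueName = 'VulnerableDriverBlocklistEnable'

function Get-DriverBlocklistState {
    $item = Get-ItemProperty -Path $CiConfig -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item)                 { $state = 'NotSet' }    # value absent: OS default applies
    elseif ($item.$ValueName -eq 0) { $state = 'Disabled' }  # the bypass described above
    else                            { $state = 'Enabled' }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $item.$ValueName
        State    = $state
    }
}

function Get-BlocklistValueWrite {
    param([int]$MaxEvents = 5000)
    # Assumption: Sysmon logs registry value sets (Event ID 13) covering this key.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        if ($data['TargetObject'] -notlike "*\Control\CI\Config\$ValueName") { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            WrittenBy   = $data['Image']     # process that changed the value
            User        = $data['User']
            NewValue    = $data['Details']   # e.g. DWORD (0x00000000)
        }
    }
}

$state = Get-DriverBlocklistState
$state | Format-List
if ($state.State -eq 'Disabled') {
    Write-Warning "Vulnerable-driver blocklist is off on $($state.Computer)."
}
Get-BlocklistValueWrite | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
```

A `Disabled` state with no matching write event means the change predates the retained Sysmon log or was never recorded, which is itself worth investigating on a managed endpoint.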
What Each Vendor Is Telling Users Now
Vendor responses have split into two camps over the last fortnight. Some shipped a patched driver before the block landed. Others are still moving. The cleanest view comes from comparing the public advisories side by side.
- Paragon. Updated and ahead. Hard Disk Manager 18 with driver 7.0.23.1 was released on April 2, 2026, before Patch Tuesday, in coordinated disclosure with Microsoft.
- Acronis. KB-69025 directs Cyber Protect Cloud users to switch the snapshot provider to Acronis’s proprietary VSS driver, which does not depend on psmounterex.
- Macrium. Reflect Free v8 is end-of-life. Users are pushed to the current Reflect X line, which uses a different mount stack.
- NinjaOne. A driver update is in regression testing as of late April. The vendor is shipping interim guidance to MSPs through its support portal.
- UrBackup. Open-source patch tracked on the project’s issue tracker. Maintainers have flagged a community build for early May 2026.
Enterprise IT admins who run mixed fleets are mostly choosing a third path. They are leaving KB5083769 installed, accepting that image-mount restores will fail for now, and using file-level restore from cloud backup as the interim recovery method until vendor patches certify out.
Frequently Asked Questions
Should I uninstall KB5083769 to fix my backup software?
Microsoft is explicitly advising against it. Uninstalling the patch removes a long list of unrelated security fixes shipped in the same cumulative, and the next monthly update will reinstall the block anyway. The recommended path is to update your backup software to a version that uses the patched driver (7.0.23.0 or later) or that does not depend on psmounterex.sys at all.
Will my scheduled backups still run after KB5083769?
In most cases yes. Backup creation usually goes through Volume Shadow Copy Service and does not load psmounterex.sys. The block hits when you try to mount an existing image file as a virtual drive to browse or restore individual files. That means a backup job can show “Success” while restoring from it silently fails, which is why vendors moved fast on advisories.
Which Windows 11 versions are affected?
The block targets Windows 11 24H2 and 25H2, both Pro and Home editions. Older releases including Windows 11 23H2, 22H2 and 21H2 are not on the April 14, 2026 enforcement schedule. Administrators on internal forums report that Windows Server builds running the equivalent monthly cumulatives have been seeing the same kernel block.
Is the registry hack to disable the blocklist safe?
Not on any machine that touches sensitive data. Setting VulnerableDriverBlocklistEnable to zero turns off Windows Code Integrity’s BYOVD defense across the entire system. Endpoint detection products from Microsoft, CrowdStrike and SentinelOne treat that registry change as a high-confidence indicator of compromise. Use it only on isolated test boxes, and set the value back to one when finished.
How do I know if a driver is being blocked on my PC?
Open Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational, and filter for Event ID 3077. Any blocked driver load shows up there with the driver name and the process that tried to load it. If psmounterex.sys appears, your backup software is the cause.
The bigger picture for Windows users is that signed does not mean safe anymore. Microsoft has spent years pushing the vulnerable-driver blocklist from an opt-in curiosity into the default kernel security boundary, and the April update is the loudest signal yet that the company will sacrifice third-party app compatibility to shut down BYOVD attacks on schedule.
For now the practical move is to verify your backup vendor has shipped a 7.0.23.0-or-later driver, run a test restore in May 2026 before you actually need one, and treat any green backup log as unproven until you can mount the image and read a file out of it.