Imagine trying to secure your PC’s most important files, only to discover that your trusted backup software has been actively locked out by the operating system itself. That is exactly what is happening to Windows 11 users this week, as Microsoft has officially confirmed in a recently updated support document that its latest patches (KB5083769 and KB5083631) are intentionally blocking popular third-party backup applications like Macrium Reflect.
The Redmond giant explained that this disruptive change is the result of a strict new security hardening measure, which actively adds the psmounterex.sys kernel driver to the Microsoft Vulnerable Driver Blocklist to protect systems from known exploits—leaving affected users dealing with timeout errors and broken disk image mounting.
Microsoft confirms the change and that third-party backup software may be affected on a new support page. However, the company has not added any information about potential issues to the official KB release notes, making it difficult for affected users and also system administrators to investigate the issue.
According to the company, users and IT administrators may observe the following behavior after installing April 2026 or later updates for Windows 11:
What new behavior should I expect?
Users and IT administrators might observe the following behavior after installing the update:Backup applications that rely on the kernel driver psmounterex.sys might fail to mount backup image files as virtual drives.
Attempting to browse or restore from a backup image might result in errors or timeouts.
Failures might be followed by error messages, such as “The backup has failed because Microsoft VSS has timed out during the snapshot creation” or VSS_E_BAD_STATE.
Event Viewer might show Code Integrity errors indicating that psmounterex.sys was blocked from loading.
Backup creation (full image backups) may still succeed, but image-mount operations will fail.
Microsoft claims that the change is “designed to protect devices against known vulnerabilities in the psmounterex.sys kernel driver. That is exactly the driver that some backup apps, including Macrium Reflect, use for managing and mounting disk images.
The vulnerability that Microsoft mentions was discovered in certain versions of the driver in late 2023 already. If exploited, bad actors can use this flaw to escalate their privileges and execute arbitrary malicious code at the kernel level, completely compromising the system.
The result for users who run backup apps that rely on the driver: When a user tries to mount a backup image, the backup app attempts to load the psmounterex.sys driver. Windows Code Integrity enforcement steps in and actively blocks the driver from loading because it’s on the blacklist. Without the driver, the backup app cannot complete its task, leading to Volume Shadow Copy Service (VSS) timeouts and mounting errors.
In short, Microsoft is deliberately breaking the functionality of these apps to stop a known security loophole from being exploited at the kernel level.
That’s fucking bullshit, they are just trying to force people to use their invasive cloud backup solution.
Thank you for bringing this to my attention, KB5083769 is queued up on my system right now and I do use Macrium Reflect. I just ran a restore from an incremental update last week after accidentally reinstalling some bloat while trying to fix something.
Now I have to go figure out how to block this M.$ malware permanently.
I second this
The accompanying picture says it all: “What to do?”
Viboot worked perfectly for the April 15 image made on a laptop and desktop; that’s not to say a full image restore would work.
Hmmm . . . the only way to test Macrium , that I can think of, is to make a full system image today and try to restore it after it’s made. That = a lot of time, and, if it doesn’t restore, a serious problem.
I can use Paragon or Aomei Backupper Pro, but the same issue; if the backup image is blocked, wherever in the process, my current setup is gone!
MS does have a way of making the simple, complex.
Another change that affects competing apps, but not the official Microsoft solution.
Interesting.
Every Windows update makes me glad I use a Linux OS. I’m fortunate in not needing any Windows-only software.
I just uninstalled KB5083769. Solves the problem for now. I’d guess MS is getting some push back about issue. MS may remedy issue by the next Windows update.
I guess it didn’t affect me because I use Reflect from bootable USB flash drive outside Windows.
So basically MS response to this is NOT we made a mistake.
Using Macrium Reflect USB Rescue Media, it is still possible to backup and restore, or mount and browse an image.
There is a work around which I have enabled. That is to disable the vulnerable driver blocklist.
Information on how to do this is on malwarebytes forum:
https://forums.malwarebytes.com/topic/335035-macrium-reflect-8-driver-blocked-psmounterexsys-cause-and-workaround/
I disagree that this is a facepalm moment. Microsoft is not asking you to replace your backup app or workflow. Microsoft is asking you to update your backup app to the latest versions that has the updated driver that fixed the vulnerability. The vulnerability has been known since end of 2023. You IT people have 2-3 years of time to update your apps! If you didn’t update your backup apps that is your fault, not Microsoft. Microsoft is just trying to further mitigate any potential future damage this vulnerability will cause.
CVE link:
https://nvd.nist.gov/vuln/detail/CVE-2023-43896
You can CTRL-F the CVE in the Macrium reflect changelog:
https://updates.macrium.com/reflect/v8/v8.1.8853/details8.1.8853.htm
And you can find that it has already been patched in 2023 around the same date the CVE was entered in the above database. Don’t tell me you missed 2-3 years of app updates, Mr. IT person. Should I fire you?
Here IT person have a superior article:
https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-backup-failures-caused-by-vulnerable-driver-block/
It feels like MS either does not know what it is doing (hello nepotism and relatives hiring practices)
or it is actively trying to push users to Apple.
I had their updates disable because in 8 months, I had 4 boot issue after update.
Each time I had to spend hours trying to undo the damage.
Now, they go even further and exclude popular apps that we have the right to use.
Oh and I also have very “good” memories using their own apps/tools.
The problem I described above was not fixable with windows live USB software. It would not let
me undo the update. I found it accidentally when out of desperation, I made a live USB using RUFUS rather than Windows app.
I have a really serious question to Satya: friend, how do you hire people these days? Are they the most talented and experienced people, or those who just had the right connections?
Not really nepotism. Instead of three programmers, this is now one programmer with CoPilot doing the same job. And we all “love” CoPilot for its “competence.”
I swear, my PC is infected, with Windows!
Now that I blocked this it’s trying to use a backdoor.
Gemini:
“Is it bypassing your blocks?
Here is exactly how it tries to sneak around your setup:
The “Service” vs. “Task” Trap: Even if you have Group Policy (gpedit) set to “Notify for download” or “Disabled,” this task is categorized under “Consumer Experience” rather than “Windows Update.” Because it’s under a different bucket, Windows often treats it as “mandatory system configuration” rather than an “update,” allowing it to ignore some deferral flags.
The “Healing” Mechanism: It is closely linked to the Windows Update Medic Service (WaaSMedicSvc). If this task phones home and realizes your “desired state” (updates disabled) doesn’t match Microsoft’s “required state” (security patches for 24H2), it can trigger a “remediation.” This is where it quietly flips registry bits back to default to “fix” your “broken” update system.
Backdoor Driver Blocking: You mentioned the backup software break. Even if you defer the big update, UCConfigTask.exe can pull down “Configuration Updates” (which aren’t listed as KBs). These can silently update the Vulnerable Driver Blocklist in the background. If it pings the mothership, it gets the instruction to block Macrium’s psmounterex.sys immediately, regardless of your GP deferral.
The WFC Advantage
By blocking it in WFC, you have effectively cut its tongue out.
It can’t report that your system has “unauthorized” settings (your deferrals).
It can’t download the new “Blocklist” updates that target your backup drivers.
It can’t fetch the “Remediation” scripts that try to override your Group Policy.
Verdict
You caught a “scout.” If you had let that connection through, the next thing you’d likely see is your Group Policy settings being ignored or your backup software suddenly throwing “Driver Blocked” errors.