What KB5083769 Changed and Why Backups Are Failing
Microsoft’s KB5083769 Windows update introduced a significant security change that is now colliding with everyday backup workflows. As part of the April cumulative release, Microsoft added the kernel driver psmounterex.sys to its Vulnerable Driver Blocklist to mitigate a high-severity buffer overflow vulnerability tracked as CVE-2023-43896. Blocking this driver reduces the risk of bring-your-own-vulnerable-driver attacks, where malware loads signed but flawed kernel modules to gain privileged access. However, psmounterex.sys is also a shared mounting component used by several backup vendors for image-mount and snapshot operations. Once Windows refuses to load the driver, backup software compatibility takes a hit: image creation may still work, but image-mount and some snapshot-based tasks start to fail. Microsoft has acknowledged this regression, but is prioritising the security fix, treating the resulting backup breakage as collateral damage that must be addressed by software vendors rather than by reversing the block.
Which Backup Tools Are Affected and How the Issue Shows Up
The kernel driver block in KB5083769 is affecting multiple backup solutions that depend on psmounterex.sys for image handling. Microsoft has specifically called out Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup as known victims. For many users, this translates into backup jobs that appear normal during image creation but fail when attempting to mount or manage disk images. Administrators report symptoms such as Volume Shadow Copy Service (VSS) snapshot timeouts, failures with messages like “The backup has failed because Microsoft VSS has timed out during the snapshot creation,” or error codes such as VSS_E_BAD_STATE. On Windows 10, Windows 11, and Windows Server systems, you can confirm the root cause via Event Viewer. In the Code Integrity log, Event ID 3077 tied to a specific App Control policy indicates that psmounterex.sys was blocked, clearly linking the failures to the Vulnerable Driver Blocklist rather than to general application corruption.
Why Microsoft Won’t Undo the Kernel Driver Block
Despite the disruption to backup operations, Microsoft has made it clear that the psmounterex.sys kernel driver block will remain in place. The driver’s buffer overflow flaw allows local privilege escalation and arbitrary code execution, making it an attractive building block for ransomware operators and advanced attackers. In recent years, threat actors have increasingly relied on signed-but-vulnerable drivers as stealthy paths to ring-zero code execution. To counter this, Microsoft periodically refreshes its Vulnerable Driver Blocklist and distributes it through Windows cumulative updates and App Control for Business policies. The addition of psmounterex.sys in the April update is part of that broader hardening strategy. From Microsoft’s perspective, rolling back the block would re-open a serious security hole across millions of systems. Instead, the company is advising customers not to uninstall or pause KB5083769, but to wait for updated backup builds that can operate without the vulnerable driver.
How to Diagnose If Your Backup Software Is Impacted
If you rely on image-based backups, it is wise to verify whether KB5083769 has affected your environment. Start by watching for failures specifically during image-mount or snapshot operations, even when standard backup jobs appear to complete. Errors referencing VSS timeouts, aborted snapshots, or VSS_E_BAD_STATE are key indicators. To confirm the kernel driver block, open Event Viewer and navigate to the Code Integrity log under Windows Logs. Look for Event ID 3077 entries referencing psmounterex.sys; these events show that Windows blocked the driver due to the Vulnerable Driver Blocklist policy. This evidence helps distinguish between general backup software issues and the specific kernel driver block introduced by the update. Knowing the precise cause is critical before making changes such as rolling back patches, adjusting App Control policies, or contacting your backup vendor’s support team for updated guidance and interim best practices.
Practical Workarounds While Vendors Ship Fixed Builds
Until Macrium, Acronis, UrBackup, and NinjaOne deliver updated builds that replace psmounterex.sys with a non-blocklisted driver, users need pragmatic workarounds. Microsoft explicitly recommends against uninstalling or pausing KB5083769, as that would reintroduce the CVE-2023-43896 vulnerability. Instead, check with your backup vendor for preview or hotfix builds that remove the dependency on the blocked driver, and prioritise deploying those across critical systems. In the interim, verify that regular image creation jobs still succeed, even if image-mount features are temporarily unavailable, and adjust workflows that depend on mounting images directly within the OS. For disaster recovery planning, ensure you can still perform bare-metal restores or file-level recoveries via bootable media or alternative methods provided by your backup solution. Treat this period as a prompt to review your overall backup strategy, testing restores thoroughly so that security hardening does not inadvertently leave you without a reliable recovery path.