What Changed in the KB5083769 Windows Update
The KB5083769 Windows update, released as part of Microsoft’s April security rollup, quietly introduced a change with big consequences for backup tools. Microsoft added the kernel driver psmounterex.sys to its Vulnerable Driver Blocklist, a curated list of drivers that Windows will no longer load because attackers can abuse them. In this case, psmounterex.sys has a high-severity buffer overflow tracked as CVE-2023-43896, which can be used for local privilege escalation and arbitrary code execution. Blocking this driver helps prevent so‑called “bring‑your‑own‑vulnerable‑driver” attacks, where threat actors load signed but flawed drivers to gain kernel‑level access. The block is enforced through Windows App Control for Business policies and is bundled into cumulative updates, so once KB5083769 is installed, any software depending on psmounterex.sys will find the driver refused by the operating system.
Which Backup Tools Are Affected and How Problems Show Up
The kernel driver blocking decision hits several backup vendors that relied on psmounterex.sys for disk image mounting. Microsoft has confirmed that Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup can all experience failures on systems with KB5083769 installed. Importantly, image creation usually still completes; the issues surface when these tools attempt image‑mount or snapshot operations that require the blocked driver. Administrators report backup software crashes, failed jobs, and Volume Shadow Copy Service (VSS) errors such as VSS snapshot timeouts or VSS_E_BAD_STATE. In practice, this means image‑mount backups used for fast file recovery, testing restores, or browsing historical snapshots may no longer work reliably. For organizations that depend on image‑mount workflows in Macrium or Acronis, the regression can look like suddenly broken backup policies even though the root cause is a Windows driver block, not a core application bug.
How to Confirm If KB5083769 Is Breaking Your Backups
If your backup software suddenly fails after installing the KB5083769 Windows update, you can verify whether the driver blocklist is responsible. Start by reviewing recent job logs in Macrium, Acronis, UrBackup, or NinjaOne for errors during image‑mount or snapshot stages rather than during initial image creation. Then open Event Viewer and navigate to the Code Integrity log. Look for Event ID 3077 associated with Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816}. When psmounterex.sys is blocked from loading, Windows records this specific event, which is the clearest signal that kernel driver blocking is behind your backup failures. If that event appears at the same time as your backup software crashes or reports snapshot issues, you can confidently attribute the problem to the Vulnerable Driver Blocklist change introduced by KB5083769 and related cumulative updates, rather than to a random software glitch or hardware fault.
Microsoft’s Guidance: Don’t Uninstall the Security Update
Although the KB5083769 Windows update is causing real pain for backup administrators, Microsoft is not backing down from the psmounterex.sys block. The company considers the underlying privilege‑escalation flaw a serious security risk frequently exploited by ransomware operators and other threat actors. As a result, Microsoft explicitly recommends that customers keep the security update in place rather than uninstalling or pausing it. From Microsoft’s perspective, broken image‑mount backups are collateral damage from a necessary hardening step against bring‑your‑own‑vulnerable‑driver attacks. Instead of rolling back the patch, Microsoft urges users to update their backup software to versions that include a safe replacement for the blocked driver or that implement the required driver protections. Until those updates are deployed, organizations must balance the temporary loss of image‑mount capability against the significantly higher risk of running with a known vulnerable kernel module loaded.
Workarounds and Next Steps for Backup Administrators
For now, the most practical workaround is to adjust workflows rather than Windows itself. Continue running image‑creation jobs, since they typically succeed even when psmounterex.sys is blocked, and avoid non‑essential image‑mount operations until your backup vendor ships an updated build. Watch for announcements and new releases from Macrium, Acronis, UrBackup, and NinjaOne that replace psmounterex.sys with a non‑blocklisted driver. In the meantime, validate that other restore paths—such as full bare‑metal recovery or file‑level restores that do not depend on image mounting—remain functional. Document any operational impact on recovery time objectives and communicate this to stakeholders so they understand that some restore options may be temporarily limited. Above all, resist the temptation to disable Microsoft’s kernel driver protections or uninstall KB5083769; doing so trades a known security fix for convenience and leaves your systems more vulnerable to modern driver‑based attacks.