
Windows Update Breaks Popular Backup Software: What You Need to Know


What KB5083769 Changed and Why Backups Are Failing

The April KB5083769 Windows update introduced a critical security hardening step that is now causing backup software headaches. Microsoft added the kernel driver psmounterex.sys to its Vulnerable Driver Blocklist, meaning Windows will no longer load this driver on patched systems. The move is intended to mitigate CVE-2023-43896, a high‑severity buffer overflow that allows local privilege escalation and arbitrary code execution via a signed but vulnerable driver. Attackers increasingly abuse such components in bring‑your‑own‑vulnerable‑driver attacks to gain kernel‑level access. The downside is that multiple backup vendors relied on psmounterex.sys for image‑mount operations. With the driver blocked, image mounts and some snapshot‑related tasks can fail even though the backup applications themselves have not changed. This tension between locking down the kernel and preserving compatibility is at the heart of the current disruption.

Which Backup Tools Are Affected and How Problems Show Up

Microsoft confirms that the KB5083769 Windows update can interfere with several widely used backup platforms: Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup. The core symptom is not usually failed image creation but broken image‑mount and snapshot operations that depend on the now‑blocked psmounterex.sys driver. On Windows 10, Windows 11, and Windows Server, administrators are reporting backup jobs that appear to run but later fail when mounting or browsing images, often accompanied by Volume Shadow Copy Service (VSS) issues. Typical errors include messages such as “The backup has failed because Microsoft VSS has timed out during the snapshot creation” or VSS_E_BAD_STATE. These failures can be confusing because the root cause lies in kernel driver enforcement, not in obvious misconfiguration inside the backup software itself, making proper diagnosis essential before applying any workaround.

How to Check If KB5083769 Is Breaking Your Backup Software

If your Macrium, Acronis, or similar backup workflows suddenly started failing, first confirm whether KB5083769 is installed on the affected machine. Then look for the specific Code Integrity signal that Microsoft points to as the clearest indicator. Open Event Viewer, navigate to the Code Integrity log, and search for Event ID 3077 associated with Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816}. If you see entries showing that psmounterex.sys was blocked from loading, you have strong evidence that Vulnerable Driver Blocklist enforcement, not generic VSS instability or an application bug, is the cause of your backup problems. This diagnostic step avoids unnecessary troubleshooting and focuses attention on obtaining updated backup software builds or implementing a temporary, carefully considered rollback strategy for affected systems.
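The same check can be scripted for use across many machines. The following PowerShell is an added example, not a script from Microsoft or any backup vendor; the 30-day look-back window and the assumption that the policy GUID appears in the event's XML data are choices made here, while the KB number, driver name, event ID and policy ID come from the text above.

```powershell
# Added example: run in an elevated PowerShell session on the affected machine.
$Kb       = 'KB5083769'                                   # from the article
$Driver   = 'psmounterex.sys'                             # from the article
$PolicyId = 'D2BDA982-CCF6-4344-AC5B-0B44427B6816'        # from the article, braces dropped
$LogName  = 'Microsoft-Windows-CodeIntegrity/Operational'
$Days     = 30                                            # assumption: look-back window

# Step 1: is the update installed? Get-HotFix returns nothing if it is absent.
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

# Step 2: pull Code Integrity enforcement events (ID 3077) from the look-back window.
# Get-WinEvent raises an error when no events match, so that case is silenced.
$filter = @{ LogName = $LogName; Id = 3077; StartTime = (Get-Date).AddDays(-$Days) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Step 3: keep only events that name the driver and the blocklist policy.
# Matching on the raw XML avoids depending on specific field names (assumption:
# both values appear somewhere in the event data). -match is case-insensitive.
$hits = @($events | Where-Object {
    $xml = $_.ToXml()
    ($xml -match [regex]::Escape($Driver)) -and ($xml -match [regex]::Escape($PolicyId))
})

# Step 4: summarize so the result can be collected from many hosts.
$verdict = if ($hits.Count -gt 0) {
    'Driver blocked by Vulnerable Driver Blocklist: update the backup software'
} elseif ($hotfix) {
    'Update installed, no block events found: investigate VSS or the application'
} else {
    'Update not installed: failures have another cause'
}

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    KbInstalled = [bool]$hotfix
    BlockEvents = $hits.Count
    LastBlock   = ($hits | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    Verdict     = $verdict
}
```

A non-zero `BlockEvents` count is the signal described above; `KbInstalled` can read false on systems where the fix arrived inside a later cumulative update, so treat the event log as the authoritative indicator.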

Immediate Workarounds and Why Microsoft Says ‘Do Not Uninstall’

Microsoft’s official guidance is to keep KB5083769 installed and instead update your backup application to a version that no longer depends on the vulnerable driver. Vendors including Macrium, Acronis, UrBackup, and NinjaOne are preparing new builds that replace psmounterex.sys with a non‑blocklisted alternative, which should restore full functionality without reopening the security hole. Although some administrators have discussed uninstalling the KB5083769 Windows update or using an unofficial registry tweak to disable blocklist enforcement for this driver, both options re‑expose systems to the privilege‑escalation flaw that attackers actively seek to exploit. Microsoft does not endorse these approaches. If a temporary rollback is unavoidable on critical systems, it should be tightly scoped, closely monitored, and reversed as soon as a patched backup client is available and tested in your environment.

Security vs. Compatibility: Lessons for Backup and IT Teams

This incident underscores the ongoing friction between aggressive security hardening and third‑party software compatibility. By blocking psmounterex.sys to shut down CVE‑2023‑43896, Microsoft reduced a serious attack surface but inadvertently left administrators with backup software broken at a critical layer. Because backups are a primary defense against ransomware and other destructive attacks, any disruption has outsized operational risk, even when caused by a security fix. For IT and security teams, several lessons emerge: monitor cumulative updates like KB5083769 for known regressions, maintain a staging environment to test backup tools after each Patch Tuesday, and stay closely aligned with vendors for rapid driver and agent updates. The broader April update cycle has already produced other server and BitLocker side effects, reinforcing the need for structured patch‑management processes that balance security urgency with business continuity.
