Why KB5083769 Is Breaking Image-Mount Backups
After installing Microsoft’s April security update KB5083769, many administrators are discovering their backup workflows suddenly failing. The issue centers on image-mount backup software that depends on a shared Windows kernel driver, psmounterex.sys, to mount or manage disk images. As part of the update, Microsoft added this driver to the Windows Vulnerable Driver Blocklist to address a high-severity buffer overflow tracked as CVE-2023-43896. Once blocked, Windows refuses to load psmounterex.sys, causing backup operations that rely on it to break. This regression affects popular tools like Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup. While backup image creation often still works, attempts to mount those images for testing, recovery, or file-level restore can fail. For many organizations, that means disrupted disaster recovery workflows and a worrying gap between having backups and being able to use them.
How the Windows Kernel Driver Block Causes Backup Failures
The core of the problem is Microsoft’s Windows kernel driver block applied through the Vulnerable Driver Blocklist. This list, enforced by App Control for Business policies, prevents known insecure drivers like psmounterex.sys from loading, even if they are legitimately signed. Attackers have increasingly abused such "bring-your-own-vulnerable-driver" flaws to gain kernel-level privileges, so Microsoft is unwilling to roll back the block. However, because psmounterex.sys is a shared image-mount driver embedded by multiple vendors, a single blocklist entry has knocked out functionality across Macrium, Acronis, UrBackup, and NinjaOne simultaneously. The update primarily breaks image-mount and snapshot operations; backups may still complete, but failures appear when creating or managing snapshots. Administrators are reporting VSS snapshot timeouts and errors such as VSS_E_BAD_STATE, signaling that Microsoft VSS cannot complete its work when the underlying mounting driver never loads.
How to Confirm KB5083769 Is the Cause of Your Backup Issues
If you suspect "KB5083769 backup broken" is your reality, Windows provides clear diagnostic clues. On affected systems, you can open Event Viewer and inspect the Code Integrity log for Event ID 3077. Entries tied to Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816} that state psmounterex.sys was blocked from loading confirm that the Vulnerable Driver Blocklist is responsible for the failure, not the backup software itself. You may also see backup jobs failing with messages such as "The backup has failed because Microsoft VSS has timed out during the snapshot creation" or similar VSS_E_BAD_STATE errors. These symptoms are consistent across Macrium Acronis Windows update complaints, as well as UrBackup and NinjaOne deployments. Knowing the root cause helps avoid unnecessary troubleshooting of storage, permissions, or VSS configuration and lets teams focus on driver and software remediation instead.
Recommended Workarounds While Vendors Patch Their Drivers
Microsoft’s official guidance is clear: do not uninstall or pause the April security update to restore backup functionality. Instead, the company recommends updating image-mount backup software to new builds that no longer depend on the blocklisted psmounterex.sys driver. Vendors including Macrium, Acronis, UrBackup, and NinjaOne are working on updated releases that ship with replacement drivers that meet Microsoft’s protections. Until those builds are available, administrators are weighing temporary workarounds. Some revert the update on non-critical machines to keep disaster recovery viable, while others disable or limit image-mount operations and rely on full restores if needed. An unofficial registry tweak circulating in communities can temporarily disable the blocklist for psmounterex.sys, but this reintroduces the same privilege-escalation risk that CVE-2023-43896 patches were meant to close. Any workaround must balance backup reliability against the heightened security exposure of allowing a known vulnerable driver.