What KB5083769 Changed and Why Backups Are Failing
The KB5083769 Windows update introduced a security hardening change that directly impacts backup software compatibility. As part of the April cumulative release, Microsoft added the psmounterex.sys kernel driver to its Vulnerable Driver Blocklist, a curated list of drivers that Windows refuses to load because attackers can abuse them. Psmounterex.sys contains a high‑severity buffer overflow (CVE‑2023‑43896) that enables local privilege escalation and arbitrary code execution, making it attractive for bring‑your‑own‑vulnerable‑driver attacks. Many backup vendors integrated this shared driver to power image-mount and snapshot operations, so once Windows began blocking it, key functions started to fail even though the backup applications themselves hadn’t changed. Image creation typically still works, but mounting, exploring, or managing disk images can suddenly break after the KB5083769 Windows update, leaving admins with backup chains that look healthy on paper yet fail during recovery or test restores.
Which Backup Tools Are Affected and How the Problem Shows Up
Several popular backup platforms are directly affected by the kernel driver blocking enforced by KB5083769 and its companion updates. Microsoft has confirmed that Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup can all encounter failures when they attempt to use psmounterex.sys for image-mount operations. The result is that Macrium and Acronis appear broken during tasks such as mounting backup images or manipulating snapshots, even though scheduled backup jobs may still appear to complete. In practice, administrators report VSS snapshot timeouts, VSS_E_BAD_STATE errors, and messages like “The backup has failed because Microsoft VSS has timed out during the snapshot creation.” These symptoms can surface across Windows 10, Windows 11, and Windows Server installations, creating confusion in mixed environments where some systems are patched and others are not, and only the updated machines suddenly exhibit these image-handling issues.
How to Confirm KB5083769 Is the Cause Using Event Viewer
Before changing configurations or rolling back software, administrators should verify that kernel driver blocking is indeed the root cause. Microsoft recommends using Event Viewer to check the Code Integrity log for a specific diagnostic signal. On affected machines, look for Event ID 3077 tied to Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816}. This event records that psmounterex.sys was blocked from loading by the Vulnerable Driver Blocklist. Seeing this entry effectively confirms that KB5083769’s security hardening is interfering with your backup solution’s image-mount operations, not a random application bug or misconfiguration. This distinction matters: the driver is blocked by design to close CVE‑2023‑43896, so simply reinstalling or repairing the backup software will not resolve the issue. Once you’ve confirmed Event ID 3077, you can focus on vendor updates and supported workarounds instead of chasing unrelated troubleshooting paths.
Microsoft’s Guidance, Risky Workarounds, and Vendor Updates
Microsoft’s official guidance is clear: do not uninstall or pause the KB5083769 Windows update just to restore backup functionality. Instead, customers are urged to update their backup software to a build that ships with the necessary driver protections and no longer depends on psmounterex.sys. Vendors including Macrium, Acronis, UrBackup, and NinjaOne are preparing updated builds that replace the blocked driver with a non‑blocklisted alternative. An unofficial registry workaround circulating among administrators disables blocklist enforcement for psmounterex.sys, but doing so reopens the same privilege escalation exposure that the security patch was designed to close. Microsoft does not endorse this approach, especially given that ransomware operators actively exploit vulnerable kernel drivers. From a risk perspective, the safer path is to keep the security update in place, monitor your vendors’ release channels, and plan to deploy their updated builds as soon as they become available in your environment.
Balancing Security Hardening with Backup Reliability
The KB5083769 kernel driver blocking issue underscores a recurring tension between tightening security and preserving software compatibility. By enforcing the Vulnerable Driver Blocklist, Microsoft is targeting a real and pressing threat class: signed but flawed drivers that attackers can weaponize for ring‑zero access. However, because psmounterex.sys was a shared component reused across multiple backup platforms, a single security decision disrupted Macrium, Acronis, UrBackup, and NinjaOne simultaneously. For administrators, the lesson is twofold. First, always assume that security updates can impact critical infrastructure like backup and recovery, and budget time for validation after patch cycles. Second, treat backups as both a security control and a fragile dependency: if security fixes silently break recovery tooling, your resilience posture suffers. Proactively testing image-mount operations, tracking Event ID 3077 alerts, and staying aligned with vendor roadmaps can help navigate this balance more effectively.