VYPR
patchPublished May 4, 2026· Updated May 17, 2026· 1 source

Microsoft Confirms April Updates Break Backup Software via Driver Blocklist

Microsoft's April 2026 security updates are causing widespread failures in third-party backup software by blocking a vulnerable kernel driver, forcing users to update their applications to restore functionality.

Microsoft has officially confirmed that the April 2026 security updates are triggering widespread failures in third-party backup software. The issue stems from a security hardening measure that adds the psmounterex.sys kernel driver to the Windows Vulnerable Driver Blocklist, effectively preventing the driver from loading on affected systems BleepingComputer.

The technical root of this disruption is the inclusion of psmounterex.sys in the blocklist to mitigate a high-severity buffer overflow vulnerability, tracked as CVE-2023-43896. This vulnerability, if exploited, could allow an attacker to escalate privileges or execute arbitrary code at the kernel level. By blocking the driver via Windows Code Integrity enforcement, Microsoft aims to prevent this attack vector, but the action inadvertently breaks the functionality of backup applications that rely on this specific driver to mount or manage disk images BleepingComputer.

The impact is significant for users of various backup solutions, including products from Macrium (Reflect), Acronis (Cyber Protect Cloud), UrBackup Server, and NinjaOne Backup. While full image backups may still complete, users are reporting that mounting backup images as virtual drives fails, often resulting in timeouts or errors such as VSS_E_BAD_STATE. The Volume Shadow Copy Service (VSS) is frequently timing out during snapshot creation, leading to failed recovery operations BleepingComputer.

Administrators can verify if their systems are affected by checking the Event Viewer. Specifically, they should navigate to Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational and search for Event ID 3077, which references Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816}. This event confirms that the psmounterex.sys driver has been blocked in enforcement mode BleepingComputer.

Microsoft has explicitly advised against uninstalling or pausing the April security updates, emphasizing that the blocklist is necessary for system security. Instead, the company recommends that affected users update their backup applications to the latest versions, which should incorporate newer, non-vulnerable drivers. Microsoft maintains that customers must validate their software against the driver blocklist to ensure they remain protected while restoring backup functionality BleepingComputer.

This incident highlights the ongoing tension between aggressive security hardening and operational stability in enterprise environments. As Microsoft continues to expand its Vulnerable Driver Blocklist to combat kernel-level threats, software vendors must keep pace by updating legacy components that rely on flagged drivers. Organizations should prioritize testing security updates in staging environments to identify potential conflicts with critical infrastructure tools like backup software before a wider deployment BleepingComputer.

Synthesized by Vypr AI
Microsoft Confirms April Updates Break Backup Software via Driver Blocklist · VYPR