  • Microsoft: Windows 11 KB5083769, KB5083631 block backup apps like Macrium, here's why


    Karlston

    • 1 comment
    • 475 views
    • 4 minutes

    Microsoft has blamed Macrium for the issue but there could be more to the story.

    Back in 2022, Microsoft introduced a new feature in its Windows Security app called the "Microsoft Vulnerable Driver Blocklist," and earlier this year we did a write-up with more details about the feature. It's essentially a list of compromised drivers that Windows 11/10, by default, blocks, such that user PCs don't get infected.

     

    Today, Neowin noticed that Microsoft has confirmed that it is now blocking the Macrium Reflect driver as part of its vulnerable driver blocklist. The Redmond giant updated its April 2026 Patch Tuesday update (KB5083769) to confirm this. Macrium Reflect is a third-party backup application, and after the April Patch, there are conflicts with the Volume Shadow Copy Service (VSS) and users can no longer mount or explore an image.

     

    Microsoft writes: "This update introduces a security hardening change that adds known vulnerable kernel drivers to the Microsoft vulnerable driver blocklist. Backup applications that rely on blocked drivers might experience failures when attempting to mount or manage disk images. ... These apps relying on blocked drivers might display error messages, including "The backup has failed because Microsoft VSS has timed out during the snapshot creation" or VSS_E_BAD_STATE."

     

    Since the new driver was added in the April Patch, the latest available update (optional KB5083631) will also block Macrium Reflect from working.

     

    If you are wondering, back in October 2023, the Macrium Reflect driver, versions 8.1.7544 and below, was found to be vulnerable to out-of-bounds write attacks and privilege escalation which would allow attackers to execute arbitrary code. This could lead to corruption of the kernel heap and potentially complete loss of system integrity. This was tracked under ID CVE-2023-43896.

     

    In a new support article about the topic, Microsoft has added more details on the issue and the particular "psmounterex.sys" kernel driver that is being blocked. It writes: "After installing Windows updates released on or after April 14, 2026, certain third-party backup applications that rely on the kernel driver psmounterex.sys might experience failures when attempting to mount or manage disk images. .... This intentional change of behavior is designed to protect devices against known vulnerabilities in the psmounterex.sys kernel driver. Following the installation of Windows updates released on or after April 14, 2026, Windows Code Integrity enforcement will block vulnerable versions of this driver from loading when the Microsoft vulnerable driver blocklist is enabled."

     

    As such, affected users and IT admins might observe the following behavior:

     

    • Backup applications that rely on the kernel driver psmounterex.sys might fail to mount backup image files as virtual drives.
    • Attempting to browse or restore from a backup image might result in errors or timeouts.
    • Failures might be followed by error messages, such as "The backup has failed because Microsoft VSS has timed out during the snapshot creation" or VSS_E_BAD_STATE.
    • Event Viewer might show Code Integrity errors indicating that psmounterex.sys was blocked from loading.
    • Backup creation (full image backups) may still succeed, but image-mount operations will fail.

     

    If you suspect you are affected by this, Microsoft has added additional info on how to determine that. Users have to check for Event 3077 in the Code Integrity Operational event log. This will indicate that the driver was blocked in enforcement mode and will include Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816}.

     

    As far as a solution is concerned, Microsoft says that the psmounterex.sys driver will remain on the blocklist until it is updated to a newer version that includes the required protections.

     

    Interestingly, Macrium had seemingly already patched these vulnerabilities back in October 2023 in its software as is evident from its release notes. On versions 8.0.7690 and 8.1.7675 it wrote: "Security Update - CVE-2023-43896: This update applies a security patch to psmounterex.sys. We advise you to install this release to ensure the security of your system." Hence we wonder what could be going wrong here. Hopefully the issue is resolved soon.

     

    Source


    Hope you enjoyed this news post. Feedback welcome.

    Posted Saturday 2 May 2026 at 5:25 pm AEST (my time).

    News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

    RIP Matrix
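
The Event 3077 check described in the article, as an added PowerShell example that is not part of the original post or of Microsoft's guidance. It assumes the log is named Microsoft-Windows-CodeIntegrity/Operational and that the driver name and policy GUID appear in the event's XML payload; the function name Find-BlockedDriverEvent is hypothetical.

```powershell
# Added example: find Code Integrity Event 3077 entries showing that
# psmounterex.sys was blocked in enforcement mode.
$LogName    = 'Microsoft-Windows-CodeIntegrity/Operational'  # assumed log name
$EventId    = 3077                                           # from the article
$Driver     = 'psmounterex.sys'                              # from the article
$PolicyGuid = 'D2BDA982-CCF6-4344-AC5B-0B44427B6816'         # from the article
$Since      = [datetime]'2026-04-14'                         # first affected update

function Find-BlockedDriverEvent {
    $filter = @{ LogName = $LogName; Id = $EventId; StartTime = $Since }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent reports "no matching events" as an error, not an empty set
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return @() }
        throw
    }

    foreach ($e in $events) {
        # Search the raw XML so the check does not depend on field names
        $xml = $e.ToXml()
        if ($xml -notmatch [regex]::Escape($Driver)) { continue }

        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            Computer      = $e.MachineName
            # True when the block came from the policy ID quoted by Microsoft
            PolicyIdMatch = ($xml -match [regex]::Escape($PolicyGuid))
            Message       = $e.Message
        }
    }
}

$hits = @(Find-BlockedDriverEvent)
if ($hits.Count -eq 0) {
    "No Event $EventId entries for $Driver since $($Since.ToShortDateString())."
}
else {
    $hits | Sort-Object TimeCreated | Format-List
}
```

A row with PolicyIdMatch set to True corresponds to the blocklist enforcement the article describes; a row with False means the driver was blocked under a different Code Integrity policy.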


    User Feedback

    Recommended Comments

    Time to start asking some 'difficult' questions:

    1/  Who or what designated those drivers as vulnerable, and to what degree?

    2/  Who determined just how vulnerable Macrium's driver is?

    3/  Lemme get this right... Microsoft is lecturing Macrium about security after all the recent security breaches Microsoft itself has had?

    4/  Perhaps Raymond Chen should go back to engineering instead of being sucked into selling Nadella's snake oil?

     




