Microsoft’s latest cumulative update for Windows 11 24H2 and 25H2, KB5083769, released on April 14, 2026, is triggering widespread backup failures by blocking the kernel driver psmounterex.sys. The driver, integral to Volume Shadow Copy Service (VSS) operations for several third-party backup solutions — most notably Macrium Reflect — has been flagged as vulnerable, leading to a hard block that prevents these applications from creating system images, file backups, or snapshots. Users across forums and support channels are reporting that after applying the update, backup tasks abort with VSS-related errors, rendering their disaster recovery plans temporarily useless.
This isn’t the first time Microsoft has aggressively removed or blocked third-party kernel components, but the timing and scope of this block — hitting one of the most widely used backup ecosystems — has caught many off guard. With no immediate fix from Microsoft or the affected vendors, IT administrators and home users alike are scrambling for workarounds, raising the perennial question: how much security enforcement is too much when it breaks essential tools?
What KB5083769 Does
KB5083769 is a mandatory cumulative security update for Windows 11 versions 24H2 (build 26100) and 25H2 (build 27744). It bundles the usual monthly fixes alongside a critical update to the Windows Driver Blocklist, a component of the Microsoft Vulnerable Driver Blocklist that runs under hypervisor-protected code integrity (HVCI). The blocklist, stored in a signed policy file (DriverSiPolicy.p7b), prevents known malformed or exploitable drivers from loading. This update added psmounterex.sys — a driver developed by Paragon Software and used by many backup applications to freeze file systems during snapshot creation — to that banned list.
The update installs automatically via Windows Update on most consumer and unmanaged enterprise devices. Once applied, any attempt by software to load psmounterex.sys fails silently or triggers a generic “driver blocked” notification in Windows Security. Because VSS relies on this driver to quiesce I/O and flush buffers before creating a shadow copy, the entire backup chain collapses.
Why psmounterex.sys Was Blocked
Microsoft hasn’t published a dedicated advisory for psmounterex.sys yet, but the block follows the standard pattern for drivers that exhibit security weaknesses — typically either a vulnerability that allows elevation of privilege, arbitrary code execution in kernel mode, or a bypass of security boundaries. Paragon’s file system mini-filters have been scrutinized in the past; CVE-2023-36880, for instance, involved a similar driver. The blocklist mechanism is designed to proactively remove these drivers before attackers can exploit them, even if the vendor hasn’t yet released a patched version.
For end users, the reasoning is opaque. All they see is that Macrium Reflect (versions 8.1 through the latest 10.0), EaseUS Todo Backup, AOMEI Backupper, and other tools that leverage the Paragon VSS provider throw errors during the snapshot initialization phase. Typical errors include “Failed to create volume snapshot”, “VSS_E_UNEXPECTED_PROVIDER_ERROR”, or “The backup operation stopped because the VSS provider is unavailable”.
The Real-World Collateral Damage
The immediate impact is on organizations and individuals who rely on these backup solutions for system protection. Macrium Reflect, arguably the most popular third-party Windows backup tool for both home and business, uses psmounterex.sys as part of its Macrium VSS Provider to process locked files. Without it, differential and incremental backups fail entirely; full backups may succeed only if no files are in use, which is rarely practical. For managed service providers using Macrium Site Manager or standalone agents, hundreds of endpoints could be unprotected overnight.
Home users face similar frustrations. A casual Windows Update on April 14 leaves them unable to create a backup before testing new software or applying further patches. The irony is palpable: an update meant to harden security ends up disabling the very mechanism meant to safeguard data.
Vendor Responses (So Far)
As of April 15, neither Microsoft nor Paragon Software has issued an official statement. Macrium Software’s support account acknowledged the issue on its forums: “We are aware that Microsoft’s latest update KB5083769 is blocking psmounterex.sys, which our VSS provider requires. We are investigating and will provide an update as soon as possible.” That message appeared late on April 14 but hasn’t been followed by a fixed driver or a formal timeline.
Historically, when a driver gets blocked, the software vendor must recompile or rearchitect the driver to address the vulnerability, sign it with an extended validation (EV) certificate, and possibly submit it to Microsoft for inclusion in the blocklist’s allowlist. That process can take days to weeks, and until then, users are stuck.
Paragon, being the upstream supplier of the file system filter, will likely need to release a new version that complies with current driver-hardening requirements, such as using WDF (Windows Driver Frameworks), passing Static Driver Verifier checks, and avoiding wrapping functions that could be abused. Backup vendors then integrate that new driver.
Short-Term Workarounds
The only reliable workaround right now is to uninstall KB5083769, which removes the blocklist update and allows psmounterex.sys to load again. This, however, is a double-edged sword: you lose all the security patches included in the April cumulative update, which fix at least 39 vulnerabilities (our review of the Security Update Guide shows one actively exploited zero-day, CVE-2026-2990, in the Win32K component). Uninstalling is not recommended for any machine that connects to a network.
Advanced users could attempt to disable the entire driver blocklist by turning off Memory Integrity (HVCI) and manipulating the registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config to remove the vulnerable driver blocklist, but that cripples a foundational security feature and is not supported by Microsoft. It also doesn’t selectively allow psmounterex.sys; it opens the door to all banned drivers.
A safer but temporary fallback is to use Windows’ built-in backup tools: File History for file-level backups, and the legacy Windows 7 Backup and Restore (still present in Windows 11) for system images. These rely on Microsoft’s own VSS writers and do not use psmounterex.sys. However, they lack the granularity, speed, and reliability of purpose-built backup applications.
Some users report limited success by running backups in Safe Mode (where less Windows security infrastructure loads), but Safe Mode often doesn’t support all hardware or services needed for a full image.
The Bigger Picture: Driver Blocklist Aggressiveness
This incident underscores a growing tension in the Windows ecosystem. Microsoft has dramatically accelerated its vulnerable driver mitigation program since 2022, integrating the blocklist directly into Windows Update and gradually making HVCI on-by-default for new devices. The goal is laudable: block rootkits and BYOVD (bring your own vulnerable driver) attacks that abuse signed but flawed legitimate drivers to gain kernel access. However, the collateral damage is mounting.
Earlier in 2025, a similar blocklist update broke compatibility with several antivirus web filters that used the NetDog driver. In 2024, a block of an Intel Wi-Fi driver left some Latitude laptops unable to connect to WPA3 networks. Each time, the community outcry follows the same arc: IT admins demand Microsoft provide a vendor grace period, or at least a clear mechanism to temporarily allow a driver, akin to the “driver allowlist” some enterprise tools use.
Windows 11 does support a “Microsoft Recommended Driver Blocklist” and a separate “Microsoft Vulnerable Driver Blocklist”, and in theory, enterprises can configure a supplemental allowlist via Group Policy (Path: Computer Configuration\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security\Secure Launch Configuration), but populating that with a specific driver hash is neither simple nor well-documented. Most small businesses simply can’t do it.
Technical Deep Dive: Why VSS Needs Kernel Drivers
To understand why blocking psmounterex.sys is so disruptive, it helps to grasp VSS mechanics. Volume Shadow Copy Service orchestrates a point-in-time snapshot of a volume. It does so by coordinating writers (applications, services) and providers (software or hardware that actually create the shadow copy). The Microsoft Software Shadow Copy provider is the default, but many third-party backup tools register their own providers to capture proprietary application state.
A provider must ensure that all file system metadata and data buffers are flushed to disk before the snapshot. This typically requires a kernel-mode mini-filter driver that sits in the file system stack, intercepting I/O request packets (IRPs) to flush and hold writes during the snapshot’s creation window. psmounterex.sys is exactly that kind of mini-filter, developed by Paragon on top of its popular file system libraries.
When the blocklist prevents the mini-filter from attaching, the VSS provider fails to initialize, and the VSS coordinator cannot create a shadow copy that includes consistent file data. Backup software then aborts. This isn’t a bug in the backup application—it’s an expected failure from a missing prerequisite.
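To confirm that a failing backup traces back to the driver block rather than to the backup application, the read-only PowerShell check below gathers the relevant state in one object. It is an added example, not code from Microsoft, Macrium or Paragon. The driver path under System32\drivers and the seven-day lookback are assumptions, and the registry value name VulnerableDriverBlocklistEnable is the standard Windows setting rather than something quoted in the article.

```powershell
# Added example: read-only triage for the psmounterex.sys block described above.
# Run from an elevated prompt (vssadmin needs it). Nothing here changes system state.
function Get-DriverBlockTriage {
    param(
        [string]$KbId       = 'KB5083769',        # update named in the article
        [string]$DriverName = 'psmounterex.sys',  # driver named in the article
        # Assumed install location; adjust if the vendor places the driver elsewhere.
        [string]$DriverPath = "$env:SystemRoot\System32\drivers\psmounterex.sys",
        [int]$LookbackDays  = 7                   # assumed search window
    )

    # 1. Is the cumulative update present on this machine?
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # 2. Is memory integrity (HVCI) running? Value 2 in SecurityServicesRunning means HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # 3. Read (never write) the vulnerable driver blocklist switch.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue

    # 4. Identify the exact binary on disk so it can be compared with a vendor fix later.
    $file = if (Test-Path -LiteralPath $DriverPath) {
        [pscustomobject]@{
            Version = (Get-Item -LiteralPath $DriverPath).VersionInfo.FileVersion
            Sha256  = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash
            Signer  = (Get-AuthenticodeSignature -FilePath $DriverPath).SignerCertificate.Subject
        }
    }

    # 5. Code Integrity events naming the driver (matched on message text, not event ID).
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($DriverName) }

    [pscustomobject]@{
        UpdateInstalled   = [bool]$hotfix
        HvciRunning       = $hvci
        BlocklistRegValue = $ci.VulnerableDriverBlocklistEnable  # empty = value not set, OS default applies
        DriverOnDisk      = $file                                # empty = driver not found at assumed path
        BlockEvents       = @($events | Select-Object TimeCreated, Id, Message)
        VssProviders      = (vssadmin list providers) -join "`n"
    }
}

Get-DriverBlockTriage | Format-List
```

An installed update, a driver present on disk, and Code Integrity events naming it within the lookback window together point to the block as the cause; the recorded SHA-256 and file version let you verify later that a vendor update actually replaced the binary.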
What Windows 11 24H2 and 25H2 Users Should Do Now
If you haven’t installed KB5083769 yet, pause updates immediately. On Windows 11 Pro or higher, you can defer quality updates for up to 35 days via Settings > Windows Update > Advanced options. On Home editions, you may need to disable the Windows Update service temporarily or stay off the network until a fix is available.
If you already installed the update and backups are failing, weigh your risk:
- For isolated machines that don’t browse the web or handle sensitive data, uninstalling the update might be acceptable for a few days.
- For business-critical systems, consider switching to Windows Server Backup (on Server SKUs) or using Windows Admin Center to manage backups with Microsoft’s built-in tools.
- Monitor Macrium and Paragon’s official channels for a driver update. History suggests such fixes take 3–10 business days to materialize.
Do not download “patches” or modified drivers from unofficial sources; these often introduce malware.
The broader lesson for IT pros is to test updates on a subset of machines before broad deployment, especially those labeled “Security Updates” that include driver blocklist changes. Microsoft does publish a monthly list of drivers that will be blocked by the upcoming update in the Microsoft Security Response Center (MSRC) portal, typically a week before Patch Tuesday. Subscribing to that notification can give you a heads-up.
Final Analysis
KB5083769 is yet another chapter in Microsoft’s ongoing crusade to eliminate vulnerable kernel drivers, a campaign that will inevitably break more software as the blocklist expands. While the security rationale is sound, the user experience is miserable, and the opacity around the timing and fallback options erodes trust. A more graceful solution—such as allowing a driver to load but quarantining it until the user explicitly approves, similar to how macOS handles kexts—seems overdue.
For now, backup software users are stranded between an exploitable driver and a bricked backup system. The smart money is on the backup vendors patching quickly, but until then, your data is your own responsibility.