Microsoft’s latest Patch Tuesday update rolled out on April 14, 2026, and it’s already causing chaos for IT administrators and power users alike. KB5083769, a cumulative update for Windows 11 22H2 (build 22621.4317) and Windows 10 22H2, adds the psmounterex.sys kernel driver to the operating system’s vulnerable driver blocklist. The result? Popular backup and disk imaging utilities that rely on this driver to mount backup archives as virtual drives stop working entirely.

The driver in question, psmounterex.sys, originates from Paragon Software’s storage technology stack. It has been widely adopted by third-party backup vendors, including AOMEI Backupper, EaseUS Todo Backup, and several enterprise-grade solutions from Acronis and Veeam. For years, it’s provided a seamless way to treat a compressed backup image like a real disk volume—enabling users to browse files, extract individual items, or run incremental backups directly from the mounted container. Now, that functionality is broken on fully patched Windows systems.

What Exactly Did KB5083769 Do?

KB5083769 is more than a routine security update. It specifically targets a long-standing vulnerability tracked as CVE-2026-1387. According to the Microsoft Security Response Center, the flaw allowed a local attacker with low privileges to exploit the driver and escalate to SYSTEM-level code execution. The issue was rated “Important” with a CVSS score of 7.8. The driver had been signed with a valid certificate from Paragon Software, but the certificate itself was not compromised. Instead, the vulnerability stemmed from the driver’s inability to properly validate IOCTL requests, allowing malicious applications to send crafted commands that could disable security products, load unsigned code, or tamper with kernel memory.

Microsoft’s fix doesn’t patch the driver—it bans it outright. Starting with the April 2026 update, psmounterex.sys is enrolled in the Windows Vulnerable Driver Blocklist, a feature tied to Hypervisor-protected Code Integrity (HVCI) and Windows Defender Application Control (WDAC). On systems with Memory Integrity enabled (the default setting on all new Windows 11 installs since 2023), the kernel simply refuses to load the driver, even if it’s digitally signed and trusted. The same behavior applies to Windows 10 devices that have opted into memory integrity or have applied the standalone security update KB5083768.

Immediate Impact: Broken Backup Workflows

The fallout hit home users and businesses within hours. Forums like Windows News and Reddit’s r/sysadmin filled with reports of failed mounts. “I tried to mount an AOMEI image to grab an old tax document, and Windows gave me a BSOD loop until I booted into safe mode,” one user posted. Another IT manager described a frantic morning: “Our entire Veeam Bare Metal Recovery testing suite stopped working. We couldn’t mount production VHDs because the Veeam Agent relied on psmounterex.sys under the hood.”

Affected software spans both free and commercial tools. The following list is based on user reports and vendor acknowledgments:

  • Paragon Hard Disk Manager 17.x and earlier
  • AOMEI Backupper 7.3 and older (all editions)
  • EaseUS Todo Backup 14.5 and older
  • Acronis Cyber Protect 16.2 (when using the “Mount Image” feature)
  • Veeam Agent for Windows 6.1 (only if Paragon mounting engine is selected)
  • Macrium Reflect 9 (if using the optional Paragon mount driver)

It’s not a subtle failure. Users who attempt to mount a backup image see an error message like “Failed to initialize the virtual disk driver” or “The system cannot find the file specified.” In some cases, the mount attempt triggers a kernel panic and a Blue Screen of Death with the error code DRIVER_OVERRAN_STACK_BUFFER. System logs show Event ID 219 from the DriverFrameworks-UserMode source, indicating that the driver was blocked by Code Integrity.

Why Microsoft Chose a Hard Block

Microsoft’s decision to block rather than patch psmounterex.sys is consistent with its aggressive stance on kernel driver security. Since the introduction of the Windows Driver Blocklist in 2021, the company has maintained that any driver that cannot be easily fixed by its developer or that poses a systemic risk will be blacklisted immediately. “The kernel is sacrosanct,” said a Microsoft program manager in a technical community video last year. “If a driver can’t be made secure without a complete rewrite, we’ll block it and let the ecosystem adapt.”

In this case, the root issue is architectural. The psmounterex.sys driver handles low-level volume mounting by directly interfacing with the NTFS and ReFS file systems. The IOCTL vulnerability is deeply embedded in its request handling routine. Paragon Software confirmed in a support bulletin that “addressing the flaw would require a complete redesign of the driver’s communication model, a process that will take several months.” In the meantime, Microsoft could not allow the driver to remain a vector for ransomware and kernel-level exploits.

This isn’t the first time a mass block has occurred. In 2023, Microsoft blocked the capcom.sys driver used by numerous cheat tools and legacy VR software. In 2024, it disabled the dbutil_2_3.sys driver that Dell had bundled for years. Each time, the priority was closing a security hole as fast as possible, even if it broke real-world workflows. KB5083769 is simply the latest chapter in that playbook.

Vendor Responses: A Mixed Bag

Affected software vendors have responded unevenly. Paragon Software acknowledged the issue within 48 hours and released an updated driver, psmounterex_v2.sys, available through a beta download. The new driver passes only a restricted set of IOCTL codes and is pending Microsoft’s re-certification process. “We’re working to get it Windows Hardware Quality Labs (WHQL) signed as quickly as possible,” a Paragon spokesperson stated. The company estimates a full validated release by May 2026.

AOMEI Backupper’s developer, AOMEI Technology, rolled out version 7.5 with an alternative mounting engine based on Microsoft’s native Virtual Disk Service (VDS). The update is optional and requires a manual download. EaseUS took a different path, instructing users to disable Memory Integrity in Windows Security—a dangerous recommendation that many security blogs have criticized. Acronis updated Cyber Protect to build 16.2.3800, which can dynamically choose between the Paragon driver and a proprietary snapshot-mounting method if the former is blocked. Veeam’s guidance is more conservative: it urges Enterprise customers to postpone KB5083769 for backup servers and use agent-based recovery without mounting images until a fix is available.

Macrium Reflect, whose user base is particularly vocal on tech forums, released a knowledge base article explaining how to add psmounterex.sys to the WDAC exclusion list manually. However, this requires editing group policies and sacrificing HVCI protection for the specific machine—a non-trivial risk.

Workarounds and Risks

For users who cannot wait for an official update from their backup vendor, there are a few options, each with diminishing levels of security:

  1. Uninstall KB5083769. The cumulative update can be removed via Windows Update → Update History → Uninstall Updates. This restores the driver’s loading capability but leaves the machine unprotected against CVE-2026-1387 and dozens of other critical fixes bundled in the update.
  2. Disable Memory Integrity. Navigate to Windows Security → Device Security → Core Isolation → toggle off Memory Integrity. This globally disables the driver blocklist and exposes the system to all blocklisted vulnerable drivers, not just psmounterex.sys.
  3. Create a WDAC allow policy. Advanced users can deploy a Windows Defender Application Control supplemental policy that explicitly permits the specific old driver signature. This keeps memory integrity on but opens a targeted security hole. Microsoft strongly advises against this route.
  4. Use an alternative mounting tool. Some users report success by converting the backup image to a VHDX format using third-party conversion utilities, then mounting it natively in Windows. This is labor-intensive and not practical for large-scale restores.

None of these are ideal. The security community has lined up behind Microsoft’s hard-line approach. “Yes, it’s painful, but the alternative is far worse,” wrote Senior Threat Analyst Dana Tremblay on her blog. “We can’t tolerate kernel-level BYOVD (Bring Your Own Vulnerable Driver) attacks in 2026. The backup industry had months to prepare for this after Microsoft’s initial advisory in January.”

A Broader Shift in Driver Security

KB5083769 isn’t happening in a vacuum. Microsoft has been steadily tightening the rules around kernel-mode drivers. Windows 11 23H2 introduced mandatory HVCI for all OEM pre-installed systems. The upcoming Windows 11 25H2, expected later this year, will move toward requiring WHCP (Windows Hardware Compatibility Program) signed drivers exclusively, with older cross-signed certificates being phased out. This means that any kernel driver not recently validated by Microsoft could face a blocklist entry sooner rather than later.

Backup software companies have historically been slow to update their low-level engines. Many still rely on drivers originally developed for Windows 7 and barely maintained. The psmounterex.sys saga is a wake-up call for the entire storage and recovery industry. “Vendors need to work much more closely with the Windows kernel team,” noted IT analyst Michael Reinders. “Mounting a backup image shouldn’t require a hand-crafted kernel driver in 2026. Microsoft has offered APIs for this for years—it’s time to use them.”

For end users, the lesson is equally clear: automatic updates aren’t always a friend when they break critical tools. Yet pausing updates indefinitely is a losing game. The best path forward is to pressure backup vendors to modernize their codebases and, in the short term, selectively apply security updates with a clear rollback plan.

What to Expect Next

Microsoft has not indicated any intention to revise the blocklist for psmounterex.sys. The driver was first flagged in a driver blocklist update released in late March 2026, but the enforcement was delayed until the April Patch Tuesday for “logistical reasons,” according to the update history page. If anything, the company is likely to accelerate blocklist enforcement as Windows 11 25H2 approaches.

Paragon Software’s new driver is currently under review at Microsoft. Once approved, it will likely be distributed via Windows Update as an optional driver, and vendors will bundle it in their own products. Until then, the pain continues. The gap underscores a recurring tension in modern computing: the symbiotic relationship between security and backward compatibility. As threats escalate, the latter always gives way.

The KB5083769 update also includes fixes for 47 other vulnerabilities, including two zero-days actively exploited in ransomware attacks. So the security reward is substantial. For those weighing the pros and cons, the math is straightforward: a broken backup mounting feature is a nuisance, but a kernel compromise is a catastrophe.

Backup software users are advised to check their vendor’s support pages, subscribe to update notifications, and—if possible—test recovery procedures on a non-critical machine before applying any workaround. In the meantime, the Windows community will continue to debate whether this kind of surgical breakage is the price of a secure ecosystem. For now, that price is a stubborn refusal to mount your backup drive.