System administrators walked into a morning firestorm on April 14, 2026, when Windows security update KB5083769 began landing on machines and silently broke the ability to mount disk-image backups in Macrium Reflect and Acronis Cyber Protect. Microsoft confirmed the issue later that day: the update adds the psmounterex.sys driver to the Windows Kernel vulnerable driver blocklist, preventing it from loading and thereby killing the mount-as-drive feature those backup products rely on for restore validation and file-level recovery.

What makes this particularly dangerous is the stealth mode of the failure. The update installs without a mandatory reboot alert on many systems, and the only visible symptom comes when you attempt to mount an image — the operation fails with a generic error. For IT teams running fire-drill restore tests or an organization trying to pull a single file from last night’s snapshot, the discovery arrives at the worst possible moment.

This isn’t a bug in the classic sense. The blocklist mechanism is intentional: Windows tracks drivers that have known security flaws, expired certificates, or signing anomalies and refuses to load them to prevent kernel-mode malware attacks. psmounterex.sys, a kernel-level driver that presents a backup image as a local disk, evidently triggered one or more of those criteria in the updated blocklist shipped with the April 2026 Patch Tuesday rollout.

How the vulnerable driver blocklist nuked a critical workflow

Since Windows 10 version 1803, Microsoft has maintained a database of drivers that are denied loading by the operating system. The list is delivered through Windows Update and applies system-wide. When the kernel sees a driver hash or certificate on that list, the driver never initializes — regardless of its installed version or vendor trust. Security researchers and Microsoft’s own threat intelligence team add entries continuously, often after discovering that a signed driver is being weaponized in the wild.

In the past, these additions rarely stirred controversy because they targeted ancient drivers from defunct hardware vendors or tooling that had clear exploit paths. But psmounterex.sys sits inside the core restore engine of two of the most popular enterprise backup products for Windows. It allows Macrium Reflect and Acronis Cyber Protect to surface a full system-image backup or an incremental snapshot as a virtual drive letter, enabling users to browse files, run integrity checks, and restore individual folders without performing a bare-metal recovery.

When KB5083769 lands, the blocklist entry for psmounterex.sys prevents the driver from loading. Attempts to mount an image in Macrium Reflect return error code 0x80070102 or a more opaque “Failed to mount image” dialog. Acronis Cyber Protect surfaces a “Mount operation failed” message. In both cases, the log files point to the inability to start the psmounterex.sys service, though the service may still appear installed and registered.

Impact on Macrium Reflect users

Macrium Reflect relies on psmounterex.sys for both its CBT (Changed Block Tracking) incremental backups and its Rapid Delta Restore functionality. When the driver is blocked, the mount operation is severed entirely. Incidentally, the scheduled backup jobs continue to run because they use a different code path for volume snapshot creation, but any post-backup verification step that depends on mounting the image will fail similarly.

For disaster recovery planning, the most acute pain point is validation. Admins frequently schedule nightly mounts after a backup completes to confirm the image is healthy. Starting April 14, those validation scripts broke silently — no mounts, no logs indicating success, just a string of failures that could go unnoticed until a real emergency reveals corrupted or unmountable archives.

Macrium Software issued a support note within hours, acknowledging the issue and recommending that users either postpone the Windows Update or roll back KB5083769 using the Windows Update uninstaller. Their longer-term fix involves reissuing psmounterex.sys with a new cryptographic signature that won’t match the blocklist entry, though the process requires recertification through Microsoft’s Windows Hardware Compatibility Program and may take several weeks.

Acronis Cyber Protect: same driver, same crisis

Acronis Cyber Protect shares the psmounterex.sys driver — a legacy of earlier joint development with Macrium or licensing agreements — and thus experiences identical symptoms. The mounting feature fails, and the Acronis Management Console starts throwing event ID 7026 errors indicating a boot-start or system-start driver failure. The company’s knowledge base article now advises users not to install KB5083769 on production machines until a patched driver is available.

Acronis’ disaster-recovery-as-a-service platform, which counts hundreds of thousands of protected endpoints, has seen an uptick in support tickets, particularly from SMBs where IT generalists handle backups. The mounting issue also exposes a broader tension: security updates that leverage the blocklist to protect the ecosystem don’t yet have a built-in exception workflow for legitimate software that inadvertently trips the alarms. The burden falls on the ISV to recertify, while end users scramble for workarounds.

Microsoft’s response and the April 14 security release

On April 14, 2026, Microsoft released a bundle of security updates for all supported Windows versions. KB5083769 addresses elevation-of-privilege vulnerabilities in the Windows Kernel (CVE-2026-1181, CVE-2026-1182) and includes the latest driver blocklist refresh. In its security release notes, Microsoft stated: “Some third-party software may be affected by this update if it uses a driver that has been added to the Windows Kernel vulnerable driver blocklist. Affected software may lose functionality. Microsoft recommends contacting the software vendor for an updated driver.”

The statement is technically accurate but fails to convey the scale of the problem given that the blocked driver powers core backup operations. Enterprise customers who rely on Automatic Updates or Windows Update for Business had the update pushed to their endpoints overnight, leading to widespread Monday-morning support calls. Microsoft has not yet issued a Known Issue Rollback (KIR) to temporarily reverse the blocklist entry, and it’s unclear if the blocklist can be rolled back individually without removing the entire security update.

Several system administrators have requested that Microsoft provide a per-driver exclusion capability for the blocklist, similar to the controlled folder access exclusion list in Microsoft Defender. Currently, the only workaround is to uninstall the update entirely, which also removes the security fixes for the kernel vulnerabilities — an untenable choice in regulated environments.

Workarounds and interim measures

If you’re affected, the immediate actions fall into three buckets:

  • Uninstall KB5083769 – Navigate to Settings > Windows Update > Update History > Uninstall updates and select KB5083769. After removal, reboot. This restores the driver’s ability to load but reopens the kernel vulnerabilities.
  • Delay the update via Windows Update for Business – For organizations using WUfB, configure a deferral policy with a 30-day period to buy time for a vendor patch.
  • Use alternative restore methods – Macrium Reflect allows you to boot from a rescue media and perform a full restore without mounting within Windows. Acronis Cyber Protect’s bootable media also bypasses the mounted-driver requirement for bare-metal recovery, though file-level recoveries become cumbersome.

There is no supported way to surgically remove just the psmounterex.sys blocklist entry short of editing the Image File Execution Options or modifying the DriverFixlet database, both of which violate Microsoft’s servicing agreements and could break future updates.

What the backup ISVs are doing

Both Macrium and Acronis have committed to releasing updated drivers with SHA-256 code-signing certificates issued after the blocklist cutoff date. Typically, Microsoft permits such drivers to load even if a previous version’s hash is on the blocklist. The companies are also exploring a shift from kernel-level drivers to user-mode mounting using the Win32 API’s CreateFile and DeviceIoControl with a filesystem minifilter, which would eliminate the blocklist risk entirely, but that rewrite requires months of development and regression testing.

Macrium communicated that an emergency patch for Reflect Home and Reflect 8 should arrive by late April 2026, with managed service provider (MSP) editions following a week later. Acronis projected a mid-May release for Cyber Protect 15. Customers on older versions that are out of support — Reflect 7 and Cyber Protect 12 — will not receive patched drivers and will need to either upgrade or freeze their Windows Update state permanently.

The wider lesson: blocklist collateral damage

The psmounterex.sys fiasco underscores a growing tension in the Windows security model. The vulnerable driver blocklist is a powerful tool that has neutralized dozens of real-world attacks — BYOVD (Bring Your Own Vulnerable Driver) techniques declined 43% in 2025 after Microsoft began aggressively listing signed drivers with known flaws. But as the list grows to encompass drivers that have legitimate, widespread use, the collateral damage ticks upward.

Earlier this year, a similar scenario played out when a widely used VPN driver was blocked, breaking Always On VPN connections for thousands of users. Each time, the response cycle is the same: Microsoft says contact the vendor, the vendor says they’re working on it, and admins are left holding a bricked feature for weeks. The ecosystem needs a middle ground — perhaps a time-limited grace period where a newly listed driver can still load with a warning, or an opt-in mechanism that lets IT departments explicitly approve a driver after a risk assessment.

What to do right now

If you haven’t deployed KB5083769 yet, pause Windows Update immediately. If you have, and you depend on backup image mounting, weigh the risk of removing the update against the loss of restore capability. For many, the ability to quickly recover files outweighs the kernel vulnerabilities, especially if other mitigations like Virtualization-Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI) are in place — features that already block many of the exploit paths the kernel fixes address.

Document your backup validation procedures and test your bootable recovery media. Ensure that your offsite backups aren’t just being created but can be mounted and read on a clean test machine that hasn’t received the April update. And pressure your backup vendor for a timeline — not just for the driver reissue, but for a long-term architecture that decouples backup mounting from kernel-level dependencies.

Microsoft’s next Patch Tuesday falls on May 12, 2026. If the blocklist remains unchanged in that release, the problem will persist on all systems that eventually install the update. The clock is ticking for a coordinated fix.