
Microsoft confirms that April Windows updates cause backup failures

Microsoft has confirmed that the April 2026 security updates cause failures in third-party backup software that uses the psmounterex.sys driver.

As BleepingComputer reported last week, this issue affects software that uses VSS (Volume Shadow Copy Service) snapshots and causes failures due to VSS service timeouts.

Affected software includes, but is not limited to, products from Macrium (Reflect), Acronis (Cyber Protect Cloud), UrBackup Server, and NinjaOne Backup running on Windows 11, Windows Server, and Windows 10 devices.

Microsoft has now updated its support documentation to confirm that the April updates include a security-enhancing change that adds psmounterex.sys to the company’s list of vulnerable drivers, protecting users from attacks that target a buffer overflow vulnerability (CVE-2023-43896) allowing attackers to escalate privileges or execute arbitrary code.

Microsoft also advises those affected by the problem to update to a new version of their operating system that uses the latest drivers, which include the necessary protection.

On affected systems, when the vulnerable driver is blocked by Windows Code Integrity, IT administrators and users may see the following behavior:

  • Backup applications that rely on the psmounterex.sys kernel driver may fail to mount backup image files as virtual drives.
  • Attempting to browse or restore from a backup image may result in errors or timeouts.
  • Failures may be followed by error messages, such as “Backup failed because Microsoft VSS timed out during snapshot creation” or VSS_E_BAD_STATE.
  • Event Viewer may display Code Integrity errors indicating that psmounterex.sys has been prevented from loading.
  • Backup creation (full image backups) may still succeed, but image mount operations will fail.

“In the April 2026 Windows security update, we added the known vulnerable kernel driver psmounterex.sys to the Vulnerable Driver Blocklist. Backup applications that rely on this driver may fail when trying to mount or manage disk images,” Microsoft told BleepingComputer.

“We do not recommend uninstalling or disabling this update. Customers with the affected driver should install the latest versions of the applications and verify the driver’s block list to remain protected.”

To check whether the Microsoft Vulnerable Driver Blocklist is blocking the driver, affected customers can look for ‘Event ID 3077’ with Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816} in the Code Integrity log, which indicates that the psmounterex driver is blocked.

Entry of ‘Event 3077’ in Event Viewer (Microsoft)

To do that, right-click Start, select Event Viewer, go to ‘Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational’ in the left pane, and look for Event ID 3077 in the middle pane.
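The same check can be scripted in PowerShell for machines where clicking through Event Viewer is impractical. This is an added example, not code from Microsoft or the original article; it assumes the policy ID and file name appear somewhere in the event's data fields and matches on field values rather than on specific field names.

```powershell
# Added example: find Code Integrity block events (ID 3077) for psmounterex.sys
# that were raised under the policy ID quoted in the article.
$LogName    = 'Microsoft-Windows-CodeIntegrity/Operational'
$PolicyId   = '{D2BDA982-CCF6-4344-AC5B-0B44427B6816}'
$PolicyBare = $PolicyId.Trim('{', '}')   # the GUID may be logged with or without braces
$Driver     = 'psmounterex.sys'

# Get-WinEvent raises an error when nothing matches, so treat that as "no events".
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 3077 } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read the structured <EventData> fields instead of the rendered message,
    # whose wording depends on the system display language.
    $xml    = [xml]$e.ToXml()
    $values = foreach ($d in $xml.Event.EventData.Data) { [string]$d.'#text' }

    # Assumption: the blocked file path ends with the driver name and the
    # policy GUID appears in one of the fields.
    $driverMatch = $values | Where-Object { $_ -like "*$Driver" }
    $policyMatch = $values | Where-Object { $_ -like "*$PolicyBare*" }

    if ($driverMatch -and $policyMatch) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            BlockedFile = @($driverMatch)[0]
            PolicyId    = @($policyMatch)[0]
        }
    }
}

if ($hits) {
    $hits | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
    Write-Output "$(@($hits).Count) block event(s) for $Driver under policy $PolicyId."
} else {
    Write-Output "No Event ID 3077 entries for $Driver under policy $PolicyId were found."
}
```

An empty result only means no matching block event is in the current log; older entries may already have been overwritten.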

Earlier this month, Microsoft warned that some Windows Server 2025 devices may boot and enter BitLocker recovery mode, prompting users to enter the BitLocker key after installing the KB5082063 update.

Microsoft also released out-of-band (OOB) updates to fix issues affecting Windows Server systems that caused update installation failures and restart loops after installing the April 2026 security updates.
