Microsoft confirms April Windows updates cause backup failures

Source: Bleeping Computer

Microsoft has confirmed that the April 2026 security updates are causing failures in third‑party backup applications that use the psmounterex.sys driver. The issue affects software that relies on VSS (Volume Shadow Copy Service) snapshots and results in a VSS service timeout.

Impacted Software

The problem has been observed with, but is not limited to, the following products:

• Macrium Reflect – see discussion on Reddit.
• Acronis Cyber Protect Cloud – see Acronis knowledge base article.
• UrBackup Server – see forum thread.
• NinjaOne Backup – see Reddit discussion.

These applications run on Windows 11, Windows 10, and Windows Server devices.

Microsoft’s Response

Microsoft has updated its support documentation to confirm that the April updates include a security‑hardening change that adds psmounterex.sys to the company’s vulnerable driver blocklist. This blocklist protects users from a high‑severity buffer‑overflow vulnerability (CVE‑2023‑43896) that could allow privilege escalation or arbitrary code execution.

“In the April 2026 Windows security update, we added the known vulnerable kernel driver psmounterex.sys to the Vulnerable Driver Blocklist. Backup applications that rely on this driver may experience failures when attempting to mount or manage disk images,” Microsoft told BleepingComputer.

Microsoft advises affected customers to:

1. Update to the latest version of the backup application that uses newer drivers with the required protections.
2. Do not uninstall or pause the April update.

Symptoms on Impacted Systems

When the vulnerable driver is blocked by Windows Code Integrity enforcement, you may observe:

• Backup applications that rely on psmounterex.sys fail to mount backup image files as virtual drives.
• Attempting to browse or restore from a backup image results in errors or timeouts.
• Error messages such as “The backup has failed because Microsoft VSS has timed out during the snapshot creation” or VSS_E_BAD_STATE.
• Event Viewer entries indicating Code Integrity errors for psmounterex.sys.
• Full image backups may still succeed, but image‑mount operations will fail.

Detecting the Blocklist Action

To verify whether the Vulnerable Driver Blocklist has blocked the driver:

1. Open Event Viewer (right‑click Start → Event Viewer).
2. Navigate to Applications and Services Logs → Microsoft → Windows → CodeIntegrity → Operational.
3. Look for Event ID 3077 with Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816}.

‘Event 3077’ entry in Event Viewer (Microsoft)

Related Windows Server Issues

Earlier in April, Microsoft warned that some Windows Server 2025 devices might boot into BitLocker recovery mode after installing the KB5082063 update. The company also released out‑of‑band (OOB) updates to address:

• Update installation failures on Windows Server systems.
• Restart loops affecting certain domain controllers.

These updates aim to resolve the broader stability problems introduced by the April 2026 security patches.