Microsoft confirms: April 2026 security updates cause malfunctions in backup applications

Microsoft has confirmed that the April 2026 security updates are causing failures in third-party backup applications that use the psmounterex.sys driver. This issue, first reported by BleepingComputer last week, affects software that uses Volume Shadow Copy Service (VSS) snapshots and causes failures due to a VSS service timeout.

Among the affected software are products from Macrium (Reflect), Acronis (Cyber Protect Cloud), UrBackup Server, and NinjaOne Backup, operating on Windows 11, Windows Server, and Windows 10 devices.

Technical details and causes of the problem

Microsoft has updated its support documents to confirm that the April updates include a security change that adds psmounterex.sys to the company's list of blocked vulnerable drivers. This change aims to protect users from attacks exploiting a high-severity buffer overflow vulnerability (CVE-2023-43896), which allows attackers to escalate privileges or run arbitrary code.

Microsoft has advised affected users to update to the latest versions of their applications, which use newer drivers and include the necessary protections.

Behaviors observed on affected systems

On affected systems, where the vulnerable driver is blocked by Windows Code Integrity enforcement, IT administrators and users may observe the following behaviors:

  • Backup applications that depend on the kernel driver psmounterex.sys may fail to mount backup image files as virtual disks.
  • Attempts to explore or restore from a backup image may result in errors or timeouts.
  • Failures may be followed by error messages, such as "Backup failed because Microsoft VSS timed out during snapshot creation" or VSS_E_BAD_STATE.
  • The Event Viewer may display Code Integrity errors indicating that psmounterex.sys was blocked from loading.
  • Creating backups (full image backups) may still succeed, but image mounting operations will fail.

Microsoft's recommendations

"In the April 2026 Windows security update, we added the known vulnerable kernel driver psmounterex.sys to the Vulnerable Driver Blocklist. Backup applications that depend on this driver may experience failures when attempting to mount or manage disk images," Microsoft told BleepingComputer.

"We do not recommend uninstalling or pausing this update. Customers with an affected driver should install the latest versions of the applications and validate them against the driver blocklist to remain protected."

How to verify driver blocking

To verify if Microsoft's Vulnerable Driver Blocklist blocks a driver, interested customers can look for Event ID 3077 with Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816} in the Code Integrity operational log.

To do this, right-click on Start, select Event Viewer, go to 'Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational' in the left pane, and look for Event ID 3077 in the central pane.
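
The same check can be scripted for use across many machines. The following is an added example, not code from Microsoft or from the original article; the 30-day look-back window and the output property names are assumptions, while the log path, event ID, policy ID and driver name are the ones given above.

```powershell
# Added example: search the Code Integrity operational log for blocklist hits.
# Log path, event ID, policy ID and driver name are taken from the article.
$LogName    = 'Microsoft-Windows-CodeIntegrity/Operational'
$EventId    = 3077
$PolicyId   = 'D2BDA982-CCF6-4344-AC5B-0B44427B6816'   # braces dropped for matching
$DriverName = 'psmounterex.sys'
$Since      = (Get-Date).AddDays(-30)                  # assumption: 30-day look-back

try {
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = $LogName; Id = $EventId; StartTime = $Since
    } -ErrorAction Stop)
} catch {
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

$hits = foreach ($e in $events) {
    $raw = $e.ToXml()
    # Match on the raw XML so the check does not depend on EventData field names.
    if ($raw -notlike "*$DriverName*") { continue }

    # Collect the named EventData fields for later inspection.
    $fields = [ordered]@{}
    foreach ($d in ([xml]$raw).GetElementsByTagName('Data')) {
        $name = $d.GetAttribute('Name')
        if ($name) { $fields[$name] = $d.InnerText }
    }
    [pscustomobject]@{
        TimeCreated     = $e.TimeCreated
        Computer        = $e.MachineName
        BlocklistPolicy = ($raw -like "*$PolicyId*")   # True: event cites the policy ID above
        EventData       = $fields
    }
}

if ($hits) {
    $hits | Sort-Object TimeCreated | Format-List TimeCreated, Computer, BlocklistPolicy
    "{0} block event(s) for {1} since {2:d}" -f @($hits).Count, $DriverName, $Since
} else {
    "No Event ID $EventId entries for $DriverName since $($Since.ToString('d'))"
}
```

A hit with BlocklistPolicy set to True identifies a host where the backup product still ships the blocked driver and needs the vendor's updated version. Run the script in an elevated PowerShell session if the log cannot be read.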

Other reported issues

Earlier this month, Microsoft warned that some Windows Server 2025 devices may also boot into BitLocker recovery mode, requiring users to enter the BitLocker key after installing the KB5082063 update.

Microsoft has also released out-of-band (OOB) updates to address issues affecting Windows Server systems, which have caused failures in installing updates and reboot loops after installing the April 2026 security updates.

User comments

A user reported not experiencing issues with Terabyte Unlimited's Image for Windows, specifying they are not affiliated with them.

Impact on the MSP sector

The situation highlights critical challenges for Managed Service Providers (MSPs), which are forced to balance security and operational continuity. Experts emphasize how security updates, while essential, can create temporary vulnerabilities in backup systems. For MSPs managing multiple clients, handling such disruptions requires updated protocols and proactive communication with end users.

Temporary alternative solutions

Some administrators have reported success using alternative solutions such as local Volume Shadow Copy Service (VSS) or third-party snapshots while waiting for official patches. However, Microsoft strongly discourages such workarounds, as they may expose systems to unmitigated security risks.

Long-term consequences

Analysts predict this incident may accelerate the adoption of cloud-based backup solutions, less dependent on system drivers. Software providers are already reporting an increase in demand for hybrid solutions that combine local and cloud backups, with more flexible recovery options.

Recommendations for companies

Organizations should consider implementing:

  • Periodic backup testing on isolated environments before applying system updates
  • Validated alternative recovery plans
  • Continuous monitoring of security patches

Security considerations

The vulnerability CVE-2023-43896, at the heart of these security measures, has been exploited in targeted attacks. Organizations must maintain high alert against potential exploits resulting from outdated system configurations.

Global scenario

This situation fits into a broader context of increasing cyberattacks exploiting third-party vulnerabilities. Technology companies are collaborating to improve vulnerability reporting and resolution processes, but end users must be prepared to manage transition periods during critical updates.
