KB5083769 Breaks Macrium and Acronis: psmounterex.sys

April 2026 update blocks psmounterex.sys driver. Macrium and Acronis cannot mount images. Update vendor agent or test restores manually.

Windows 11 KB5083769 (and the parallel KB5083631) added psmounterex.sys to the Microsoft vulnerable driver blocklist. Backup tools that ship that driver, including Macrium Reflect, Acronis Cyber Protect, NinjaOne Backup, and UrBackup, can no longer mount or browse image files. Jobs still complete, but restores break.

Quick Fix

Update the backup vendor agent to the latest signed build that ships a non-vulnerable driver, then reboot. Confirm the new driver loads:

Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" -MaxEvents 100 |
  Where-Object { $_.Message -match 'psmounterex' } |
  Select-Object TimeCreated, Id, Message

After the update, you should see no new Event ID 3077 entries for psmounterex.sys. Then run a real test restore to verify image mounting works.

What This Does

Microsoft is enforcing Code Integrity against a known-bad version of the driver. The vendor patch ships a rebuilt driver with the required hardening, which loads cleanly under the blocklist. Updating the agent is the supported path. Microsoft is not rolling the change back.

If That Did Not Work

Find every copy of the driver and check signatures:

Get-ChildItem -Path C:\ -Recurse -Filter psmounterex.sys -ErrorAction SilentlyContinue |
  ForEach-Object {
    [pscustomobject]@{
      Path    = $_.FullName
      Version = (Get-Item $_.FullName).VersionInfo.FileVersion
      Sig     = (Get-AuthenticodeSignature $_.FullName).Status
    }
  }

If an old driver is still on disk, the vendor uninstaller missed it. Remove the agent fully, reboot, and reinstall the latest build.

Do not disable the Microsoft vulnerable driver blocklist as a workaround. It is the same control that blocks BYOVD ransomware drivers. If you must mount an image to recover a single file, do it on an isolated and segmented machine, pull the file, and rebuild the host.

What Causes This

The April 2026 cumulative update added psmounterex.sys to the kernel driver blocklist because of CVE-2023-43896, a high-severity buffer overflow that lets a local attacker escalate to SYSTEM. Code Integrity now refuses to load any vulnerable build of the driver, which is the mount layer most third-party backup tools rely on for browsing images as virtual drives.

Need a backup audit and restore test? Rain City Techworks handles managed IT and disaster recovery for businesses in the Seattle and Tacoma area.