Macrium Reflect Hit by Windows 11 Security Block After KB5083769 and KB5083631
Registry edit workaround available, but it reduces system security
Microsoft has added a driver used by Macrium Reflect to its vulnerable driver blocklist, leading to backup-related issues on some Windows 11 systems, as reported by Neowin. The change appeared after recent updates, including KB5083769 from April Patch Tuesday and the newer KB5083631 preview update.
The issue stems from Microsoft blocking the psmounterex.sys driver, which Macrium Reflect relies on to mount backup images as virtual drives. Once blocked, users can no longer browse or access those images directly.
Security measure causes compatibility problems
The vulnerable driver blocklist in Windows 11 exists to prevent malicious or outdated kernel drivers from being exploited. Microsoft uses it to block drivers that could enable privilege escalation or arbitrary code execution.
In this case, the blocked driver is linked to CVE-2023-43896, a vulnerability that allowed out-of-bounds memory writes. Attackers could use this flaw to gain elevated privileges and potentially execute code at the kernel level.
Microsoft’s decision to block the driver aligns with its ongoing effort to strengthen system security. However, the move has created unintended side effects for users relying on Macrium Reflect for backups.
What users are experiencing
After installing the affected updates, users report several issues when working with backup images:
- Inability to mount or browse backup files as virtual drives
- Restore operations failing or timing out
- Errors such as “VSS has timed out during snapshot creation”
- VSS_E_BAD_STATE messages appearing during backup tasks
Event Viewer logs also show Code Integrity blocks, often with Event ID 3077. Users can verify the issue by checking the Code Integrity Operational log and looking for Policy ID {D2BDA982-CCF6-4344-AC5B-0B44427B6816}.
Despite these problems, full backup creation generally continues to work as expected.
Why the driver is still blocked
Microsoft considers the block intentional and part of its security hardening strategy. The company keeps the driver on the blocklist until it meets updated security requirements.
This situation becomes more complex because Macrium reportedly patched the vulnerability back in October 2023. However, older versions of the software, particularly version 8.1, still rely on the affected driver. Newer releases, such as version 10, avoid using it.
For now, Microsoft has not provided an official fix or exception.
Workaround exists, but comes with risks
Some users have found a temporary workaround by disabling the vulnerable driver blocklist through the registry:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0 /f
This requires administrator privileges and a system restart. While it restores functionality, it lowers system security and exposes the system to potential kernel-level threats. It should only be used as a short-term measure.
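To confirm the Code Integrity block described earlier and to audit whether the blocklist has been switched off on a machine, the PowerShell script below can be run from an elevated session. It is an added example, not code from the article, Microsoft or Macrium; the 30-day look-back window and the approach of matching the driver name against the raw event XML are assumptions.

```powershell
# Added example: audit script, not from the article or any vendor.
# Run from an elevated PowerShell session on the affected Windows 11 machine.

$driver   = 'psmounterex.sys'                         # driver named in the article
$policyId = '{D2BDA982-CCF6-4344-AC5B-0B44427B6816}'  # Policy ID quoted in the article
$logName  = 'Microsoft-Windows-CodeIntegrity/Operational'
$days     = 30                                        # assumed look-back window

# 1. Collect Code Integrity block events (Event ID 3077) from the look-back window.
#    SilentlyContinue also hides "no events found", so an empty result is normal.
$filter = @{ LogName = $logName; Id = 3077; StartTime = (Get-Date).AddDays(-$days) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# 2. Keep only events whose XML mentions the driver, and note whether the
#    event also references the Policy ID given in the article.
$blocks = foreach ($e in $events) {
    $xml = $e.ToXml()
    if ($xml -match [regex]::Escape($driver)) {
        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            RecordId      = $e.RecordId
            PolicyIdMatch = ($xml -match [regex]::Escape($policyId))
        }
    }
}

# 3. Read the registry value that the workaround sets to 0.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$name = 'VulnerableDriverBlocklistEnable'
$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
$state = if ($null -eq $prop) {
    'value not set'
} elseif ($prop.$name -eq 0) {
    'set to 0 (blocklist disabled by the workaround)'
} else {
    "set to $($prop.$name)"
}

# 4. Report both findings.
if ($blocks) {
    $blocks | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    "No Event ID 3077 entries mentioning $driver in the last $days days."
}
"$name : $state"
```

Run across a fleet, the registry check in step 3 identifies machines where the workaround was applied and never reverted.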
This case highlights a familiar trade-off in modern Windows updates. Microsoft continues to prioritize security by blocking risky drivers, even when it disrupts legitimate workflows.
The long-term solution will likely depend on updated drivers or changes to the blocklist. Until then, users affected by the issue may need to upgrade their backup software or adjust workflows.
In parallel, Microsoft has also released a new set of Windows 11 Dynamic Updates, continuing its broader effort to improve system stability and deployment reliability.