KB5083769 — the April 2026 Windows driver-blocking update

Microsoft released KB5083769on April 14, 2026, as part of the monthly Windows Security Update for Windows 11 24H2 and 25H2. It extended Microsoft's Vulnerable Driver Blocklist to cover additional kernel drivers. Two distinct categories of software were affected — and they require different remediation paths.

Two distinct failure categories

Most search traffic for KB5083769 comes from two groups. Identifying which applies to your situation determines what to do next.

Category 1 — Backup software stopped working

KB5083769 blocked psmounterex.sys, a kernel driver used by several widely-deployed backup products to mount disk images at the block level. Affected products include Macrium Reflect, Acronis Cyber Protect, NinjaOne Backup, and UrBackup Server. These products' backup jobs began failing or their agents lost the ability to complete volume-level snapshots.

Remediation for this category:The fix comes from the software vendor — each affected vendor has published or is publishing an updated version with a re-signed driver. Check the vendor's support site for a patch. WinUSBridge does not apply to psmounterex.sys or backup software drivers; the WinUSB-rebind pattern is specific to USB device drivers.

Category 2 — A USB device driver stopped loading

A smaller but real set of engineers encountered blocklisted drivers for USB peripherals: lab instruments, measurement hardware, programmers, legacy dongles, and custom devices using Cypress EZ-USB, FTDI, Silicon Labs, or similar chipsets. For these devices, if the vendor's kernel driver was added to the blocklist and the vendor is not actively maintaining the driver, the WinUSB-rebind path is a viable engineering remediation.

Remediation for this category: Use the decision tree to determine whether the rebind path fits your specific device. The check takes about two minutes and produces a clear yes/no.

What the update actually did

KB5083769 delivered an updated Vulnerable Driver Blocklist via the Windows Security Update mechanism. When the update installs, the policy initially enters audit mode: affected drivers still load, but Windows logs Event ID 3076 under Applications and Services Logs → Microsoft → Windows → CodeIntegrity → Operational.

Audit mode transitions automatically to enforcement mode after approximately 100 hours of active system uptime plus 3 reboots (2 reboots on Windows Server). After that transition, the same drivers are blocked from loading and Windows logs Event ID 3077. The affected device or software stops functioning.

For systems that received KB5083769 in April 2026, most have already passed the audit-to-enforcement threshold. If you are seeing device failures now, you are in enforcement mode.

How to check which driver is blocked

Open Event Viewer and navigate to:

Applications and Services Logs → Microsoft → Windows → CodeIntegrity → Operational

Filter for Event ID 3077 (blocked) or 3076 (audit). Each event record includes the full file path of the blocked driver under the File Name field in the event details. If the path ends in .sys and the filename belongs to a USB device (not a backup or storage driver), proceed to the decision tree.

For a deeper explanation of what these event IDs mean and how to read the event data, see the Event ID 3076 / 3077 reference page.

The WinUSB-rebind path for USB device drivers

If the blocked driver controls a USB device and the vendor is not issuing a re-signed update, the WinUSB-rebind pattern allows continued operation without modifying Windows security policy. The approach:

Rebind the device to Microsoft's in-box winusb.sys via a new INF file.
Reimplement the vendor's device initialisation in user mode using the WinUSB API.
Persist the binding through reboots and Windows Update cycles with a scheduled task.

No kernel signing, no WDAC policy edits, no Secure Boot interaction. The pattern page explains the approach in detail. The decision tree checks whether it applies to your device.

What WinUSBridge does not cover

Backup software driver failures (psmounterex.sys, Macrium, Acronis, NinjaOne, UrBackup) — these require vendor patches, not a USB rebind.
Filesystem, storage, or network drivers — the WinUSB-rebind pattern applies only to USB device drivers.
Isochronous USB devices(real-time audio, video streaming) — WinUSB's isochronous support is limited.
Devices requiring HID-class or kernel-mode IOCTLs — the decision tree routes these out explicitly.

Sources

April 2026 Windows security updates introduce protections to known vulnerable kernel drivers — Microsoft Support — official KB5083769 support article, affected driver list
The Windows Driver Policy — Microsoft Support — audit/enforcement mechanic, 100-hour transition, Event IDs
Microsoft recommended driver block rules — Microsoft Learn — full Vulnerable Driver Blocklist
WinUSB Installation — Microsoft Learn — INF generation for winusb.sys binding