PatchDay Alert
Analysis · By The Patch Tuesday Desk · Patch Tuesday

Skip the optional preview: KB5083631 isn't worth your Tuesday morning

May 12 ships the same 34 fixes plus the month's security patches in one tested package. The preview brings the same risk for none of the upside.

KB5083631 lands in Settings this week with a “Download and install” button next to it. Skip it. May 12 ships the same 34 fixes bundled with the month’s security patches, in a release Microsoft has had three more weeks to test, and your fleet gets there either way.

The preview doesn’t introduce the headline operational pain that’s circulating right now — the Macrium and Acronis mount failures from the psmounterex.sys blocklist enforcement landed on April 14 with KB5083769, not on April 30 with this one. But KB5083631 carries that hardening forward, doesn’t add a single CVE patch of its own, and gates its three flashiest features behind Controlled Feature Rollout you can’t trigger from the client. It is a validation build wearing a release’s clothes.

Default call: skip it. Wait for Patch Tuesday. The rest of this post is why, and the narrow set of cases where the math flips.

What’s actually in the package

KB5083631 is the April 30, 2026 optional non-security preview cumulative for Windows 11 24H2 and 25H2, advancing those builds to 26100.8328 and 26200.8328. Bleeping Computer counted 34 changes and fixes. None of them are security patches. Microsoft’s servicing model is explicit on this point: optional previews are a validation window for next month’s cumulative, not a parallel security track.

The fixes that will actually move a needle for someone:

  • Delivery Optimization memory leak. The peer-to-peer update service had been quietly accumulating RAM until it showed up on endpoint monitoring.
  • Slow startup-app launch under Settings → Apps → Startup.
  • FAT32 format ceiling raised to 2 TB at the command line. The GUI formatter is unchanged. The 32 GB cap that has existed since Windows 98 is finally lifted, but only where imaging and provisioning scripts live.
  • File Explorer polish: the dark-mode white flash, orphaned explorer.exe processes lingering after windows close, better persistence of View and Sort preferences, and support for .uu, .cpio, .xar, and .nupkg archives.

Three headline features (Xbox mode, AI agent Taskbar APIs, a haptic feedback engine for supported pens and select mice) are gated behind Controlled Feature Rollout. Installing the preview to “get” Xbox mode is not a thing you can engineer for. CFR enablement runs on its own staging schedule and the client can’t force it.

So the preview’s real selling point is four reliability fixes and a command-line FAT32 change. Useful. Not urgent.

The driver blocklist is the inherited story

The most operationally significant thing carried in KB5083631 isn’t new and isn’t a regression. It’s a security hardening that arrived three weeks earlier with the April 14, 2026 Patch Tuesday update (KB5083769): psmounterex.sys was added to the Microsoft Vulnerable Driver Blocklist. The driver ships with Macrium Reflect 8.1.7544 and earlier, and it has a high-severity out-of-bounds write tracked as CVE-2023-43896 that allows local privilege escalation to SYSTEM. The CVE is two and a half years old. Microsoft has confirmed the blocklist update is the consequence.

If your backup mount feature broke this month, it broke at April Patch Tuesday, not at the preview. KB5083631 carries the enforcement forward; it doesn’t introduce it. That distinction matters for the skip decision: holding off on the preview does not get you the driver back.

Confirmed affected products:

  • Macrium Reflect 8.x
  • Acronis Cyber Protect Cloud
  • NinjaOne Backup
  • UrBackup Server

All of them lose the ability to mount backup images as virtual drives once the blocklist enforcement is in effect. Symptoms include VSS timeouts and VSS_E_BAD_STATE errors. Macrium Reflect X (v10) does not use the affected driver and is unaffected. Veeam Backup & Replication has been mentioned in adjacent reporting, but no source has confirmed its shipping psmounterex.sys version is the affected one. Treat Veeam as unconfirmed until your vendor says otherwise.

There is a registry workaround (HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable = 0) but it disables the entire blocklist for the whole machine. Trading a fleet-wide kernel security control to keep one backup vendor’s mount feature working is not a workaround. It’s a downgrade with extra steps.

Macrium has said a patched build is “in development.” No public release date as of early May 2026. Acronis, NinjaOne, and UrBackup have not published timelines.
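
A read-only endpoint check for the two facts this section turns on, as an added example that is not from Microsoft or any vendor named here: it reports whether the registry value above has been set to 0 and lists any registered kernel driver whose image is psmounterex.sys. Finding the driver through Win32_SystemDriver and the output field names are assumptions of this example.

```powershell
# Added example (not Microsoft or vendor code). Read-only; run elevated.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$valueName = 'VulnerableDriverBlocklistEnable'

# Only an explicit 0 is the "workaround" state the article warns against.
$raw = (Get-ItemProperty -Path $ciConfig -Name $valueName -ErrorAction SilentlyContinue).$valueName
$blocklistState = if ($null -eq $raw) { 'value not set' } elseif ($raw -eq 0) { 'DISABLED by registry value' } else { "set to $raw" }

# Any kernel driver service whose image file is psmounterex.sys, whichever
# backup product registered it. The service name is not assumed.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*psmounterex.sys' } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''   # strip an NT-style \??\ prefix
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service     = $_.Name
            State       = $_.State                     # Running / Stopped
            Path        = $path
            FileVersion = if ($file) { $file.VersionInfo.FileVersion } else { $null }
        }
    }

# One object per machine so results can be collected fleet-wide and exported.
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    BlocklistRegistry   = $blocklistState
    PsmounterexPresent  = (@($drivers).Count -gt 0)
    PsmounterexDrivers  = @($drivers)
}
```

A machine that reports the driver present needs the vendor's fixed build; a machine that reports the blocklist disabled has had the kernel control turned off and should be brought back in line.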

BitLocker, but only if you’ve earned it

The second confirmed issue is a BitLocker recovery prompt on first restart after install, on a narrow class of enterprise-hardened machines. The trigger needs all four conditions at once: BitLocker active on the OS drive; a Group Policy that explicitly includes PCR7 in the TPM platform validation profile for native UEFI firmware; msinfo32 reporting “PCR7 binding is not possible”; and the Windows UEFI CA 2023 certificate present in the Secure Boot database before the device has transitioned to the 2023-signed Boot Manager.

If you’re reading that list and nodding, you already know whether you have the policy. If you’re reading it and shrugging, you almost certainly don’t. Default-configured consumer and business machines are not in this path.

Microsoft’s workaround is to set the TPM platform validation policy to “Not configured” in Group Policy before installing, then rebind BitLocker. Or post-install, supply the recovery key once and correct the policy. Either way, the prerequisite is knowing every device on your fleet has its recovery key escrowed in AD or Azure AD. If you can’t audit that before Tuesday, that alone is a reason to wait.
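
A read-only pre-install check for the conditions above, as an added example that is not Microsoft's tooling. It assumes the native-UEFI validation policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI with one value per PCR index (verify against your own GPO); the msinfo32 "PCR7 binding" state and the Boot Manager transition are not scripted and still need a manual look.

```powershell
# Added example (not Microsoft code). Read-only; run elevated on the device.
$os         = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = @($os.KeyProtector)

# Condition: BitLocker active on the OS drive.
$bitlockerOn = "$($os.ProtectionStatus)" -eq 'On'

# Condition: Group Policy explicitly includes PCR7 for native UEFI firmware.
# Assumption: policy key and per-PCR value names as described in the lead-in.
$gpKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$gp         = Get-ItemProperty -Path $gpKey -ErrorAction SilentlyContinue
$gpPinsPcr7 = [bool]($gp -and $gp.Enabled -eq 1 -and $gp.'7' -eq 1)

# Condition: Windows UEFI CA 2023 already present in the Secure Boot db.
$has2023Ca = $null                       # stays $null if it cannot be read
try {
    $db = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
    $has2023Ca = [System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023'
} catch { }                              # legacy BIOS or variables unreadable

# Recovery password protectors: report IDs only, never the password itself,
# so they can be matched against what is escrowed in AD or Azure AD.
$recovery = @($protectors | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })

$call = if (-not $bitlockerOn) {
    'BitLocker not protecting the OS drive: trigger does not apply'
} elseif ($recovery.Count -eq 0) {
    'Hold: no recovery password protector on the OS volume'
} elseif ($gpPinsPcr7 -and $has2023Ca) {
    'Hold: check msinfo32 PCR7 binding and confirm key escrow before installing'
} else {
    'Scripted conditions not all met'
}

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    BitLockerOn          = $bitlockerOn
    GpoPinsPcr7          = $gpPinsPcr7
    DbHasUefiCa2023      = $has2023Ca
    RecoveryProtectorIds = $recovery.KeyProtectorId
    Call                 = $call
}
```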

Worth noting: KB5083631 also triggers up to two restarts during install on devices eligible for the 2023 Secure Boot certificate refresh. This is expected behavior. The extra restart writes updated certificate material ahead of the Windows UEFI CA 2011 certificate’s June 2026 expiry. On modern hardware it’s 10 to 15 minutes. Powering off mid-sequence can leave firmware in an inconsistent state, so don’t.

A user report on Microsoft Q&A claims all open windows randomly minimize to the taskbar after install. As of early May 2026, Microsoft has not acknowledged it and no major outlet has corroborated. Single-source. Treat it as anecdotal.

The decision

| Your situation | Call |
|---|---|
| Standard fleet, Patch Tuesday cadence | Skip. May 12 brings the same fixes plus security patches. |
| Macrium 8.x, Acronis CPC, NinjaOne, or UrBackup in your recovery plan | Hold. No vendor patch yet, and the preview won’t fix what April already broke. |
| BitLocker with PCR7 in the TPM validation GP, no audited key escrow | Hold. Audit escrow first. |
| Already symptomatic (DO RAM leak, explorer.exe pile-up, startup-app stalls, FAT32 > 32 GB at CLI) | Install in a pilot ring. |
| Dev/QA ring whose job is validating next month’s build | Install. That’s what the preview is for. |
| Auditing Secure Boot readiness for the June 2026 UEFI CA 2011 expiry | Install on test hardware. |

Skipping costs nothing on the security side. The blocklist hardening already arrived with April Patch Tuesday. The CVE-2024-30098 audit logging improvement is genuinely useful (it now includes the affected application name in events for the Windows Cryptographic Services bypass), but it is not a fire.

The window

May 12 is three days out from this writing. If you’re a shop that approves cumulatives in a pilot ring on Patch Tuesday and broad-deploys the following week, your real homework isn’t KB5083631 at all. It’s confirming the four affected backup products are accounted for, your BitLocker recovery key escrow is current, and your test ring has a machine that exercises both. Because every issue in this preview is going to ship again on May 12, this time bundled with the month’s CVE patches and no longer optional.

Optional previews exist so someone else finds the broken backup software first. This month, that someone else has already filed the report. The professional move is to read it.

PatchDay Alert covers Patch Tuesday and the off-cycle changes that should actually move your plan. KB5083631 isn’t one of them. May 12 will be.
