diff --git a/qubes/api/admin.py b/qubes/api/admin.py
index 13435a458..60417b18c 100644
--- a/qubes/api/admin.py
+++ b/qubes/api/admin.py
@@ -694,8 +694,11 @@ def pool_add(self, untrusted_payload):
         self.enforce(pool_name not in self.app.pools)
 
         driver_parameters = qubes.storage.driver_parameters(self.arg)
-        self.enforce(
-            all(key in driver_parameters for key in untrusted_pool_config))
+        unexpected_parameters = [key for key in untrusted_pool_config
+                                 if key not in driver_parameters]
+        if unexpected_parameters:
+            raise qubes.exc.QubesException(
+                'unexpected driver options: ' + ' '.join(unexpected_parameters))
         pool_config = untrusted_pool_config
 
         self.fire_event_for_permission(name=pool_name,
diff --git a/qubes/tests/api_admin.py b/qubes/tests/api_admin.py
index 0e7a1aa51..6623ba73b 100644
--- a/qubes/tests/api_admin.py
+++ b/qubes/tests/api_admin.py
@@ -768,7 +768,7 @@ def test_160_pool_add_invalid_param(self, mock_parameters, mock_drivers):
 
         add_pool_mock, self.app.add_pool = self.coroutine_mock()
 
-        with self.assertRaises(qubes.api.PermissionDenied):
+        with self.assertRaises(qubes.exc.QubesException):
             self.call_mgmt_func(b'admin.pool.Add', b'dom0',
                 b'driver1', b'name=test-pool\nparam3=some-value\n')
         self.assertEqual(mock_drivers.mock_calls, [unittest.mock.call()])