WireGuard, the major software project and VPN that supports popular security software including Mullvad and others, has found itself locked out of a key part of its Microsoft developer account and unable to send software updates to Windows users.
Jason Donenfeld, the creator of the open source WireGuard VPN software, told TechCrunch that he has been locked out of his Microsoft developer account and as a result cannot sign drivers or send updates to WireGuard to Windows users, which are essential for its software to run. Donenfeld said in a post on X on Wednesday that the account termination prevented a WireGuard update from being sent.
It is the second such incident in which a high-profile and widespread open source project has been shut out from its customers due to an apparently abrupt account termination by Microsoft, with popular encryption software VeraCrypt facing a similar situation. Both developers said Microsoft locked them out of their accounts without warning them first.
In the case of VeraCrypt, which is used by hundreds of thousands of users to encrypt files and operating systems, its developer Mounir Idrassi told TechCrunch that being locked out of his account means he is unable to update the software in time for a crucial certificate authority expiration, which he said could prevent some users from booting.
Donenfeld, the WireGuard developer, told TechCrunch in an email: “If there was a critical vulnerability to fix right now — there isn’t! I mean just hypothetically — then users would be completely exposed.”
WireGuard is an open source VPN software used worldwide to connect devices over the Internet. WireGuard’s code is very popular for its simplicity and security, as it serves as the foundation for many VPN implementations and commercial services that rely on its code, such as Proton and Tailscale.
Donenfeld told TechCrunch in an email that he has spent the past few weeks modernizing WireGuard’s Windows code and was ready to send a copy update to Microsoft for review before it can be sent to users, but was met with an “access restricted” error when he logged into the developer portion of his Microsoft account.
Despite going through the process to verify his driver’s license or passport with Microsoft (the third party Microsoft uses for verification said he was “verified”), Donenfeld said his access was still suspended.
Donenfeld told TechCrunch that he found a page on Microsoft’s website that said the company had performed “mandatory account verification for all Windows Hardware Program partners who have not completed account verification since April 2024,” but that the verification program had since been closed.
Microsoft’s Windows Hardware Program allows developers like Donenfeld and VeraCrypt’s Idrassi to “deploy hardware and device drivers for Windows PCs and other devices.” The ability to develop and release drivers for Windows users is limited to known and vetted developers, as drivers can provide enormous access to an operating system and its data and are known to be misused by hackers for that reason.
This account verification process meant that developers had to upload their government-issued ID before they were allowed to release potentially highly sensitive code to the wider Windows user base.
“Microsoft has never sent me any notice whatsoever about this. I’ve looked in every inbox, every spam folder, every email log, and zero, nothing, zero,” Donenfeld said.
The Windows hardware program verification program has “now ended,” and developers who haven’t uploaded their documents had their accounts “suspended,” the page says, meaning those accounts can no longer send updates.
Donenfeld said he was referred to Microsoft’s executive support team, which handles customer service and account requests for high-profile individuals, who confirmed that his appeal had been received, but that they had to wait as long as 60 days for review.
As recently as Wednesday, there was a glimmer of hope in Donenfeld’s case. He told TechCrunch that he was finally in touch with Microsoft and that the issue would hopefully be resolved soon.
Microsoft did not immediately comment when reached by TechCrunch.
Donenfeld and Idrassi are not alone, and the account lockout issues are affecting others as well.
Windscribe, a maker of VPN and other consumer protection tools, said in a post on X that it had also been locked out of its Partner Center account. The company said it had a verified account for over eight years to sign up its drivers.
“We’ve been trying to resolve this for over a month and getting nowhere. Support is non-existent,” Windscribe said in its post. “Does anyone know a human with a brain still working at Microsoft who can help?”