WireGuard, the major software and VPN project that powers popular security software including Mullvad and others, has found itself blocked from a key part of Microsoft’s developer account and unable to send software updates to Windows users.
Jason Donenfeld, the creator of the open-source WireGuard VPN software, told TechCrunch that he has been banned from his Microsoft developer account and therefore cannot sign drivers or send updates to WireGuard users for Windows, which are critical to running his software. Donenfeld said in a post on X on Wednesday that account termination stopped sending a WireGuard update.
It is the second such incident of a high-profile and widely used open source project being locked out of its customers due to an apparently abrupt account termination by Microsoft, with popular encryption software VeraCrypt facing a similar circumstance. Both developers said Microsoft locked them out of their accounts without notifying them.
In the case of VeraCrypt, which is used by hundreds of thousands of users to encrypt files and operating systems, its developer Mounir Idrassi told TechCrunch that locking out his account means he’s unable to update the software in time for a critical certificate authority to expire, which he said could prevent some users from booting.
Donenfeld, the developer of WireGuard, told TechCrunch in an email: “If there was a critical vulnerability to patch right now – there isn’t! I mean just hypothetically – then users would be completely exposed.”
WireGuard is an open source VPN software used worldwide to connect devices over the Internet. WireGuard’s code is particularly popular for its simplicity and security, serving as the foundation of many VPN applications and commercial services based on its code, such as Proton and Tailscale.
Donenfeld told TechCrunch in an email that he spent the past few weeks updating WireGuard’s Windows code and was ready to send a copy update to Microsoft for reviews before it was sent to users, but he encountered a “restricted access” error when logging into the developer section of his Microsoft account.
Despite the process of verifying his driver’s license or passport with Microsoft (the third party Microsoft uses for verification said it was “verified”), Donenfeld said his access is still suspended.
Donenfeld told TechCrunch that found a page on Microsoft’s website saying that the company was conducting “mandatory account verification for all Windows Hardware Program partners who have not completed account verification starting in April 2024,” but that the verification program has since been shut down.
Microsoft’s Windows Hardware Program allows developers like Donenfeld and VeraCrypt’s Idrassi to “deploy hardware and device drivers for Windows PCs and other devices.” The ability to develop and release drivers for Windows users is limited to well-known and vetted developers, as drivers can grant enormous access to an operating system and its data and are known to be abused by hackers for this reason.
This account verification process meant that developers had to upload their government-issued ID before they were allowed to publish potentially highly sensitive code to the wider Windows user base.
“Microsoft has never sent me any notification whatsoever about this. I’ve looked in every inbox in every spam folder in every mail log and zero, nothing,” Donenfeld said.
The Windows Hardware Program verification program is “now complete” and developers who haven’t uploaded their documents have had their accounts “suspended,” the page reads, meaning those accounts can no longer send updates.
Donenfeld said he was referred to Microsoft’s executive support team, which handles customer service and account requests for high-profile individuals, who confirmed his appeal had been received but that they had to wait up to 60 days for a review.
As of late Wednesday, there was a glimmer of hope in Donenfeld’s case. He told TechCrunch that he has finally been in touch with Microsoft and that hopefully the issue will be resolved soon.
Microsoft did not immediately comment when reached by TechCrunch.
Donenfeld and Idrassi are not alone, with account lockout issues affecting others as well.
Windscribe, a maker of VPNs and other consumer privacy tools, said in a post on X that he had also been banned from his Partner Center account. The company said it had a verified account for more than eight years in order to sign up its drivers.
“We’ve been trying to resolve this for over a month and getting nowhere. Support is non-existent,” Windscribe said in its post. “Does anyone know a person with a brain still working at Microsoft who can help?”
