WireGuard, a major software project and VPN behind popular security software such as Mullvad, has been locked out of key parts of Microsoft developer accounts, preventing it from distributing software updates to Windows users.
Jason Donenfeld, developer of the open source WireGuard VPN software, told TechCrunch that he has been locked out of his Microsoft developer account and, as a result, cannot sign drivers or distribute updates for WireGuard for Windows users that are essential to running the software. Donenfeld said in a post on X on Wednesday that WireGuard updates have been stopped due to account suspension.
This is the second incident in which a well-known and widely used open source project has been locked out of customers due to a surprise suspension from Microsoft, with popular encryption software VeraCrypt also facing a similar situation. Both developers said Microsoft locked them out of their accounts without first warning them.
In the case of VeraCrypt, which is used by hundreds of thousands of users to encrypt files and operating systems, developer Munir Idrash told TechCrunch that being locked out of an account means the software cannot be updated in time for key certificate authority expirations, potentially leaving some users unable to launch.
WireGuard developer Donnenfeld told TechCrunch in an email: “If there was a critical vulnerability that needed to be fixed right now – and there is not! Hypothetically – then users would be completely at risk.”
WireGuard is open source VPN software used around the world to connect devices over the Internet. WireGuard's code is extremely popular for its simplicity and security, as it serves as the basis for many VPN implementations and commercial services (such as Proton and Tailscale) that rely on it.
Donenfeld told TechCrunch in an email that he had spent the past few weeks modernizing WireGuard's Windows code and was ready to send a copy update to Microsoft for checking before shipping it to users, but encountered a “restricted access” error when logging into the developer portion of his Microsoft account.
Donnenfeld said that even though he went through the process of getting his driver's license or passport verified with Microsoft (the third party Microsoft uses for verification said he was “verified”), his access was still suspended.
Donnenfeld told TechCrunch that he found a page on Microsoft's website stating that the company was “requiring all Windows Hardware Program partners who have not yet completed account verification to do so starting in April 2024,” but that the verification program has since ended.
Microsoft's Windows Hardware program allows developers like Donenfeld and VeraCrypt's Idrassi to “deploy hardware and device drivers for Windows PCs and other devices.” Because drivers can grant vast access to the operating system and its data, and are therefore known to be exploited by hackers, the ability to develop and release drivers for Windows users is restricted to vetted and known developers.
This account verification process meant that developers had to upload a government-issued ID before releasing sensitive code to the broader Windows user base.
“Microsoft hasn't sent me any notifications about this. I've looked in every inbox, every email log, every spam folder, and there's nothing,” Donnenfeld said.
The Windows Hardware Program Validation Program has been “terminated,” and developers who fail to upload documentation have had their accounts “suspended,” the page says, and those accounts will no longer be able to submit updates.
Donnenfeld said he was referred to Microsoft's executive support team, which handles customer service and celebrity account requests, which confirmed that his appeal had been received, but said he had to wait 60 days for a review.
By late Wednesday, there was a glimmer of hope in Donnenfeld's case. He told TechCrunch that he has finally been able to get in touch with Microsoft and hopes the issue will be resolved soon.
Microsoft did not immediately comment when contacted by TechCrunch.
The account lockout issue is also affecting others, and Donnenfeld and Idrassi are not alone.
Windscribe, a maker of VPNs and other consumer privacy tools, said in a post on X that it was also locked out of its Partner Center account. The company said it had had verified accounts for more than eight years to sign drivers.
“We have been trying to resolve this issue for over a month and have been unsuccessful. Support is non-existent,” Windscribe said in a post. “Do you know anyone who still works at Microsoft who has the brains to help?”