A wave of abrupt account suspensions within Microsoft’s developer ecosystem has left several high-profile open-source security projects unable to ship vital software updates. WireGuard, the modern VPN protocol that powers services like Mullvad, Proton, and Tailscale, is among the most prominent victims of this administrative lockdown.
The Driver Signing Deadlock
Jason Donenfeld, the creator of WireGuard, reported being locked out of his Microsoft developer account just as he was prepared to ship modernized code for Windows users. This is not a mere login error; it is a functional roadblock. Because Windows requires cryptographically signed drivers to ensure system security, a developer without account access cannot authorize the low-level code necessary for a VPN to function.
Donenfeld noted that while no active exploits currently exist, the lockout creates a dangerous vacuum. If a zero-day vulnerability were discovered today, he would be powerless to push a patch to Windows users, leaving them indefinitely exposed.
A Pattern of Silent Suspensions
WireGuard is not alone in this struggle. Other essential security tools are facing similar hurdles:
- VeraCrypt: Developer Mounir Idrassi warned that the lockout prevents him from updating a crucial certificate authority. Without this update, some users may eventually be unable to boot their encrypted systems.
- Windscribe: The VPN provider claimed they have been locked out for over a month despite having a verified account for eight years, describing Microsoft’s support as “non-existent.”
The Verification Trap
The root of the issue appears to be a mandatory verification sweep for the Windows Hardware Program. Microsoft recently required partners to submit government-issued identification to maintain their status. However, affected developers claim they received no prior warning or email notifications.
While Donenfeld eventually submitted his ID through a third-party portal, his account remained restricted. Microsoft’s executive support suggested a review could take up to 60 days—an unacceptable timeline for maintaining critical security infrastructure.
Though Donenfeld has recently established contact with Microsoft to resolve the matter, the incident highlights the fragility of the open-source supply chain when it relies on centralized, automated gatekeepers.
