Microsoft just locked the developer account of Jason Donenfeld, the person responsible for the widely used open-source VPN technology, WireGuard. This cut off his ability to sign drivers and ship updates to those who use Windows. The lockout leaves millions of users open to potential security gaps, without any clear timeline for resolution.
Donenfeld confirmed the issue to TechCrunch, warning of the danger this creates. According to his statement, if any critical vulnerability should surface in the long run, though there isn’t at the moment, users would for sure get hit.
WireGuard powers some of the internet’s most trusted security infrastructure. Proton VPN, Tailscale, and Mullvad all build on its code. Its simplicity and strong security record have made it the backbone of countless commercial VPN services worldwide. A developer account lockout, however routine it may seem on Microsoft’s end, carries serious consequences for this ecosystem.
Microsoft’s silent verification sweep blindsides developers
Microsoft’s Windows Hardware Program recently wrapped up a mandatory account verification exercise requiring all enrolled developers to upload government-issued identification. The program targeted partners who had not completed verification since April 2024. Developers who missed the window had their accounts suspended without warning.
Donenfeld had no idea the deadline existed. Microsoft sent him nothing; no email, no alert, no notification of any kind. “I’ve looked in every inbox, every spam folder, every mail log, zero, nothing, zilch,” he said.
He discovered the policy only after stumbling onto a page buried in Microsoft’s website. By then, the verification window had already closed. His account was suspended, and his ability to push a pending WireGuard update to Windows users was dead on arrival.
In contrast, Google’s recent privacy policy updates focus on giving Chrome extension users more control over their data and introducing additional privacy protections, showing a different approach to platform governance that prioritizes user transparency over developer verification.
He had spent weeks modernizing WireGuard’s Windows code and was ready to submit it for Microsoft’s checks when an “access restricted” error stopped everything.
Donenfeld attempted to fix the situation through Microsoft’s own verification process, completing an ID check with the third-party service Microsoft uses. That service confirmed his identity. Microsoft still kept his access suspended.
His case eventually reached Microsoft’s executive support team, which handles high-profile account issues, but that team told him the review process could take up to 60 days.
WireGuard is not the only victim
WireGuard’s lockout is not an isolated case. Microsoft’s verification sweep has caught other major developers in the same trap.
Encryption software VeraCrypt, which hundreds of thousands of users rely on to encrypt files and entire operating systems, suffered the same fate. Its developer, Mounir Idrassi, told TechCrunch that Microsoft locked him out of his account without any prior notice.
His situation carries an even sharper urgency, the lockout prevents him from updating VeraCrypt ahead of a critical certificate authority expiry. That expiry, he warned, could prevent some users from booting up their systems entirely.
Windscribe, a VPN and consumer privacy tools company, also confirmed that Microsoft locked it out of its Partner Center account, despite holding a verified account for over eight years.
According to Windscribe on X, they’ve tried resolving this for more than a month, and all to no avail. Support is non-existent. “Does anyone know a human with a brain that still works at Microsoft and can help?” Windscribe asked.
The Windows Hardware Program exists for a legitimate reason. Drivers carry enormous access to an operating system’s core functions, and hackers have historically exploited them to breach systems. Restricting driver publishing to vetted developers makes sense as policy. Suspending accounts with no warning, however, undermines the very developers keeping Windows users secure.
A partial resolution emerges but damage lingers
By late Wednesday, Donenfeld’s case showed signs of movement. He told TechCrunch that Microsoft had finally made contact and that a resolution appeared to be within reach. Microsoft, however, offered no public comment when TechCrunch reached out.
The broader damage, though, remains. Multiple high-profile open-source projects lost weeks of update capability, leaving their users unable to receive patches during that window. Microsoft’s silent sweep prioritised compliance paperwork over the security of millions of Windows users who depend on these tools daily.
The impact is particularly significant for WireGuard users because the protocol’s speed advantages have made it the preferred choice for privacy-conscious users who don’t want to sacrifice performance, and any delay in updates could leave these users vulnerable.
For Donenfeld and the wider open-source community, the episode underscores a fragile reality; one policy change, one missed email, one closed verification window, and critical software stops moving.
