WireGuard, an open-source VPN project used by security software including Mullvad and others, has been blocked from shipping Windows updates after its creator, Jason Donenfeld, reported that Microsoft locked his developer account. Donenfeld told TechCrunch that the account termination prevented him from signing drivers and sending WireGuard updates for Windows users—a critical issue because Windows driver signing is required for software to install and function on the platform.
Account Lockout Halts WireGuard’s Windows Update Pipeline
According to Donenfeld’s account to TechCrunch, he was locked out of his Microsoft developer account without prior notification, preventing him from signing the necessary drivers or shipping updates for WireGuard for Windows. Donenfeld said in a post on X on Wednesday that the account termination stopped a WireGuard update from shipping.
The mechanism is straightforward: without access to the Microsoft developer account, the project cannot perform the steps required to produce signed artifacts for Windows users. Driver signing is a prerequisite for updates to reach Windows deployments. Donenfeld noted that he had spent the past few weeks modernizing WireGuard’s Windows code and was ready to send an update when the account was locked.
Second Open-Source Project Faces Similar Account Termination
This is the second high-profile case of an open-source project being shut out from its distribution channel due to what developers describe as an abrupt account termination from Microsoft without prior notice. In a parallel incident, VeraCrypt developer Mounir Idrassi told TechCrunch that being locked out of his Microsoft account meant he could not update the software in time for a crucial certificate authority expiry, which he said may prevent some users from booting.
Both developers reported that Microsoft locked them out of their accounts without first alerting them. In WireGuard’s case, Donenfeld told TechCrunch that he could not ship updates for Windows users. He also said in an email: “If there were a critical vulnerability to fix right now — there isn’t! I just mean hypothetically — then users would be totally exposed.”
Why This Matters for VPNs and Security Software on Windows
WireGuard is open-source VPN software used globally to connect devices over the internet. Its code is widely adopted for its simplicity and security, and it serves as the foundation for many VPN implementations and commercial services, including Proton and Tailscale.
The impact of the account lockout is distribution-related: updates for Windows depend on the ability to sign drivers and publish update artifacts. If that signing step is blocked, downstream users may be unable to receive fixes or time-sensitive changes. While the incident centers on account access rather than a flaw in WireGuard’s code, the operational consequence is significant. Donenfeld’s statement underscores that a hypothetical urgent fix would leave users exposed if updates cannot be shipped, highlighting a broader dependency: security projects often rely on external platforms and credentials to deliver updates.
What Comes Next
The immediate question for WireGuard users is whether the project can regain the ability to sign drivers and resume Windows updates. Donenfeld said the account termination stopped a WireGuard update from shipping, indicating a disruption to the normal release cadence.
More broadly, the VeraCrypt example suggests that account access issues can intersect with time-based security maintenance. The two incidents involve different projects, but in both, loss of Microsoft account access affected the ability to update software in ways required for continued operation. For the industry, this could prompt increased attention to how open-source maintainers handle signing credentials and how their update pipelines depend on third-party platforms. The TechCrunch report does not describe any policy change from Microsoft or concrete remediation steps, so it remains unclear how quickly maintainers can restore Windows release capability after account access is disrupted.
Source: TechCrunch