Microsoft locks open source devs out of their accounts
Windows users of VeraCrypt and WireGuard are not currently receiving updates
Microsoft has locked the lead developers of two prominent open source security projects out of their accounts.
The company says it blocked the VeraCrypt and WireGuard developers' accounts due to their failure to complete a mandatory account verification process for the Windows Hardware Program. This process was introduced in October 2023, with a 30-day deadline for compliance.
Microsoft claims to have sent emails and reminders since October 2023, but the developers said they received no notifications or warnings before their accounts were suspended.
With their accounts inaccessable, the developers cannot sign Windows drivers and bootloaders or publish updates, security patches or new builds for their software for Windows users. Third-party software relies on signed drivers to function securely under Windows' Secure Boot and other security requirements.
VeraCrypt is cross platform open source disk encryption software, while WireGuard is a modern VPN protocol. Both have an estimated user base in the tens of millions.
Linux and macOS users are not affected.
The developers report a lack of communication, no clear appeals process, and difficulty reaching human support, which has exacerbated the issue.
"Microsoft terminated the account I have used for years to sign Windows drivers and the bootloader,” commented Mounir Idrassi of VeraCrypt on a post on Sourceforge. “Microsoft did not send me any emails or prior warnings. I have received no explanation for the termination and their message indicates that no appeal is possible."
Idrassi added: "I have tried to contact Microsoft through various channels, but I have only received automated replies and bots. I was unable to reach a human."
WireGuard head Jason Donenfeld said: "No warning at all, no notification. One day I sign in to publish an update, and yikes, account suspended. Currently undergoing some sort of 60 days appeals process, but who knows."
Fortunately, neither project has an urgent security issue requiring patching, which would put Windows users at risk.
WireGuard and VeraCrypt are not the only projects to suffer a block. Developers from Windscribe and MemTest86 say they have also been affected.
Following media coverage and a public outcry, Microsoft vice president Scott Hanselman intervened to help reinstate the suspended accounts. He said on X he has spoken to both Donenfeld and Idrassi, adding, “All being fixed as we speak.”