Microsoft Locked Out VeraCrypt, WireGuard, and Windscribe: What Happened and Why It Matters

IT & Systems
, , , ,
1

In April 2026, Microsoft’s automated enforcement of a new policy locked out the developers of VeraCrypt, WireGuard, and Windscribe from shipping Windows updates. Here is what happened, why it matters, and what you should do.

What Happened

Starting around April 7, 2026, developers of several widely used open-source security tools began reporting that their Microsoft Partner Center accounts had been suspended without warning.

The three most prominent projects affected were:

  • VeraCrypt: open-source full disk encryption, used by an estimated one million Windows users
  • WireGuard: fast, modern VPN protocol with a widely used Windows client
  • Windscribe: VPN service with a Windows application requiring signed kernel drivers
  • MemTest86: memory testing tool that requires kernel-level access

VeraCrypt developer Mounir Idrassi was the first to go public, posting to the VeraCrypt SourceForge forum that his account had been terminated with no prior warning, no explanation, and no path to appeal. Repeated attempts to reach Microsoft through official channels returned only automated replies.

WireGuard creator Jason Donenfeld ran into the same wall when he tried to certify a new kernel driver for Windows and found his account showing as access restricted. He located a Microsoft appeals process, but it listed a 60-day response window. Windscribe reported it had held a verified Partner Center account for over eight years before the suspension hit.

Why This Happened

Microsoft introduced a mandatory identity verification requirement for all Windows Hardware Program partners who had not completed verification since April 2024. The policy took effect on October 16, 2025, giving partners a 30-day window from notification to verify with a government-issued ID. That ID also had to match the name of the Partner Center primary contact on file.

Accounts that missed the deadline or failed verification were suspended, with no further submissions allowed.

Microsoft EVP for Windows and Devices Pavan Davuluri said the company had sent emails, banners, and reminders ahead of the deadline. Some of those communications never reached the developers. Windscribe noted it spent over a month trying to resolve the issue internally before going public.

The policy exists for a real reason. Kernel driver signing is a gating mechanism that stops malicious software from loading at the deepest level of Windows. Tightening the identity requirements for who can sign drivers is not unreasonable on its face. The failure was in the execution and in the support process that left critical security developers with no path to resolve the issue.

The Impact on Users

This is the part that matters to you as a user.

Kernel driver signing is required for software to load on Windows at the system level. Without a valid signed driver, Windows flags the software and blocks it from running. For encryption and VPN tools, this is not optional.

VeraCrypt developer Mounir Idrassi warned that if the suspension remained unresolved, Secure Boot would refuse to allow VeraCrypt to encrypt system drives as of June 2026. He described this as a potential “death sentence for VeraCrypt” on Windows.

WireGuard simply could not ship any updates for its Windows client. Any security patches needed during that window could not reach users.

The core problem: the security of your data on Windows is not fully in the hands of the tool developers you trust. It also depends on whether those developers maintain standing with Microsoft’s administrative systems.

How It Was Resolved

The incident gained wider attention when Epic Games CEO Tim Sweeney highlighted it publicly. That brought it to the direct attention of Pavan Davuluri. Microsoft VP Scott Hanselman stepped in on X to confirm the company was working to fix it, describing the suspensions as an administrative paperwork issue rather than intentional enforcement against these projects.

Hanselman stated he had personally reached out to both Mounir Idrassi and Jason Donenfeld.

WireGuard had its account restored by April 9, 2026. VeraCrypt’s account was confirmed restored by April 14, 2026. Both developers confirmed they could resume signing and shipping Windows updates.

Microsoft said it would review how it communicates policy changes of this type to developers going forward. No formal policy change to the enforcement process was announced.

What This Means for Open Source on Windows

The accounts were restored. But the incident exposed something worth thinking about.

Every open-source security tool that ships a Windows kernel driver is one administrative failure away from being unable to update. The appeals process for a suspended account listed a 60-day window. For a security tool, 60 days without the ability to patch a vulnerability is a serious gap.

This also connects to a broader pattern. Open-source projects typically run on small teams, sometimes a single developer. They do not have dedicated Microsoft relations staff. A large company with an account manager would likely have resolved this in hours. A solo developer gets automated replies.

If you use security-sensitive tools on Windows, this is worth keeping in mind when you think about your update and patch habits. Always run the latest version of tools like VeraCrypt and WireGuard, especially after incidents like this where delayed updates create gaps.

What You Should Do Right Now

  1. VeraCrypt on Windows: confirm you are running the latest signed release from veracrypt.fr. If you had auto-updates paused during April 2026, update now.
  2. WireGuard on Windows: confirm you are on the latest release from wireguard.com. Jason Donenfeld confirmed updates resumed after account restoration.
  3. Any kernel-level security tool on Windows: check for updates if you did not do so between early April and mid-April 2026.

Related Reading

Sources

Encryption in Transit and At Rest: What Each One Does and When You Need Both