Microsoft has banned the developer accounts of high-profile open-source projects, allegedly without warning, leaving them unable to publish software updates.
The alleged surprise ban left Windows users of these popular security products vulnerable to various threats, because the projects could no longer ship Windows updates. However, the developers can still publish software updates for Mac and Linux users.
Microsoft bans major open-source projects
Microsoft banned the developer accounts of various open-source projects, including Virtual Private Network (VPN) software Windscribe and WireGuard, free open-source disk encryption software VeraCrypt, and RAM diagnostic tool MemTest86. Other open-source project maintainers, who did not go public, were also likely affected by the ban.
Explaining the ban, Microsoft claimed the affected developer accounts had provided information that failed to meet the verification requirements. However, the tech giant did not give the banned developer accounts an opportunity to appeal or update their account details.
“There are no appeals available, we have closed your application,” the ban message stated.
Subsequently, the open-source project maintainers expressed their frustrations when trying to contact Microsoft. They claimed that Microsoft only sent automated messages.
“I have tried to contact Microsoft through various channels but I have only received automated replies and bots. I was unable to reach a human,” said VeraCrypt developer Mounir Idrassi.
However, WireGuard maintainer Jason A. Donenfeld said appeals were possible via support tickets, but they required a non-suspended account.
“The appeals process requires filing a support ticket, but filing a support ticket requires a non-suspended account… Catch-22,” the developer stated.
After jumping through hoops to submit the support ticket via Azure, the WireGuard developer claims they were told to wait for 60 days. Such a delay could give attackers ample time to exploit the software if it were affected by an actively exploited remote code execution (RCE) vulnerability.
“What if there were some critical RCE in WireGuard, being exploited in the wild, and I needed to update users immediately?” Donenfeld asked.
Major oversight by developers or miscommunication by Microsoft?
Microsoft says it has emailed developers since October 2025 about the new developer verification requirements, which were announced in April 2024 and kicked off on October 16. Failure to comply resulted in automatic suspension of the developer accounts.
On March 30, Microsoft also announced that the verification process had concluded and that all unverified developer accounts would be automatically suspended and would not be eligible to appeal.
“Accounts that did not successfully complete account verification and received a Rejected verification status have been suspended from the Windows Hardware Program, and submissions from these accounts are no longer permitted.”
Additionally, Microsoft’s EVP for Windows and Devices, Pavan Davuluri, stated that the tech giant had published a blog article reminding developers to complete the verification process to avoid a total ban.
In 2023 and 2024, Google tightened verification requirements for Play Store developer accounts, requiring identity verification. However, the tech giant set clear deadlines and posted notifications and banners, reminding operators to complete the verification process on time.
“The automated suspension of developer accounts for critical open-source projects like WireGuard and VeraCrypt highlights a fragile point of failure in the software supply chain: the centralized gatekeeping of kernel-level trust,” said John Carberry, Solution Sleuth, Xcape. “While Microsoft attributes the lockouts to a mandatory identity verification sweep for its Windows Hardware Program, the execution – marked by zero effective notification and a 60-day appeal process – is a catastrophic failure of partner communication.”
“For security products that rely on signed drivers to function under Secure Boot, this is not just an administrative hurdle; it is a total block on emergency patching. If a zero-day were discovered in these tools tomorrow, millions of Windows users would be left defenseless because of a ‘Rejected’ status in an automated verification dashboard,” added Carberry.
Microsoft reinstates banned developer accounts of high-profile open-source projects
Microsoft has acknowledged the faux pas and promised it was working to reinstate the banned developer accounts of high-profile open-source projects.
“We’ve seen these reports and are actively working to resolve this as quickly as possible,” said Microsoft’s EVP for Windows and Devices. “We’ve reached out to VeraCrypt and have spoken to Jason at WireGuard, they should be back up and running soon.”
Still, it makes you wonder whether other open-source projects would have received the same treatment if this ban had not made headlines.
“Although executive intervention is currently fast-tracking reinstatements for high-profile maintainers, this incident proves that the current attestation model lacks the resilience required for critical infrastructure,” added Carberry.
Even more concerning is the fact that the affected open-source projects are major cybersecurity products used by millions of people. Nevertheless, Microsoft claims it had given the necessary alerts and says it is working to rectify the situation.

