Microsoft auto-suspends VeraCrypt, WireGuard, MemTest86 dev signing accounts
Original source
Microsoft suspends dev accounts for high-profile open source projects
Microsoft silently suspended Windows Hardware Program signing accounts belonging to the maintainers of WireGuard, VeraCrypt, MemTest86, and Windscribe, cutting off their ability to publish signed Windows builds and security patches. The maintainers received no individual warning, reached only bots and automated replies when they tried to appeal, and faced a 60-day process with no guarantee of reinstatement. WireGuard’s Jason Donenfeld flagged the obvious failure mode: a critical RCE under active exploitation would have no path to a signed emergency update.
Microsoft VP Scott Hanselman responded only after TechCrunch reported the story, attributing the suspensions to a mandatory partner verification process that has been running since October 2025, with accounts left in a rejected state auto-suspended on March 30. Microsoft EVP Pavan Davuluri acknowledged communication gaps and said the company would review how it signals such changes. In practice, reinstatement appears to require press attention rather than the documented appeal channel: VeraCrypt’s Mounir Idrassi confirmed that his account moved only after media coverage.
The incident exposes a structural fragility in the Windows code-signing supply chain. Kernel-mode drivers on current Windows releases must be signed by Microsoft through the Hardware Dev Center (attestation or WHQL signing) before they will load, and Secure Boot signing of third-party UEFI binaries runs through the same program, so losing the account does not by itself invalidate binaries already shipped, but it does block signing any new build, including a patched one. A single vendor’s automated compliance sweep can therefore sever the update path for security-critical OSS that runs on millions of Windows endpoints, with no out-of-band escalation route for maintainers. Bulk verification logic was applied to projects whose disruption carries asymmetric downstream risk, and the human-review backstop did not function until journalists were involved.
This is an AI-generated summary of the BleepingComputer article; read the original for the full story.