Microsoft Locks OSR Out of Driver Signing After VeraCrypt, WireGuard, Windscribe
Why is this Microsoft meme funny?
Level 1: The Only Key-Maker in Town
Imagine a town where, by law, every shop's front-door key must be cut by one single locksmith — no exceptions, no competitors. One week the locksmith's shop starts turning people away over paperwork mix-ups: first a small bakery, then the pharmacy, then the hardware store, and finally the person who taught the locksmith how to cut keys in the first place. Nobody can open their shops, the locksmith won't explain, and the whole town is yelling. The post is one bystander watching this unfold and concluding that this many "coincidences" means the problem isn't the shopkeepers — something is badly broken inside the locksmith's office, and everyone is locked out until someone there notices.
Level 2: Words You'll Meet in the Postmortem
- Driver: software that runs inside the operating system's core (the kernel) to talk to hardware or hook low-level behavior. Kernel code can do anything, so Windows refuses to load drivers that aren't cryptographically signed.
- Driver signing / attestation: the vendor uploads their driver to Microsoft's Partner Center, and Microsoft applies a digital signature vouching for it. No signature, no load — there's no "Are you sure? [Yes]" button for kernel drivers on a normal machine.
- OSR, VeraCrypt, WireGuard, Windscribe: respectively, the most respected Windows-internals consultancy, the standard open-source disk-encryption tool, a widely admired VPN protocol, and a commercial VPN. All need kernel drivers; all reported being locked out.
- Single point of failure: when one component's outage takes down everything depending on it. Junior engineers learn this about databases and load balancers; this episode teaches that bureaucratic processes can be one too. Your CI/CD pipeline can be green everywhere and your release still dies in someone else's approval queue.
Level 3: The Disrespect and Disregard
"After 30+ years of signing windows drivers, we have been locked out of driver signing like many other companies."
That quoted line is from @OSRDrivers — and if that name means nothing to you, that's exactly the point of the poster's "Holy FUCKING shit." OSR is the consultancy that effectively wrote the institutional knowledge of Windows driver development: the seminars, the NT Insider articles, the debugging lore Microsoft's own documentation quietly leans on. Locking OSR out of driver signing is like the DMV revoking the license of the person who designed the driving test.
The escalation pattern the poster narrates is the truly damning part. One lockout (VeraCrypt — disk encryption) is an anecdote. Two (WireGuard — the VPN protocol whose Windows kernel driver is a model citizen) is a coincidence. Then Windscribe, and then OSR — and the charitable explanation he initially offered ("oh two people probably made a small mistake, bureaucracy, dumb stuff, weird coincidence") collapses into "a galactic level of fuck up happening somewhere." That's an experienced observer doing incident triage in public: ruling out user error as the lockouts correlate, concluding the fault is systemic — a policy change, a compliance sweep, or an automated trust-and-safety process that nobody with judgment is reviewing.
This is the recurring nightmare of platform gatekeeper risk, the same dynamic developers know from app-store delistings and ad-account bans: your entire business depends on a counterparty whose enforcement arm is an unaccountable queue, whose support channel is a black hole, and whose mistakes are rate-limited only by public shaming on X. The companies hit here aren't fly-by-night adware shops; they're security-critical open-source projects and a 30-year institution. When the compliance process designed to keep malware out of the kernel ends up blocking VeraCrypt while actual attackers cheerfully abuse stolen EV certs and vulnerable signed drivers (the whole BYOVD cottage industry), you get the bitter punchline: the gate inconveniences the law-abiding and merely annoys the criminals. The channel caption — "Legal department vibing really hard too I guess" — lands because everyone assumes the root cause will turn out to be some compliance or legal-process change that nobody war-gamed against its own ecosystem.
Level 4: Ring 0 Has a Landlord
Since 64-bit Windows Vista, Kernel-Mode Code Signing (KMCS) has meant the kernel refuses to load any driver whose signature doesn't chain to a Microsoft-trusted root. Windows 10 build 1607 tightened the screw: new kernel drivers must be signed by Microsoft itself through the Hardware Dev Center / Partner Center attestation process — vendors submit a .cab, Microsoft's portal signs the binary with the "Windows Hardware Compatibility Publisher" certificate, and only then will ci.dll (Code Integrity) bless its load. Cross-signing with third-party CAs was sunset; there is no alternate path short of telling users to disable Secure Boot or boot with testsigning on, which no legitimate vendor can ship.
The security rationale is real — signed-driver enforcement plus HVCI raises the cost of kernel rootkits enormously — but the architecture is a textbook single point of failure: every kernel-mode vendor on Earth funnels through one bureaucratic pipeline with one account system, one email-verification flow, and one appeals process. The kernel's threat model assumes a hostile world; the signing portal's threat model apparently assumes everyone clicks their verification emails on time. When the gatekeeper hiccups, the failure isn't graceful degradation — it's a hard STATUS_IMAGE_CERT_REVOKED-shaped wall between a vendor and 1.4 billion machines.
Description
A dark-mode X (Twitter) post reacting in profanity-laden disbelief: 'Microsoft locked out OSR?! Holy FUCKING shit. I thought VeraCrypt and WireGuard was bad. Dawg, someone at Microsoft is fucking up BAD. This is ridiculous.' The author recounts that the initial excuse was unverified emails ('oh two people probably made a small mistake, bureaucracy, dumb stuff, weird coincidence') 'But then Windscribe... AND OSR?! What the fuck is going on at Microsoft? There is a galactic level of fuck up happening somewhere.' Below is a quoted post from verified @OSRDrivers (1d): 'After 30+ years of signing windows drivers, we have been locked out of driver signing like many other companies. In a word, the disrespect and disregard w... Show more'. Context: Microsoft's Windows hardware/driver signing program (Partner Center attestation) locked out longtime kernel-driver vendors - OSR (the legendary Windows internals consultancy), VeraCrypt, WireGuard, and Windscribe - blocking them from shipping signed drivers and exposing how a single mandatory gatekeeper can break the entire Windows driver ecosystem through bureaucratic process failures
Comments
65Comment deleted
Thirty years of writing the book on Windows drivers, defeated not by PatchGuard but by an email verification flow - the kernel's most privileged ring turns out to be Partner Center
Don't interrupt your enemy making a mistake Comment deleted
Just stop using Windows and let's see how fast they drop their crap Comment deleted
Any alternatives in mind? Comment deleted
Linux? That way, you can keep using the same hardware Just assuming not everyone will be willing to pay for 🍎 Comment deleted
But can it run solidworks? (Extra points if can run pirated solidworks) or Photoshop? Or m$office compatible office? Comment deleted
You are forgetting this is a Dev chat, not general engineering. Linux is not the alternative it's the main solution Comment deleted
So you mean if I am a dev, then I have no need in using non-dev tools? Fine Comment deleted
You might have a need, but probably not a professional need, which means you can dictate what you use. You don't have a company demanding you use a specific 3d modelling solution thay have a licence to for example Comment deleted
Switching to other cad means I can no longer meaningfully share source files with manufacturer and I limit myself by step/stl. Same with adobe stuff and especially office. And by the way, do you know any of "free open source suckless halal linux" alternatives for solidworks, and rest? Comment deleted
STEP and STL are standards, they exist for the purpose of sharing between cad software Comment deleted
Do you share ELF files instead of source code? Comment deleted
STEP is not a windows specific file, it was designed with the goal of cad software interop Comment deleted
neither are real solutions tho Comment deleted
idk, can windows? Comment deleted
What? Comment deleted
i can for example run f360 just fine on linux Comment deleted
but on windows it just works like shit Comment deleted
I wasn't really able to test sw, but in my memory it performed worse than f360 anyway in terms of being a good cad Comment deleted
You’re forgetting how MANY windows as main OS devs is out there, and how many devs have job in one of other way directly linked to it Comment deleted
I'd still wager it's a minority Comment deleted
Also, surprise, surprise, you have to alter your workflows if you migrate to a new os, this is true for migrating from Linux to Windows as well Comment deleted
but it's software for professionals. 99.99% of office workers do well without them. nowadays people simply ask ai to edit their pictures. libreoffice and onlyoffice are Ms compatible. Comment deleted
>Ms compatible. Do you really worked with them? I don't meet incompatibility problems often by myself, but according to mother, libreoffice documents from customers are almost always broken Comment deleted
i worked with those and never got any problems on my side Comment deleted
same applies to Ms office when dealing with different versions and even locales. if you have studied recently, you may recall that you always need to have your presentation as a pdf, because sometimes every office format fails. sharing raw documents is just the wrong way to go. Comment deleted
>you always need to have your presentation as a pdf Fair one. Comment deleted
Gsuite. All your arguments are from the position of not wanting to adapt. There absolutely are reasons to use windows, but you just microsloped your brain to jelly and sit in the swamp of your own accord Comment deleted
>sit in the swamp of your own accord Man... I use both windows and pinux (and second one is actually main os). I had a two year period of "only penguin os" and it was terrible so I switched back to dualboot. In the end goal of OS is to run software and halalOS can't do it sometimes Comment deleted
google doc is doing quite well indeed. but Europeans have a rising concern about it running on American servers and we are taking a independence course. for personal usage may be ok — but for corporate needs may be not. Comment deleted
same applies to msoffice Comment deleted
MS* Comment deleted
Android, it just needs to support more Windows software Comment deleted
WTF is OSR? Comment deleted
🤷♂️ Comment deleted
Came here to ask the same question. Comment deleted
In the context of Windows, I can only remember "OEM Service Release", of which Windows 95 had a couple — the last one labeled as "Windows 95 OSR 2.5", for example. Those turned into Service Packs later. Comment deleted
Its a windows software consultancy company Comment deleted
Noname company Comment deleted
Anyway, after intervention from MS VP it got resolved Comment deleted
"Someone". "Something", to be precise. And you can't blame it because its a thing not a person Comment deleted
I don't know what the hell this OSR is and what they do, but this guy is seriously talking about respect from Microslop. 🤡 Comment deleted
Getting and processing verification emails and etc. is a task thats asks to be done by AI. Screwing it up silently during processing and ignoring such a verifications and leaving some people unverified is a bug you would expect from AI. Comment deleted
horray centralization Comment deleted
@morryrebbykh hello Comment deleted
So, how is wine doing nowadays? Comment deleted
What wrong with veracryp? Comment deleted
They were also locked put of their microslop account Comment deleted
Ms forgot this Comment deleted
Now they'll face the consequences Comment deleted
Centralized signing is bullshit in the first place, especially when it's done by the platform owners Comment deleted
ong ong bro dawg this is fucked up bad BAD! Comment deleted
Not sure if step supports nondestructive editing, I'll check it later. BTW still not a single word about what are this Linux alternatives. Comment deleted
FreeCAD, libreOffice, Google suite Comment deleted
>freecad ... Comment deleted
Don't know shit about photo editing, so idk what are the alternatives for Photoshop Comment deleted
What's up with animations in libreoffice impress?) Comment deleted
didn't use this one though Comment deleted
Also, isn't switching to google contradicts with "let's avoid corporate slop such as bindows"? Comment deleted
"Lets avoid Microslop" is the first goal Comment deleted
Also, I'm on MacOS, I already sold my soul to the corporate overlords Comment deleted
axiom of choice ("аксиома эскобара") in practice Comment deleted
it doesn't have to be this way tho, and i don't really know why would anyone lock themselves into either msoffise or gsuite. Both are bad, and not really compatible even with each other Comment deleted
lo works better than gsuite for compat with msoffice, so rejecting the former and not the latter just sounds to me like willing lock-in Comment deleted
almost as-if that discussion happened a billion times and was steered to the conclusion "oh i'm just a corpo chud fml anyhow" Comment deleted