global: raise min windows version to 10

zx2c4 · zx2c4 · commit ab1ee1f63247 · 2026-03-21T11:38:06.000+01:00
Since we're also bumping the PE subsystem header to 10.0, this means we need a _load_config with the proper flags. So there's some work to be done here. This also means bumping LLVM and Go builds. In the case of Go, the patch is still pending: https://go-review.googlesource.com/c/go/+/756680 , so it's a custom build. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
diff --git a/Makefile b/Makefile
@@ -25,7 +25,7 @@ define download =
 	if ! mv $$@.unverified $$@; then rm -f $$@.unverified; exit 1; fi
 endef
 
-$(eval $(call download,go.tar.gz,https://go.dev/dl/go1.26.1.linux-amd64.tar.gz,031f088e5d955bab8657ede27ad4e3bc5b7c1ba281f05f245bcc304f327c987a))
+$(eval $(call download,go.tar.gz,https://download.wireguard.com/windows-toolchain/distfiles/go1.26.1-linux_amd64_2026-03-21.tar.gz,47eaffc1fe0a495051b0c894858c567c00fe17cdfda04cbd1b5b5fc8b516e0b1))
 $(eval $(call download,wireguard-nt.zip,https://download.wireguard.com/wireguard-nt/wireguard-nt-0.10.1.zip,772c0b1463d8d2212716f43f06f4594d880dea4f735165bd68e388fc41b81605))
 
 .deps/go/prepared: .distfiles/go.tar.gz
diff --git a/build.bat b/build.bat
@@ -4,7 +4,7 @@ rem Copyright (C) 2019-2026 WireGuard LLC. All Rights Reserved.
 
 setlocal enabledelayedexpansion
 set BUILDDIR=%~dp0
-set PATH=%BUILDDIR%.deps\llvm-mingw\bin;%BUILDDIR%.deps\go\bin;%BUILDDIR%.deps;%PATH%
+set PATH=%BUILDDIR%.deps\bin;%BUILDDIR%.deps;%PATH%
 set PATHEXT=.exe
 cd /d %BUILDDIR% || exit /b 1
 
@@ -13,14 +13,14 @@ if exist .deps\prepared goto :render
 	rmdir /s /q .deps 2> NUL
 	mkdir .deps || goto :error
 	cd .deps || goto :error
-	call :download go.zip https://go.dev/dl/go1.26.1.windows-amd64.zip 9b68112c913f45b7aebbf13c036721264bbba7e03a642f8f7490c561eebd1ecc || goto :error
-	rem Mirror of https://github.com/mstorsjo/llvm-mingw/releases/download/20201020/llvm-mingw-20201020-msvcrt-x86_64.zip
-	call :download llvm-mingw-msvcrt.zip https://download.wireguard.com/windows-toolchain/distfiles/llvm-mingw-20201020-msvcrt-x86_64.zip 2e46593245090df96d15e360e092f0b62b97e93866e0162dca7f93b16722b844 || goto :error
+	call :download go.zip https://download.wireguard.com/windows-toolchain/distfiles/go1.26.1-windows_amd64_2026-03-21.zip 5dee0cfdad62aaa838937ce816daa6614c2648435ea867c98aec9ef3d1dd0c84 "--strip-components 1" || goto :error
+	rem Mirror of https://github.com/mstorsjo/llvm-mingw/releases/download/20260311/llvm-mingw-20260311-ucrt-x86_64.zip
+	call :download llvm-mingw-ucrt.zip https://download.wireguard.com/windows-toolchain/distfiles/llvm-mingw-20260311-ucrt-x86_64.zip dd4c67d98959479c7be2fb6709ba074475991590848cb9d0eb2620be06b182e1 "--strip-components 1" || goto :error
 	rem Mirror of https://imagemagick.org/download/binaries/ImageMagick-7.0.8-42-portable-Q16-x64.zip
 	call :download imagemagick.zip https://download.wireguard.com/windows-toolchain/distfiles/ImageMagick-7.0.8-42-portable-Q16-x64.zip 584e069f56456ce7dde40220948ff9568ac810688c892c5dfb7f6db902aa05aa "convert.exe colors.xml delegates.xml" || goto :error
 	rem Mirror of https://sourceforge.net/projects/ezwinports/files/make-4.2.1-without-guile-w32-bin.zip
 	call :download make.zip https://download.wireguard.com/windows-toolchain/distfiles/make-4.2.1-without-guile-w32-bin.zip 30641be9602712be76212b99df7209f4f8f518ba764cf564262bc9d6e4047cc7 "--strip-components 1 bin" || goto :error
-	call :download wireguard-tools.zip https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-1ee37b8e4833a25efe6f1fc0d5bdcb476148f4ba.zip ed0739bc3e5a7021a59d4cc4fc63e5fb60a0cb8628d30515a747bfbdcf1fdb0a "--exclude wg-quick --strip-components 1" || goto :error
+	call :download wireguard-tools.zip https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-a92d534395227ded1595c25ab250266ab18e377a.zip 9fad2fe0bf3303a6b9e970096ecdfbaea8cb73cd260d6bdb1718a584e888bfff "--exclude wg-quick --strip-components 1" || goto :error
 	call :download wireguard-nt.zip https://download.wireguard.com/wireguard-nt/wireguard-nt-0.10.1.zip 772c0b1463d8d2212716f43f06f4594d880dea4f735165bd68e388fc41b81605 || goto :error
 	copy /y NUL prepared > NUL || goto :error
 	cd .. || goto :error
@@ -36,7 +36,7 @@ if exist .deps\prepared goto :render
 	set GOOS=windows
 	set GOARM=7
 	set GOPATH=%BUILDDIR%.deps\gopath
-	set GOROOT=%BUILDDIR%.deps\go
+	set GOROOT=%BUILDDIR%.deps
 	if "%GoGenerate%"=="yes" (
 		echo [+] Regenerating files
 		go generate ./... || exit /b 1
diff --git a/embeddable-dll-service/build.bat b/embeddable-dll-service/build.bat
@@ -4,7 +4,7 @@ rem Copyright (C) 2019-2026 WireGuard LLC. All Rights Reserved.
 
 setlocal
 set BUILDDIR=%~dp0
-set PATH=%BUILDDIR%..\.deps\llvm-mingw\bin;%BUILDDIR%..\.deps\go\bin;%PATH%
+set PATH=%BUILDDIR%..\.deps\bin;%PATH%
 set PATHEXT=.exe
 cd /d %BUILDDIR% || exit /b 1
 
@@ -16,9 +16,9 @@ if exist ..\.deps\prepared goto :build
 	set GOOS=windows
 	set GOARM=7
 	set GOPATH=%BUILDDIR%..\.deps\gopath
-	set GOROOT=%BUILDDIR%..\.deps\go
+	set GOROOT=%BUILDDIR%..\.deps
 	set CGO_ENABLED=1
-	set CGO_CFLAGS=-O3 -Wall -Wno-unused-function -Wno-switch -std=gnu11 -DWINVER=0x0601
+	set CGO_CFLAGS=-O3 -Wall -Wno-unused-function -Wno-switch -std=gnu11 -DWINVER=0x0A00
 	call :build_plat x86 i686 386 || goto :error
 	call :build_plat amd64 x86_64 amd64 || goto :error
 	call :build_plat arm64 aarch64 arm64 || goto :error
diff --git a/embeddable-dll-service/csharp/DemoUI/app.manifest b/embeddable-dll-service/csharp/DemoUI/app.manifest
@@ -11,18 +11,8 @@
 
   <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
     <application>
-      <!-- Windows 7 -->
-      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
-
-      <!-- Windows 8 -->
-      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />
-
-      <!-- Windows 8.1 -->
-      <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />
-
-      <!-- Windows 10 -->
+      <!-- Windows 10 and 11 -->
       <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />
-
     </application>
   </compatibility>
 
diff --git a/installer/build.bat b/installer/build.bat
@@ -32,10 +32,10 @@ if exist .deps\prepared goto :build
 
 :build
 	if exist ..\sign.bat call ..\sign.bat
-	set PATH=%BUILDDIR%..\.deps\llvm-mingw\bin;%PATH%
+	set PATH=%BUILDDIR%..\.deps\bin;%PATH%
 	set WIX=%BUILDDIR%.deps\wix\
-	set CFLAGS=-O3 -Wall -std=gnu11 -DWINVER=0x0601 -D_WIN32_WINNT=0x0601 -municode -DUNICODE -D_UNICODE -DNDEBUG
-	set LDFLAGS=-shared -s -Wl,--kill-at -Wl,--major-os-version=6 -Wl,--minor-os-version=1 -Wl,--major-subsystem-version=6 -Wl,--minor-subsystem-version=1 -Wl,--tsaware -Wl,--dynamicbase -Wl,--nxcompat -Wl,--export-all-symbols
+	set CFLAGS=-O3 -Wall -std=gnu11 -DWINVER=0x0A00 -D_WIN32_WINNT=0x0A00 -municode -DUNICODE -D_UNICODE -DNDEBUG
+	set LDFLAGS=-shared -s -Wl,--kill-at -Wl,--major-os-version=10 -Wl,--minor-os-version=0 -Wl,--major-subsystem-version=10 -Wl,--minor-subsystem-version=0 -Wl,--tsaware -Wl,--dynamicbase -Wl,--nxcompat -Wl,--export-all-symbols
 	set LDLIBS=-lmsi -lole32 -lshlwapi -lshell32 -luuid -lntdll
 	call :msi x86 i686 x86 || goto :error
 	call :msi amd64 x86_64 x64 || goto :error
diff --git a/installer/customactions.c b/installer/customactions.c
@@ -14,6 +14,22 @@
 #include <stdbool.h>
 #include <tchar.h>
 
+/*
+ * This here is a bit of a hack. We're compiling with subsystem=10.0 in the PE
+ * header, and so the Windows loader expects to see either
+ * _load_config.SecurityCookie set to the initial magic value, or for
+ * IMAGE_GUARD_SECURITY_COOKIE_UNUSED to be set. libssp doesn't use
+ * SecurityCookie anyway; SecurityCookie is for MSVC's /GS protection. So it
+ * seems like the proper thing to do is signal to the OS that it doesn't need
+ * to initialize SecurityCookie.
+ */
+
+#define IMAGE_GUARD_SECURITY_COOKIE_UNUSED 0x00000800
+const IMAGE_LOAD_CONFIG_DIRECTORY _load_config_used = {
+	.Size = sizeof(_load_config_used),
+	.GuardFlags = IMAGE_GUARD_SECURITY_COOKIE_UNUSED
+};
+
 #define MANAGER_SERVICE_NAME TEXT("WireGuardManager")
 #define TUNNEL_SERVICE_PREFIX TEXT("WireGuardTunnel$")
 
@@ -82,6 +98,23 @@ static void log_errorf(MSIHANDLE installer, enum log_level level, DWORD error_co
 	LocalFree(system_message);
 }
 
+extern NTAPI __declspec(dllimport) void RtlGetNtVersionNumbers(DWORD *MajorVersion, DWORD *MinorVersion, DWORD *BuildNumber);
+
+__declspec(dllexport) UINT __stdcall CheckWinVer(MSIHANDLE installer)
+{
+	bool is_com_initialized;
+	DWORD maj;
+
+	RtlGetNtVersionNumbers(&maj, NULL, NULL);
+	if (maj >= 10)
+		return ERROR_SUCCESS;
+	is_com_initialized = SUCCEEDED(CoInitialize(NULL));
+	log_messagef(installer, LOG_LEVEL_MSIERR, TEXT("WireGuard requires Windows ≥10."));
+	if (is_com_initialized)
+		CoUninitialize();
+	return ERROR_INSTALL_FAILURE;
+}
+
 __declspec(dllexport) UINT __stdcall CheckWow64(MSIHANDLE installer)
 {
 	UINT ret = ERROR_SUCCESS;
diff --git a/installer/fetcher/Makefile b/installer/fetcher/Makefile
@@ -6,12 +6,12 @@ CFLAGS ?= -Os
 DEPLOYMENT_HOST ?= winvm
 DEPLOYMENT_PATH ?= Desktop
 
-CFLAGS += -std=gnu11 -DWINVER=0x0601 -D_WIN32_WINNT=0x0601 -flto
+CFLAGS += -std=gnu11 -DWINVER=0x0A00 -D_WIN32_WINNT=0x0A00 -flto
 CFLAGS += -Wall -Wextra
 CFLAGS += -MMD -MP
 LDLIBS += -lkernel32 -lwinhttp -lntdll -lshlwapi -lmsi -lcomctl32 -luser32 -lshell32 -lwintrust -lbcrypt
 LDFLAGS += -s -flto -Wl,--dynamicbase -Wl,--nxcompat -Wl,--tsaware -mwindows
-LDFLAGS += -Wl,--major-os-version=6 -Wl,--minor-os-version=1 -Wl,--major-subsystem-version=6 -Wl,--minor-subsystem-version=1
+LDFLAGS += -Wl,--major-os-version=10 -Wl,--minor-os-version=0 -Wl,--major-subsystem-version=10 -Wl,--minor-subsystem-version=0
 # The use of -Wl,/delayload: here implies we're using llvm-mingw
 LDFLAGS += -Wl,/delayload:winhttp.dll -Wl,/delayload:msi.dll -Wl,/delayload:wintrust.dll -Wl,/delayload:advapi32.dll -Wl,/delayload:shell32.dll -Wl,/delayload:shlwapi.dll -Wl,/delayload:gdi32.dll -Wl,/delayload:user32.dll -Wl,/delayload:comctl32.dll -Wl,/delayload:bcrypt.dll
 TARGET := wireguard-installer.exe
diff --git a/installer/fetcher/fetcher.c b/installer/fetcher/fetcher.c
@@ -111,15 +111,11 @@ static DWORD __stdcall download_thread(void *param)
 		goto out;
 
 	set_status(progress, "connecting to server");
-	session = WinHttpOpen(L(useragent()), is_win7() ? WINHTTP_ACCESS_TYPE_DEFAULT_PROXY : WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY, NULL, NULL, 0);
+	session = WinHttpOpen(L(useragent()), WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY, NULL, NULL, 0);
 	if (!session)
 		goto out;
-	WinHttpSetOption(session, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, &enable_http2, sizeof(enable_http2)); // Don't check return value, in case of old Windows
-	if (is_win8dotzero_or_below()) {
-		DWORD enable_tls12 = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
-		if (!WinHttpSetOption(session, WINHTTP_OPTION_SECURE_PROTOCOLS, &enable_tls12, sizeof(enable_tls12)))
-			goto out;
-	}
+	if (!WinHttpSetOption(session, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, &enable_http2, sizeof(enable_http2)))
+		goto out;
 
 	connection = WinHttpConnect(session, L(server), port, 0);
 	if (!connection)
diff --git a/installer/fetcher/load_config.c b/installer/fetcher/load_config.c
@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2020-2026 Jason A. Donenfeld. All Rights Reserved.
+ *
+ * This here is a bit of a hack. We're compiling with subsystem=10.0 in the PE
+ * header, and so the Windows loader expects to see either
+ * _load_config.SecurityCookie set to the initial magic value, or for
+ * IMAGE_GUARD_SECURITY_COOKIE_UNUSED to be set. libssp doesn't use
+ * SecurityCookie anyway; SecurityCookie is for MSVC's /GS protection. So it
+ * seems like the proper thing to do is signal to the OS that it doesn't need
+ * to initialize SecurityCookie.
+ */
+
+#include <windows.h>
+
+#define IMAGE_GUARD_SECURITY_COOKIE_UNUSED 0x00000800
+const IMAGE_LOAD_CONFIG_DIRECTORY _load_config_used = {
+	.Size = sizeof(_load_config_used),
+	.GuardFlags = IMAGE_GUARD_SECURITY_COOKIE_UNUSED
+};
diff --git a/installer/fetcher/manifest.xml b/installer/fetcher/manifest.xml
@@ -3,14 +3,8 @@
     <assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="wireguard-installer" type="win32" />
     <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
         <application>
-            <!-- Windows 10 -->
+            <!-- Windows 10 and 11 -->
             <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />
-            <!-- Windows 8.1 -->
-            <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />
-            <!-- Windows 8 -->
-            <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />
-            <!-- Windows 7 -->
-            <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
         </application>
     </compatibility>
     <dependency>
diff --git a/installer/fetcher/systeminfo.c b/installer/fetcher/systeminfo.c
@@ -58,17 +58,3 @@ const char *useragent(void)
 	_snprintf_s(useragent, sizeof(useragent), _TRUNCATE, "WireGuard-Fetcher/" VERSION_STR " (Windows %lu.%lu.%lu; %s)", maj, min, build & 0xffff, architecture());
 	return useragent;
 }
-
-bool is_win7(void)
-{
-	DWORD maj, min, build;
-	RtlGetNtVersionNumbers(&maj, &min, &build);
-	return maj == 6 && min == 1;
-}
-
-bool is_win8dotzero_or_below(void)
-{
-	DWORD maj, min, build;
-	RtlGetNtVersionNumbers(&maj, &min, &build);
-	return maj == 6 && min <= 2;
-}
diff --git a/installer/fetcher/systeminfo.h b/installer/fetcher/systeminfo.h
@@ -10,7 +10,5 @@
 
 const char *architecture(void);
 const char *useragent(void);
-bool is_win7(void);
-bool is_win8dotzero_or_below(void);
 
 #endif
diff --git a/installer/wireguard.wxs b/installer/wireguard.wxs
@@ -93,6 +93,14 @@
 			<ComponentGroupRef Id="WireGuardComponents" />
 		</Feature>
 
+		<!--
+			Abort early if running under old Windows
+		-->
+		<CustomAction Id="CheckWinVer" BinaryKey="customactions.dll" DllEntry="CheckWinVer" />
+		<InstallExecuteSequence>
+			<Custom Action="CheckWinVer" After="FindRelatedProducts">NOT REMOVE</Custom>
+		</InstallExecuteSequence>
+
 		<!--
 			Abort early if running under Wow64
 		-->
diff --git a/manager/tunneltracker.go b/manager/tunneltracker.go
@@ -6,7 +6,6 @@
 package manager
 
 import (
-	"errors"
 	"fmt"
 	"log"
 	"runtime"
@@ -115,63 +114,19 @@ func trackService(service *mgr.Service, callback func(status uint32) bool) error
 	state := &serviceSubscriptionState{service: service, cb: callback}
 	state.done.Add(1)
 	err := windows.SubscribeServiceChangeNotifications(service.Handle, windows.SC_EVENT_STATUS_CHANGE, serviceSubscriptionCallbackPtr, uintptr(unsafe.Pointer(state)), &subscription)
-	if err == nil {
-		defer windows.UnsubscribeServiceChangeNotifications(subscription)
-		status, err := service.Query()
-		if err == nil {
-			if callback(svcStateToNotifyState(uint32(status.State))) {
-				return nil
-			}
-		}
-		state.done.Wait()
-		runtime.KeepAlive(state.cb)
-		return nil
-	}
-	if !errors.Is(err, windows.ERROR_PROC_NOT_FOUND) {
+	if err != nil {
 		return err
 	}
-
-	// TODO: Below this line is Windows 7 compatibility code, which hopefully we can delete at some point.
-
-	runtime.LockOSThread()
-	// This line would be fitting but is intentionally commented out:
-	//
-	//     defer runtime.UnlockOSThread()
-	//
-	// The reason is that NotifyServiceStatusChange used queued APC, which winds up messing
-	// with the thread local context, which in turn appears to corrupt Go's own usage of TLS,
-	// leading to crashes sometime later (usually in runtime_unlock()) when the thread is recycled.
-
-	const serviceNotifications = windows.SERVICE_NOTIFY_RUNNING | windows.SERVICE_NOTIFY_START_PENDING | windows.SERVICE_NOTIFY_STOP_PENDING | windows.SERVICE_NOTIFY_STOPPED | windows.SERVICE_NOTIFY_DELETE_PENDING
-	notifier := &windows.SERVICE_NOTIFY{
-		Version:        windows.SERVICE_NOTIFY_STATUS_CHANGE,
-		NotifyCallback: serviceTrackerCallbackPtr,
-	}
-	for {
-		err := windows.NotifyServiceStatusChange(service.Handle, serviceNotifications, notifier)
-		switch err {
-		case nil:
-			for {
-				if windows.SleepEx(uint32(time.Second*3/time.Millisecond), true) == windows.WAIT_IO_COMPLETION {
-					break
-				} else if callback(0) {
-					return nil
-				}
-			}
-		case windows.ERROR_SERVICE_MARKED_FOR_DELETE:
-			// Should be SERVICE_NOTIFY_DELETE_PENDING, but actually, we must release the handle and return here; otherwise it never deletes.
-			if callback(windows.SERVICE_NOTIFY_DELETED) {
-				return nil
-			}
-		case windows.ERROR_SERVICE_NOTIFY_CLIENT_LAGGING:
-			continue
-		default:
-			return err
-		}
-		if callback(svcStateToNotifyState(notifier.ServiceStatus.CurrentState)) {
+	defer windows.UnsubscribeServiceChangeNotifications(subscription)
+	status, err := service.Query()
+	if err == nil {
+		if callback(svcStateToNotifyState(uint32(status.State))) {
 			return nil
 		}
 	}
+	state.done.Wait()
+	runtime.KeepAlive(state.cb)
+	return nil
 }
 
 func trackTunnelService(tunnelName string, service *mgr.Service) {
@@ -305,39 +260,11 @@ func watchNewTunnelServices() error {
 	}
 	var subscription uintptr
 	err = windows.SubscribeServiceChangeNotifications(m.Handle, windows.SC_EVENT_DATABASE_CHANGE, servicesSubscriptionWatcherCallbackPtr, 0, &subscription)
-	if err == nil {
-		// We probably could do:
-		//     defer windows.UnsubscribeServiceChangeNotifications(subscription)
-		// and then terminate after some point, but instead we just let this go forever; it's process-lived.
-		return trackExistingTunnels()
-	}
-	if !errors.Is(err, windows.ERROR_PROC_NOT_FOUND) {
+	if err != nil {
 		return err
 	}
-
-	// TODO: Below this line is Windows 7 compatibility code, which hopefully we can delete at some point.
-	go func() {
-		runtime.LockOSThread()
-		notifier := &windows.SERVICE_NOTIFY{
-			Version:        windows.SERVICE_NOTIFY_STATUS_CHANGE,
-			NotifyCallback: serviceTrackerCallbackPtr,
-		}
-		for {
-			err := windows.NotifyServiceStatusChange(m.Handle, windows.SERVICE_NOTIFY_CREATED, notifier)
-			if err == nil {
-				windows.SleepEx(windows.INFINITE, true)
-				if notifier.ServiceNames != nil {
-					windows.LocalFree(windows.Handle(unsafe.Pointer(notifier.ServiceNames)))
-					notifier.ServiceNames = nil
-				}
-				trackExistingTunnels()
-			} else if err == windows.ERROR_SERVICE_NOTIFY_CLIENT_LAGGING {
-				continue
-			} else {
-				time.Sleep(time.Second * 3)
-				trackExistingTunnels()
-			}
-		}
-	}()
+	// We probably could do:
+	//     defer windows.UnsubscribeServiceChangeNotifications(subscription)
+	// and then terminate after some point, but instead we just let this go forever; it's process-lived.
 	return trackExistingTunnels()
 }
diff --git a/manifest.xml b/manifest.xml
@@ -3,14 +3,8 @@
     <assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="wireguard" type="win32" />
     <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
         <application>
-            <!-- Windows 10 -->
+            <!-- Windows 10 and 11 -->
             <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />
-            <!-- Windows 8.1 -->
-            <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />
-            <!-- Windows 8 -->
-            <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />
-            <!-- Windows 7 -->
-            <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
         </application>
     </compatibility>
     <dependency>
diff --git a/services/boot.go b/services/boot.go
diff --git a/tunnel/firewall/rules.go b/tunnel/firewall/rules.go
diff --git a/updater/winhttp/winhttp.go b/updater/winhttp/winhttp.go
