🟠 High   ⏱ 5–30 min  Last verified: 04 June 2027
Affected versions: Windows Server 2012 R2

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution β€” Primary Fix
  7. Solution β€” Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

winget install fails on Windows Server 2012 R2 with a package signature verification error, blocking automated provisioning of admin tools.

Environment & Reproduction

Occurs when winget client retrieves a manifest whose installer hash or signing certificate cannot be validated against the source.

winget install --id Microsoft.PowerShell
winget source list

Root Cause Analysis

The downloaded installer was modified, signed by an untrusted CA, or the source index is stale and references an outdated hash.

Quick Triage

Inspect winget version, sources, and recent logs to locate validation failure.

winget --info
winget source update

Step-by-Step Diagnosis

Pull diagnostic logs and re-test installation with verbose output.

winget install --id Microsoft.PowerShell --verbose-logs
Get-ChildItem $env:LOCALAPPDATAPackagesMicrosoft.DesktopAppInstaller_*LocalStateDiagOutputDir
Illustrative mockup for windows-server-2012-r2 β€” terminal_or_powershell
Diagnostic output for packaging/winget-signature β€” Illustrative mockup β€” Progressive Robot

Solution β€” Primary Fix

Reset the winget source, accept current source agreements, and reinstall with a trusted hash override only as a temporary measure.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

winget source reset --force
winget source update
winget install --id Microsoft.PowerShell --accept-package-agreements --accept-source-agreements
Illustrative mockup for windows-server-2012-r2 β€” error_dialog
Resolution for packaging/winget-signature β€” Illustrative mockup β€” Progressive Robot

Solution β€” Alternative Approaches

Download MSI directly from the vendor and install via msiexec with verified signature.

msiexec /i PowerShell-7.x-win-x64.msi /qn /norestart

Verification & Acceptance Criteria

winget shows package installed and signature trust is restored without warnings.

winget list Microsoft.PowerShell
pwsh -v

Rollback Plan

Uninstall the package and pin earlier known-good version if the new release is unstable.

winget uninstall Microsoft.PowerShell

Prevention & Hardening

Cache approved installers internally and enforce signature validation through software restriction policies.

Get-AuthenticodeSignature .PowerShell-7.x-win-x64.msi

Related: SmartScreen reputation block, expired code-signing certificates, and proxy SSL inspection breaking package downloads.

Related tutorial: View the step-by-step tutorial for Windows Server 2012 R2.

View all Windows Server 2012 R2 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn documentation for winget client, package manifests, and Windows app installer troubleshooting.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.