diff --git a/.gitea/workflows/build-windows.yml b/.gitea/workflows/build-windows.yml
index 7f01035cb..7ead94974 100644
--- a/.gitea/workflows/build-windows.yml
+++ b/.gitea/workflows/build-windows.yml
@@ -4,11 +4,6 @@ on:
   push:
     branches: [pro-features]
   workflow_dispatch:
-    inputs:
-      build-msi:
-        description: "Also build MSI installer"
-        type: boolean
-        default: false
 
 env:
   RUST_VERSION: "1.75"
@@ -36,7 +31,7 @@ jobs:
       - name: Verify host toolchain
         shell: pwsh
         run: |
-          $required = 'node','pwsh','git','bash','python','rustc','cargo','rustup','clang','flutter','nuget','cmake','ninja'
+          $required = 'node','pwsh','git','bash','python','rustc','cargo','rustup','clang','flutter','nuget','cmake','ninja','dotnet'
           $missing = @()
           foreach ($tool in $required) {
             $cmd = Get-Command $tool -ErrorAction SilentlyContinue
@@ -146,19 +141,64 @@ jobs:
           mv ./target/release/rustdesk-portable-packer.exe "./SignOutput/rustdesk-${VERSION}-x86_64.exe"
 
       - name: Build MSI installer
-        if: ${{ inputs.build-msi == true }}
         shell: pwsh
         run: |
           Push-Location .\res\msi
           python preprocess.py --arp -d ..\..\rustdesk
-          # vswhere finds VS install; use it to locate MSBuild
+
+          # Resolve MSBuild from the installed VS Build Tools.
           $vswhere = "${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer\vswhere.exe"
-          $msbuild = & $vswhere -latest -requires Microsoft.Component.MSBuild -find "MSBuild\**\Bin\MSBuild.exe" | Select-Object -First 1
+          $msbuild = & $vswhere -latest -requires Microsoft.Component.MSBuild `
+              -find "MSBuild\**\Bin\MSBuild.exe" | Select-Object -First 1
+          if (-not $msbuild) { throw "MSBuild not found via vswhere" }
+
+          # Two-stage restore covers both project flavors in this solution:
+          #   - CustomActions.vcxproj uses old-style packages.config -> nuget restore
+          #   - Package.wixproj is SDK-style PackageReference -> msbuild -t:Restore
           nuget restore msi.sln
+          & $msbuild msi.sln -t:Restore -p:Configuration=Release -p:Platform=x64
+          if ($LASTEXITCODE -ne 0) { throw "MSBuild restore failed ($LASTEXITCODE)" }
+
           & $msbuild msi.sln -p:Configuration=Release -p:Platform=x64 /p:TargetVersion=Windows10
+          if ($LASTEXITCODE -ne 0) { throw "MSBuild build failed ($LASTEXITCODE)" }
+
           Move-Item -Force .\Package\bin\x64\Release\en-us\Package.msi "..\..\SignOutput\rustdesk-${env:VERSION}-x86_64.msi"
           Pop-Location
 
+      - name: Report signing status of build artifacts
+        shell: pwsh
+        run: |
+          $artifacts = Get-ChildItem .\SignOutput -Include *.exe,*.msi -File
+          if (-not $artifacts) {
+            Write-Warning "No artifacts found in SignOutput\"
+            return
+          }
+
+          $unsigned = @()
+          foreach ($f in $artifacts) {
+            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
+            $size = '{0,8:N0}' -f $f.Length
+            switch ($sig.Status) {
+              'Valid' {
+                Write-Host ("[ SIGNED ] {0}  ({1} bytes) signed by: {2}" -f $f.Name, $size, $sig.SignerCertificate.Subject)
+              }
+              'NotSigned' {
+                Write-Host ("[UNSIGNED] {0}  ({1} bytes)" -f $f.Name, $size)
+                $unsigned += $f.Name
+              }
+              default {
+                Write-Host ("[ {0,-7} ] {1}  ({2} bytes) -- {3}" -f $sig.Status, $f.Name, $size, $sig.StatusMessage)
+                $unsigned += $f.Name
+              }
+            }
+          }
+
+          if ($unsigned.Count -gt 0) {
+            # Render a Gitea/GHA-style annotation so it shows up prominently in the run summary.
+            $list = $unsigned -join ', '
+            Write-Host "::warning title=Unsigned artifacts::$list -- SmartScreen will warn end users. Wire up signing before distributing."
+          }
+
       - name: Upload artifacts
         uses: actions/upload-artifact@v3
         with:
diff --git a/ci/runners/windows/provision.ps1 b/ci/runners/windows/provision.ps1
index b3e9c8b20..a9004c1ee 100644
--- a/ci/runners/windows/provision.ps1
+++ b/ci/runners/windows/provision.ps1
@@ -47,14 +47,18 @@ if (-not (Get-Command choco -ErrorAction SilentlyContinue)) {
 }
 
 Write-Host '==> Installing base packages'
-# nodejs-lts: act_runner needs node to execute JavaScript actions.
-# powershell-core: workflows commonly use `shell: pwsh` (PS 7), not the OS's PS 5.1.
-choco install -y --no-progress git python311 nuget.commandline 7zip cmake ninja nodejs-lts powershell-core
+# nodejs-lts:     act_runner needs node to execute JavaScript actions.
+# powershell-core: workflows use `shell: pwsh` (PS 7), not the OS's PS 5.1.
+# dotnet-sdk:     required for WiX 4 SDK-style projects (.wixproj) used by the MSI build.
+choco install -y --no-progress `
+    git python311 nuget.commandline 7zip cmake ninja `
+    nodejs-lts powershell-core dotnet-sdk
 Add-MachinePath 'C:\Program Files\Git\cmd'
 Add-MachinePath 'C:\Python311'
 Add-MachinePath 'C:\Python311\Scripts'
 Add-MachinePath 'C:\Program Files\nodejs'
 Add-MachinePath 'C:\Program Files\PowerShell\7'
+Add-MachinePath 'C:\Program Files\dotnet'
 
 # --- 2. Visual Studio 2022 Build Tools (MSVC v143 + Win10 SDK) ---
 $vsInstaller = "$env:ProgramFiles(x86)\Microsoft Visual Studio\Installer\vswhere.exe"