A restaurant kiosk in Portugal ground to an unplanned halt on July 1, 2026, when Windows threw up a full-screen security warning refusing to run WinRestKioskWPF.exe. The error, photographed by a diner, declared that Windows “cannot verify the publisher of this app” because the executable lacked a valid digital signature. For the restaurant, it meant no orders could be placed through the self-service terminal until staff intervened.

The incident spotlights the brittle intersection of Windows’ hardened security policies and the real-world reliability demands of locked-down kiosk devices. It also raises uncomfortable questions about how a production application ended up unsigned—or signed with an untrusted certificate—on a machine supposedly configured to trust nothing except explicitly approved publishers.

What Happened: The On-Screen Warning

The photograph shows a classic Windows UAC-style dialog, though rendered in the constrained kiosk environment. The message reads: “Windows cannot verify the publisher of this app. An administrator should check the file to determine if it’s safe to run.” The file name is prominently displayed: WinRestKioskWPF.exe. Below, the buttons “Run” and “Don’t Run” are visible, but the kiosk’s touch interface gave no obvious path to proceed without elevated privileges.

A diner captured the scene and shared it on a Portuguese tech forum, where commenters quickly identified the executable as part of a popular restaurant-management suite often deployed on Windows-based kiosks. The filename suggests a WPF (Windows Presentation Foundation) application handling the restaurant’s ordering front-end. The “Kiosk” suffix indicates it was purpose-built for the locked-down kiosk mode that Windows offers.

Why Windows Blocks Unsigned Apps

Windows’ code-signing checks are not a new feature. Since Windows 8, SmartScreen and later Windows Defender Application Control (WDAC) have enforced varying levels of signature validation. In kiosk mode—especially when configured via Assigned Access or a custom Shell Launcher—administrators normally go further: they whitelist specific signed binaries using AppLocker or WDAC policies. If the policy requires all executables to be signed by a trusted publisher and the certificate of WinRestKioskWPF.exe is missing, expired, or from an untrusted root, Windows will block execution.

Digital signatures serve two main purposes. They verify the identity of the software publisher, and they assure that the code hasn’t been tampered with since signing. For a restaurant kiosk running financial transactions and handling customer data, that integrity guarantee is critical. But when the validation fails on a production device that has been running for months, the root cause is usually one of three things: a certificate that expired silently, a signing chain that broke because of an intermediate CA revocation, or a policy change on the device that inadvertently tightened signature requirements.

The Likely Culprit: Certificate Expiration or Chain Breakage

The most probable explanation is a code-signing certificate that expired just before July 1, 2026. Many software vendors schedule annual or biennial certificate renewals, and a missed renewal could leave a binary unsigned in the eyes of Windows. While the file might still bear a timestamp that proves it was signed while the certificate was valid, some AppLocker or WDAC policies strictly require a currently valid certificate at runtime, ignoring timestamping. Microsoft’s documentation notes that AppLocker can be configured to check the certificate validity at the time of evaluation, not just at signing time.

Another possibility is a change in the CA trust list. Windows updates occasionally deprecate root certificates. If the certificate that signed WinRestKioskWPF.exe chained up to a de-trusted root, all previously trusted signatures would have become invalid overnight. This happened in 2021 when the “DST Root CA X3” expiry broke countless older systems. A similar event in 2026 could have caught the restaurant kiosk off guard.

A third, less likely scenario is that the executable was genuinely unsigned—perhaps because a build script omitted the signing step—and the kiosk previously ran it only because AppLocker or WDAC policy had not been enforced. An automated policy push or a Windows update that enabled stricter default enforcement could then surface the problem.

The Kiosk Mode Angle

Windows kiosk mode is designed to turn a PC into a single-purpose appliance. It runs a single Universal Windows Platform (UWP) app or a Classic Windows application above the lock screen, hiding all other system UI. When configured with Assigned Access, the device boots directly into the kiosk application as soon as a user logs in. If that application fails to launch, the typical fallback is a blank screen or an error dialog that, because of the locked-down shell, cannot be dismissed.

What the restaurant’s photo shows is precisely that failure mode: the unsigned-application warning presents a “Don’t Run” button (which likely does nothing or kicks the user back to the login screen) and a “Run” button that is grayed out or inaccessible without administrator credentials. The kiosk operator, in this case restaurant staff, probably had no way to bypass the warning without calling IT support.

This design tension is well-known among managed-kiosk deployers. To avoid it, best practices include proactive certificate monitoring, using Extended Validation (EV) code-signing certificates (which enjoy higher trust in SmartScreen), and testing policy changes in a sandbox before rolling them out to production. Yet small and medium businesses often lack the IT maturity to stay ahead of these curveballs.

Past Incidents of Code-Signing Kerfuffles

The restaurant kiosk is far from an isolated case. In 2022, a widely used dental practice management software broke across hundreds of offices when its code-signing certificate expired over a weekend. Dentists arrived Monday morning to find their check-in kiosks displaying the same “cannot verify publisher” message. The vendor rushed an emergency patch, but clinics lost hours of productivity.

In 2023, a European railway’s ticket kiosks suffered a four-hour outage after a routine Windows update revoked trust in the certificate used by the kiosk’s passenger-info module. Passengers could not purchase tickets from the machines, and staff had to process sales manually. The operator later revealed that the software vendor had used a certificate from a CA that Microsoft removed from the trusted root program for non-compliance.

The common thread: enterprises and small businesses alike depend on a chain of trust that they do not fully control. A single missed renewal or a CA decision can cascade into operational paralysis.

Mitigations and the Road Ahead

Microsoft offers tools to prevent this class of failure, but they require proactive adoption. Certificate pinning—tying an app to a specific public key—can provide more robust assurance than relying on chain validation. AppLocker’s publisher rule can be set to “Allow any version” while still checking the signature, but administrators must understand the difference between a rule that validates the certificate and one that checks for any signature at all.

WDAC on Windows 11 and Windows 10 21H2+ supports supplemental policies that can be updated via Intune or Group Policy without a reboot. This allows a rapid response when a certificate needs to be replaced. However, many kiosk deployments run older Windows 10 LTSC editions that lack the latest policy management features.

For the restaurant in Portugal, the fix was likely straightforward: an IT technician needed physical or remote access to boot the kiosk in safe mode, disable the AppLocker service (or the WDAC policy), and then replace the executable with a correctly signed version. But the downtime and public embarrassment underscore the fragility of relying on static signing states without continuous monitoring.

The incident may also nudge point-of-sale software vendors toward adopting auto-renewing certificate services such as Microsoft’s Azure Code Signing or third-party certificate lifecycle management tools. As of 2026, such services can automate renewal and timestamping, dramatically reducing the risk of surprise expirations.

What Users and Businesses Should Do

For restaurant chains and retailers deploying Windows kiosks, the lesson is clear. First, map every binary that your kiosk runs and document their certificate expiration dates. Set calendar reminders 30 days before expiry. Second, use WDAC audit mode to simulate enforcement on a test device; this logs violations without blocking, allowing you to catch signing gaps before they hit production. Third, implement a streamlined update mechanism—whether through a mobile device management (MDM) solution or a local admin portal—so that a signed hotfix can be pushed without visiting each terminal.
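The first step above (mapping binaries and their certificate expiry dates) can be scripted with the built-in Get-AuthenticodeSignature cmdlet. The following is an added example, not code from the article or from any kiosk vendor; the folder path C:\KioskApp and the function name Get-KioskSignatureReport are hypothetical.

```powershell
# Added example: inventory Authenticode signatures for every binary under a
# kiosk application folder and flag signer certificates that are missing,
# expired, or inside the reminder window.
param(
    [string]$AppRoot  = 'C:\KioskApp',  # hypothetical path; set to your kiosk app folder
    [int]   $WarnDays = 30              # reminder window suggested in the article
)

function Get-KioskSignatureReport {
    param([string]$Path, [int]$WarnDays)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }
    $now = Get-Date

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll | ForEach-Object {
        $sig         = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert        = $sig.SignerCertificate
        $timestamped = $null -ne $sig.TimeStamperCertificate
        $daysLeft    = if ($cert) { [math]::Floor(($cert.NotAfter - $now).TotalDays) } else { $null }

        # Expiry is checked before Status: a timestamped signature can still
        # report Status 'Valid' after the signer certificate has expired, and
        # that is the case a strict runtime-validity policy would reject.
        $finding = if (-not $cert) { 'UNSIGNED' }
            elseif ($daysLeft -lt 0 -and $timestamped) { 'EXPIRED-CERT (timestamped)' }
            elseif ($daysLeft -lt 0)                   { 'EXPIRED-CERT (no timestamp)' }
            elseif ($sig.Status -ne 'Valid')           { "INVALID ($($sig.Status))" }
            elseif ($daysLeft -le $WarnDays)           { 'EXPIRING' }
            else                                       { 'OK' }

        [pscustomobject]@{
            Finding     = $finding
            DaysLeft    = $daysLeft
            NotAfter    = $cert.NotAfter
            Timestamped = $timestamped
            Subject     = $cert.Subject
            File        = $_.FullName
        }
    }
}

$report = Get-KioskSignatureReport -Path $AppRoot -WarnDays $WarnDays
$report | Sort-Object DaysLeft | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or MDM compliance script raise an alert.
if ($report | Where-Object Finding -ne 'OK') { exit 1 }
```

Run it on a reference image or test device that mirrors production; rows marked "EXPIRED-CERT (timestamped)" are the ones to validate against the actual AppLocker or WDAC policy before the next rollout.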

For independent restaurateurs who bought an off-the-shelf kiosk system, the burden falls on the vendor. Before purchasing, ask how the vendor manages code signing and what happens if a certificate expires. If the answer is vague, walk away. The Portuguese incident is a stark reminder that the sticker price of a kiosk can be dwarfed by the cost of a day’s lost revenue when the screen turns into an immovable warning dialog.

As Windows continues to tighten its default security posture with every major update, the margin for error narrows. Code signing is no longer a nice-to-have; it is a hard requirement for any application that wants to run without user interaction in a kiosk or embedded setting. The days of clicking “Run anyway” are fading fast, and that shift demands a corresponding maturity in software supply-chain practices.

Looking Forward

The photograph from Portugal will likely join the growing gallery of public Windows kiosk failures—airport flight boards stuck in boot loops, digital signage showing BSODs, and now restaurant ordering terminals bricked by a missing signature. Each one pushes the industry toward more resilient design. Expect Microsoft to soon require Hardware-enforced Stack Protection or other mitigations for kiosk apps, further raising the compliance bar.

For now, the lesson is both technical and human: trust, once broken, is hard to rebuild—especially when a hungry customer is tapping on a screen that refuses to take their order.