diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index ad940d93c..c1f0f7679 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -25,7 +25,8 @@ env:
   JAVA_VERSION: '24.0.1+9'
   OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/24.0.1/openjfx-24.0.1_windows-x64_bin-jmods.zip'
   OPENJFX_JMODS_AMD64_HASH: 'f13d17c7caf88654fc835f1b4e75a9b0f34a888eb8abef381796c0002e63b03f'
-  WINFSP_MSI: 'https://github.com/winfsp/winfsp/releases/download/v2.0/winfsp-2.0.23075.msi'
+  WINFSP_MSI: 'https://github.com/winfsp/winfsp/releases/download/v2.1/winfsp-2.1.25156.msi'
+  WINFSP_MSI_HASH: '073a70e00f77423e34bed98b86e600def93393ba5822204fac57a29324db9f7a'
   WINFSP_UNINSTALLER: 'https://github.com/cryptomator/winfsp-uninstaller/releases/latest/download/winfsp-uninstaller.exe'
 
 defaults:
@@ -312,7 +313,13 @@ jobs:
         shell: pwsh
       - name: Download WinFsp
         run: |
-          curl --output dist/win/bundle/resources/winfsp.msi -L ${{ env.WINFSP_MSI }}
+          curl --output $env:WINFSP_PATH -L ${{ env.WINFSP_MSI }}
+          $computedHash = (Get-FileHash -Path $env:WINFSP_PATH -Algorithm SHA256).Hash.ToLower()
+          if ($computedHash -ne "${{ env.WINFSP_MSI_HASH }}") {
+            throw "Checksum mismatch for $env:WINFSP_PATH (expected ${{ env.WINFSP_MSI_HASH }}, got $computedHash)."
+          }
+        env:
+          WINFSP_PATH: 'dist/win/bundle/resources/winfsp.msi'
         shell: pwsh
       - name: Download Legacy-WinFsp uninstaller
         run: |
diff --git a/dist/win/build.ps1 b/dist/win/build.ps1
index 447b5fd67..ce19ee6a8 100644
--- a/dist/win/build.ps1
+++ b/dist/win/build.ps1
@@ -208,9 +208,19 @@ if ($LASTEXITCODE -ne 0) {
  "-Dlicense.licenseMergesUrl=file:///$buildDir/../../license/merges"
 
 # download Winfsp
-$winfspMsiUrl= 'https://github.com/winfsp/winfsp/releases/download/v2.0/winfsp-2.0.23075.msi'
+$winfspMsiUrl= 'https://github.com/winfsp/winfsp/releases/download/v2.1/winfsp-2.1.25156.msi'
+$winfspMsiHash = '073A70E00F77423E34BED98B86E600DEF93393BA5822204FAC57A29324DB9F7A'
 Write-Output "Downloading ${winfspMsiUrl}..."
 Invoke-WebRequest $winfspMsiUrl -OutFile ".\bundle\resources\winfsp.msi" # redirects are followed by default
+$computedHash = $(Get-FileHash -Path '.\bundle\resources\winfsp.msi' -Algorithm SHA256).Hash
+if (! $computedHash.Equals($winfspMsiHash)) {
+	Write-Error -Category InvalidData -CategoryActivity "Data integrity check failed" -Message @"
+	Downloaded Winfsp Installer does not match stored SHA256 checksum.
+	Expected: $winfspMsiHash
+	Actual:   $computedHash
+"@
+	exit 1
+}
 
 # download legacy-winfsp uninstaller
 $winfspUninstaller= 'https://github.com/cryptomator/winfsp-uninstaller/releases/latest/download/winfsp-uninstaller.exe'