diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml index a574a28f01..d47b3645e5 100644 --- a/.github/workflows/release-windows.yml +++ b/.github/workflows/release-windows.yml @@ -100,21 +100,6 @@ jobs: with: arch: ${{ matrix.host }} - - name: Import code signing certificate - shell: powershell - # If this is run on a fork, there may not be a certificate set up - continue in this case - continue-on-error: true - run: | - $tempFile = [System.IO.Path]::GetTempFileName() - $bytes = [System.Convert]::FromBase64String($env:WINDOWS_CERTIFICATE_P12) - [IO.File]::WriteAllBytes($tempFile, $bytes) - $pwd = ConvertTo-SecureString $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force - Import-PfxCertificate -FilePath $tempFile -CertStoreLocation Cert:\CurrentUser\My -Password $pwd - Remove-Item $tempFile - env: - WINDOWS_CERTIFICATE_P12: ${{ secrets.WINDOWS_CERTIFICATE_P12 }} - WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }} - - name: Build (with installer) if: inputs.is_tag == 'true' shell: bash @@ -131,7 +116,6 @@ jobs: -DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \ -DCMAKE_BUILD_TYPE=RelWithDebInfo \ -DOPTION_SURVEY_KEY=${{ inputs.survey_key }} \ - -DWINDOWS_CERTIFICATE_COMMON_NAME="${WINDOWS_CERTIFICATE_COMMON_NAME}" \ # EOF echo "::endgroup::" @@ -139,7 +123,12 @@ jobs: cmake --build . --target openttd echo "::endgroup::" env: - WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + AZURE_CODESIGN_ACCOUNT_NAME: ${{ secrets.AZURE_CODESIGN_ACCOUNT_NAME }} + AZURE_CODESIGN_ENDPOINT: ${{ secrets.AZURE_CODESIGN_ENDPOINT }} + AZURE_CODESIGN_PROFILE_NAME: ${{ secrets.AZURE_CODESIGN_PROFILE_NAME }} - name: Build (without installer) if: inputs.is_tag != 'true' 
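Review bot: The `env:` block on `Build (with installer)` hands `AZURE_CLIENT_SECRET` — a long-lived credential that can sign binaries as the project — to the entire CMake configure and build process tree, not only to the POST_BUILD signing command that consumes it, so any compiler, generator or custom command run in that step can read it. If the AzureCodeSigning module's credential chain supports it, signing in with a federated (OIDC) identity via `azure/login` and `permissions: id-token: write` would remove the stored secret altogether; otherwise confirm the service principal holds only the signer role on this one certificate profile. A comment on the block, `# Read by os/windows/sign_azure.ps1 from the POST_BUILD signing command; the client secret is visible to the whole build step.`, would make that exposure explicit to the next editor. The `run:` block these variables feed begins before the hunk.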
@@ -156,7 +145,6 @@ jobs: -DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \ -DCMAKE_BUILD_TYPE=RelWithDebInfo \ -DOPTION_SURVEY_KEY=${{ inputs.survey_key }} \ - -DWINDOWS_CERTIFICATE_COMMON_NAME="${WINDOWS_CERTIFICATE_COMMON_NAME}" \ # EOF echo "::endgroup::" @@ -164,7 +152,12 @@ jobs: cmake --build . --target openttd echo "::endgroup::" env: - WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + AZURE_CODESIGN_ACCOUNT_NAME: ${{ secrets.AZURE_CODESIGN_ACCOUNT_NAME }} + AZURE_CODESIGN_ENDPOINT: ${{ secrets.AZURE_CODESIGN_ENDPOINT }} + AZURE_CODESIGN_PROFILE_NAME: ${{ secrets.AZURE_CODESIGN_PROFILE_NAME }} - name: Create breakpad symbols shell: bash @@ -198,13 +191,15 @@ jobs: - name: Sign installer if: inputs.is_tag == 'true' shell: bash - # If this is run on a fork, there may not be a certificate set up - continue in this case - continue-on-error: true run: | - cd ${GITHUB_WORKSPACE}/build/bundles - ../../os/windows/sign.bat *.exe "${WINDOWS_CERTIFICATE_COMMON_NAME}" + ${GITHUB_WORKSPACE}/os/windows/sign.bat "${GITHUB_WORKSPACE}/build/bundles" env: - WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + AZURE_CODESIGN_ACCOUNT_NAME: ${{ secrets.AZURE_CODESIGN_ACCOUNT_NAME }} + AZURE_CODESIGN_ENDPOINT: ${{ secrets.AZURE_CODESIGN_ENDPOINT }} + AZURE_CODESIGN_PROFILE_NAME: ${{ secrets.AZURE_CODESIGN_PROFILE_NAME }} - name: Store bundles uses: actions/upload-artifact@v4 diff --git a/cmake/InstallAndPackage.cmake b/cmake/InstallAndPackage.cmake index 9c9071fd00..feb0004d85 100644 --- a/cmake/InstallAndPackage.cmake +++ b/cmake/InstallAndPackage.cmake 
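Review bot: The six-entry `env:` block on `Build (without installer)` is the same list copied onto both build steps and the installer signing step, and three copies will drift the first time a variable is renamed or a seventh is added. Hoisting the list once to the job's `env:` keeps the steps in sync and, as a side benefit, exposes the values to step-level `if:` expressions through the `env` context (the `secrets` context is not usable there), which would allow skipping the signing step outright on forks instead of relying on the script's silent exit. The `run:` block this `env:` belongs to starts before the hunk.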
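Review bot: Removing `continue-on-error` from `Sign installer` does not by itself make an unsigned release fail: `sign_azure.ps1` prints a message and exits 0 when its variables are absent, so a tag build in the upstream repository with a missing or rotated secret would upload unsigned installers with a green check. A verification step after signing that fails on any bundle whose Authenticode status is not `Valid` closes that gap; gate it to non-fork runs so forks keep building (`github.event.repository.fork` is usable where the triggering event carries a repository payload — worth confirming for every caller of this workflow). The quoting of `"${GITHUB_WORKSPACE}/build/bundles"` should stay as written — on a Windows runner this is presumably a backslash path handed from bash to a `.bat`, and an unquoted form would break on spaces.
```yaml
      # … unchanged: Sign installer step …
      - name: Verify signatures
        if: inputs.is_tag == 'true' && github.event.repository.fork == false
        shell: pwsh
        run: |
          $unsigned = @(Get-ChildItem "$env:GITHUB_WORKSPACE/build/bundles/*.exe" |
            Get-AuthenticodeSignature | Where-Object Status -ne 'Valid')
          if ($unsigned.Count -gt 0) {
            $unsigned | ForEach-Object { Write-Error "Not validly signed: $($_.Path)" }
            exit 1
          }
```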
@@ -172,10 +172,10 @@ elseif(WIN32) set(CPACK_PACKAGE_FILE_NAME "openttd-#CPACK_PACKAGE_VERSION#-windows-${CPACK_SYSTEM_NAME}") - if(WINDOWS_CERTIFICATE_COMMON_NAME) + if(DEFINED ENV{AZURE_CODESIGN_PROFILE_NAME}) add_custom_command(TARGET openttd POST_BUILD - COMMAND "${CMAKE_SOURCE_DIR}/os/windows/sign.bat" "$" "${WINDOWS_CERTIFICATE_COMMON_NAME}" + COMMAND "${CMAKE_SOURCE_DIR}/os/windows/sign.bat" "${BINARY_DESTINATION_DIR}" ) endif() elseif(UNIX) diff --git a/os/windows/sign.bat b/os/windows/sign.bat index 3954d4618c..b438127ae8 100644 --- a/os/windows/sign.bat +++ b/os/windows/sign.bat @@ -1,18 +1,2 @@ @echo off -REM Signing script -REM Arguments: sign.bat exe_to_sign certificate_subject_name - -REM This is a loose wrapper around the Microsoft signtool application (included in the Windows SDK). -REM See https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe for more details. - -REM Path to signtool.exe -IF NOT DEFINED SIGNTOOL_PATH (SET SIGNTOOL_PATH=signtool) - -REM URL of the timestamp server -IF NOT DEFINED SIGNTOOL_TIMESTAMP_URL (SET SIGNTOOL_TIMESTAMP_URL=http://timestamp.digicert.com) - -REM Sign with SHA-1 for Windows 7 and below -"%SIGNTOOL_PATH%" sign -v -n %2 -t %SIGNTOOL_TIMESTAMP_URL% -fd sha1 %1 - -REM Sign with SHA-256 for Windows 8 and above -"%SIGNTOOL_PATH%" sign -v -n %2 -tr %SIGNTOOL_TIMESTAMP_URL% -fd sha256 -td sha256 -as %1 +pwsh -File "%~dp0sign_azure.ps1" %1 diff --git a/os/windows/sign_azure.ps1 b/os/windows/sign_azure.ps1 new file mode 100644 index 0000000000..e19476fa6d --- /dev/null +++ b/os/windows/sign_azure.ps1 
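Review bot: The POST_BUILD command now passes `BINARY_DESTINATION_DIR`, and the script signs every `.exe` in that folder, where the old command signed one file (the argument rendered here as `"$"`, presumably the `openttd` target output); any other executable that ends up in that directory — a bundled tool, a test binary — would be signed with the project's certificate, and I can't tell from this hunk whether the folder holds anything else, so that is worth confirming. If the pinned module accepts an explicit file list, forwarding `$<TARGET_FILE:openttd>` would keep the old precision. Also, `if(DEFINED ENV{AZURE_CODESIGN_PROFILE_NAME})` is decided at configure time and tests only one of the six variables the script requires; a comment such as `# Configure-time decision: the AZURE_* variables must be in the environment when CMake is run, not only at build time.` would prevent a puzzling "why didn't it sign" later.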
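Review bot: `%1` is forwarded to `pwsh` with whatever quoting the caller used, so a bundles path containing a space works only when the argument arrives already quoted — CMake's custom command does that, but the bash step depends on MSYS's argument conversion; `pwsh -File "%~dp0sign_azure.ps1" "%~1"` strips any quotes and re-adds them unconditionally. Ending the file with `exit /b %ERRORLEVEL%` makes the PowerShell exit status propagate to CMake and the workflow explicitly instead of relying on last-command behaviour. The descriptive header was removed along with the signtool logic; a one-liner like `REM Wrapper for sign_azure.ps1: sign.bat <folder>; credentials come from the AZURE_* environment variables` keeps the entry point self-describing.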
@@ -0,0 +1,40 @@ +# Signing script for Azure Code Signing +# Arguments: sign_azure.ps1 path_to_sign +# +# Environment variables must be set up before use: +# +# AZURE_TENANT_ID +# AZURE_CLIENT_ID +# AZURE_CLIENT_SECRET +# AZURE_CODESIGN_ACCOUNT_NAME +# AZURE_CODESIGN_ENDPOINT +# AZURE_CODESIGN_PROFILE_NAME + +Param +( + # Files folder + [Parameter(Mandatory=$true, Position=0)] + $FilesFolder +) + +if (!$Env:AZURE_CODESIGN_ENDPOINT -or !$Env:AZURE_CODESIGN_ACCOUNT_NAME -or !$Env:AZURE_CODESIGN_PROFILE_NAME -or + !$Env:AZURE_TENANT_ID -or !$Env:AZURE_CLIENT_ID -or !$Env:AZURE_CLIENT_SECRET) +{ + "Code signing variables not found; most likely running in a fork. Skipping signing." + exit +} + +Install-Module -Name AzureCodeSigning -Scope CurrentUser -RequiredVersion 0.3.0 -Force -Repository PSGallery + +$params = @{} + +$params["Endpoint"] = $Env:AZURE_CODESIGN_ENDPOINT +$params["CodeSigningAccountName"] = $Env:AZURE_CODESIGN_ACCOUNT_NAME +$params["CertificateProfileName"] = $Env:AZURE_CODESIGN_PROFILE_NAME +$params["FilesFolder"] = $FilesFolder +$params["FilesFolderFilter"] = "exe" +$params["FileDigest"] = "SHA256" +$params["TimestampRfc3161"] = "http://timestamp.acs.microsoft.com" +$params["TimestampDigest"] = "SHA256" + +Invoke-AzureCodeSigning @params
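Review bot: The guard near the top of the script treats "some variables set" and "none set" identically, printing a message and exiting 0, so a rotated or mistyped secret in the upstream repository silently yields an unsigned release while the job stays green; only the all-absent case plausibly means a fork. Skipping when none are present but failing when the set is incomplete keeps fork builds working and turns misconfiguration into a visible failure. Two related points: nothing sets `$ErrorActionPreference = 'Stop'`, so a non-terminating error from `Invoke-AzureCodeSigning` may leave `pwsh -File` exiting 0; and `Install-Module` pulls the pinned 0.3.0 from PSGallery on every release build, a mutable remote dependency inside the signing path — checking the installed module's Authenticode publisher before importing it, or vendoring it, would harden that.
```powershell
# … unchanged: header comment and Param block …

$ErrorActionPreference = 'Stop'

$required = @('AZURE_CODESIGN_ENDPOINT', 'AZURE_CODESIGN_ACCOUNT_NAME', 'AZURE_CODESIGN_PROFILE_NAME',
              'AZURE_TENANT_ID', 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET')
$missing = @($required | Where-Object { [string]::IsNullOrEmpty([Environment]::GetEnvironmentVariable($_)) })

if ($missing.Count -eq $required.Count)
{
    "Code signing variables not found; most likely running in a fork. Skipping signing."
    exit 0
}
if ($missing.Count -gt 0)
{
    throw "Code signing is partially configured; missing: $($missing -join ', ')"
}

# … unchanged: Install-Module, $params, Invoke-AzureCodeSigning …
```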