diff --git a/pipelines/main/launch_signed_jobs.yml.signature b/pipelines/main/launch_signed_jobs.yml.signature index 3a2f3ee7..7e86a8ed 100644 --- a/pipelines/main/launch_signed_jobs.yml.signature +++ b/pipelines/main/launch_signed_jobs.yml.signature @@ -1,3 +1 @@ -Salted__,`jsl@dڇ^A{ 8%)Y -t2t` }BȮriDą* U2S\ -aBSeHss! +Salted__ SY`jWr'&*VMDu-bɖ?+yϭ#ɑcZPp[4vEu \ No newline at end of file +Salted__摏P #~t,oÕ?`rVxZA*Bd;=/! %?bF -+cR$ \ No newline at end of file diff --git a/pipelines/main/platforms/build_windows.arches b/pipelines/main/platforms/build_windows.arches index 9d29e638..254bd425 100644 --- a/pipelines/main/platforms/build_windows.arches +++ b/pipelines/main/platforms/build_windows.arches @@ -1,6 +1,6 @@ # OS TRIPLET ARCH DOCKER_ARCH MAKE_FLAGS TIMEOUT DOCKER_TAG -windows x86_64-w64-mingw32 x86_64 x86_64 VERBOSE=1 . v7.2 -windows i686-w64-mingw32 x86_64 i686 VERBOSE=1 . v7.2 +windows x86_64-w64-mingw32 x86_64 x86_64 VERBOSE=1 . v7.10 +windows i686-w64-mingw32 x86_64 i686 VERBOSE=1 . v7.10 # These special lines allow us to embed default values for the columns above. # Any column without a default mapping here will simply substitute a `.` to the empty string diff --git a/pipelines/main/platforms/upload_windows.arches b/pipelines/main/platforms/upload_windows.arches index dcec3b94..8d6ba613 100644 --- a/pipelines/main/platforms/upload_windows.arches +++ b/pipelines/main/platforms/upload_windows.arches @@ -1,6 +1,6 @@ # OS TRIPLET DOCKER_TAG TIMEOUT -windows x86_64-w64-mingw32 v5.44 . -windows i686-w64-mingw32 v5.44 . +windows x86_64-w64-mingw32 v7.10 . +windows i686-w64-mingw32 v7.10 . # These special lines allow us to embed default values for the columns above. # Any column without a default mapping here will simply substitute a `.` to the empty string diff --git a/pipelines/main/platforms/upload_windows.yml b/pipelines/main/platforms/upload_windows.yml index e85815b7..b83d12a9 100644 --- a/pipelines/main/platforms/upload_windows.yml 
+++ b/pipelines/main/platforms/upload_windows.yml @@ -21,7 +21,9 @@ steps: variables: - AWS_ACCESS_KEY_ID="U2FsdGVkX184v87+NPs3j9r/JoIuOrYt4/Z4wnRdklnY17NP8C8AMZvWYLJfT9t1" - AWS_SECRET_ACCESS_KEY="U2FsdGVkX1+qptnxR/Mo5jZdH8OQfflRPiQBEhjgZIiTpn8KNCJYh/Cb8xxaUWazlcM9ceOlo0InDubL+J8zdg==" - - WINDOWS_CODESIGN_PASSWORD="U2FsdGVkX1+wiqniliFf7YWn1f/Y2rppITsOMvLGgK8n+GYWXWJH+POojLhEwU75" + - AZURE_TENANT_ID="U2FsdGVkX1+c2HbeSTq1c0fEep5riO3+PSQCiovdRT5akVpyy5hC311cXUCUB+A7ivIezAdJ7oz3dt19t60iuw==" + - AZURE_CLIENT_ID="U2FsdGVkX195QeT0ywNdXSa2ctMb9DFXyFVo0zG0/GtZUw95PTycqSZ+qEwXZbRZhGxXjGMVzcP2XZ0f/OuNnQ==" + - AZURE_CLIENT_SECRET="U2FsdGVkX1/905nz82Iy5toukRXEO8QS2etwfFCocofgnpBB62wJRDrWClPCNEX6ICo0jQzgoSbwDr2+C1ETSA==" files: - .buildkite/secrets/tarball_signing.gpg - .buildkite/secrets/windows_codesigning.pfx @@ -42,9 +44,11 @@ steps: # Have to include this for `buildkite-agent` to work: - "BUILDKITE_AGENT_ACCESS_TOKEN" # Have to include these for codesigning and uploading - - "WINDOWS_CODESIGN_PASSWORD" - "AWS_ACCESS_KEY_ID" - "AWS_SECRET_ACCESS_KEY" + - "AZURE_TENANT_ID" + - "AZURE_CLIENT_ID" + - "AZURE_CLIENT_SECRET" # These control where we upload, important when running on julia-buildkite - "S3_BUCKET" - "S3_BUCKET_PREFIX" diff --git a/pipelines/scheduled/coverage/coverage.yml.signature b/pipelines/scheduled/coverage/coverage.yml.signature index f3cd032d..01b4fe27 100644 Binary files a/pipelines/scheduled/coverage/coverage.yml.signature and b/pipelines/scheduled/coverage/coverage.yml.signature differ diff --git a/pipelines/scheduled/launch_signed_jobs.yml.signature b/pipelines/scheduled/launch_signed_jobs.yml.signature index 88250659..cc4a54ec 100644 --- a/pipelines/scheduled/launch_signed_jobs.yml.signature +++ b/pipelines/scheduled/launch_signed_jobs.yml.signature @@ -1 +1 @@ -Salted__9ڃX]8i($tt@t!^B.$(.iYY0"4'(?k]:6ۉS"I= \ No newline at end of file +Salted__=oT#SfBVx UVRuƵiC[Ь3ާ+*JъF# \ No newline at end of file 
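Review bot: `.buildkite/secrets/windows_codesigning.pfx` is still listed under `files:` (a context line of the first hunk) even though the job no longer supplies a password for it: `WINDOWS_CODESIGN_PASSWORD` is removed from both hunks, and utilities/upload_julia.sh in this same commit no longer passes `--certificate` to codesign.sh. Unless some other step still reads the .pfx, it should be dropped from `files:` so a code-signing private key is not decrypted into a job that no longer uses it. The `certificate` shell variable in upload_julia.sh, presumably assigned outside that hunk, would then be dead as well and can go in the same cleanup. The `steps:` entry these hunks belong to starts outside the hunk.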
diff --git a/pipelines/scheduled/launch_upload_jobs.yml.signature b/pipelines/scheduled/launch_upload_jobs.yml.signature index 09af1091..5bb6400f 100644 --- a/pipelines/scheduled/launch_upload_jobs.yml.signature +++ b/pipelines/scheduled/launch_upload_jobs.yml.signature @@ -1 +1 @@ -Salted__*b]#AttkăڟWEEjE/YVYl"T`&8]sYGI@ ^]0Eys \ No newline at end of file +Salted__Z=.܃n-Y p:4^We};~22ͬF7bNNJ]R2^PG{m \ No newline at end of file diff --git a/utilities/upload_julia.sh b/utilities/upload_julia.sh index 0e7343a2..6d5d3bb4 100644 --- a/utilities/upload_julia.sh +++ b/utilities/upload_julia.sh @@ -81,7 +81,7 @@ if [[ "${BUILDKITE_PULL_REQUEST}" == "false" ]]; then /F"${UPLOAD_FILENAME}" \ /O"$(cygpath -w "$(pwd)")" \ /Dsign=true \ - /Smysigntool="bash.exe '${codesign_script}' --certificate='${certificate}' \$f" \ + /Smysigntool="bash.exe '${codesign_script}' \$f" \ "$(cygpath -w "${iss_file}")" # Add the `.exe` to our upload targets @@ -89,7 +89,7 @@ if [[ "${BUILDKITE_PULL_REQUEST}" == "false" ]]; then # Next, directly codesign every executable file in the install dir echo "--- [windows] Codesign everything in the install directory" - "${codesign_script}" --certificate="${certificate}" "${JULIA_INSTALL_DIR}" + "${codesign_script}" "${JULIA_INSTALL_DIR}" echo "--- [windows] Update checksums for stdlib cachefiles" ${JULIA_INSTALL_DIR}/bin/julia .buildkite/utilities/update_stdlib_pkgimage_checksums.jl diff --git a/utilities/windows/codesign.sh b/utilities/windows/codesign.sh index ba703f8e..492b4c85 100644 --- a/utilities/windows/codesign.sh +++ b/utilities/windows/codesign.sh 
@@ -3,14 +3,18 @@ set -euo pipefail
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+DLIB_DEFAULT_PATH='C:\Program Files\TrustedSigning\bin\x64\Azure.CodeSigning.Dlib.dll'
+DLIB_PATH="${DLIB_DEFAULT_PATH}"
+METADATA_JSON_PATH="$(cygpath -w ${SCRIPT_DIR}/codesign_metadata.json)"
+
 usage() {
- echo "Usage: $0 --certificate= --password= "
+ echo "Usage: $0 [--dlib-path=] "
 echo
 echo "Parameter descriptions:"
 echo
- echo " key: A '.pfx' file that contains the codesigning certificate"
- echo
- echo " password: The password to unlock the given '.pfx' file."
+ echo " dlib-path: The path to the Trusted Signing .dlib file (defaults to ${DLIB_DEFAULT_PATH})."
 echo
 echo " target: A file or directory to codesign (must come last!)"
 }
@@ -26,22 +30,13 @@ fi
 while [ "$#" -gt 1 ]; do
 case "${1}" in
- --certificate)
- CERT_PATH="$2"
+ --dlib-path)
+ DLIB_PATH="$2"
 shift
 shift
 ;;
- --certificate=*)
- CERT_PATH="${1#*=}"
- shift
- ;;
- --password)
- CERT_PASSWORD="$2"
- shift
- shift
- ;;
- --password=*)
- CERT_PASSWORD="${1#*=}"
+ --dlib-path=*)
+ DLIB_PATH="${1#*=}"
 shift
 ;;
 *)
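Review bot: `${SCRIPT_DIR}` is unquoted inside the `METADATA_JSON_PATH` command substitution, so a checkout whose path contains a space (common on Windows agents) word-splits and `cygpath -w` is handed two arguments; write it as `METADATA_JSON_PATH="$(cygpath -w "${SCRIPT_DIR}/codesign_metadata.json")"`. Unlike `DLIB_PATH`, the metadata file also gets no existence check before it is passed to `/dmdf` in the signtool call further down, so a missing or misplaced codesign_metadata.json only surfaces as repeated signtool failures across every timestamp server and retry. A guard mirroring the dlib one would be `if [[ ! -f "${METADATA_JSON_PATH}" ]]; then echo "ERROR: No Trusted Signing metadata found at '${METADATA_JSON_PATH}'" >&2; exit 1; fi`, placed next to that check.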
@@ -51,22 +46,25 @@ while [ "$#" -gt 1 ]; do
 ;;
 esac
 done
+DLIB_PATH="$(cygpath -w "${DLIB_PATH}")"
-# We tend to receive this via an environment variable on CI, so as to
-# not print it out when `make` is run in verbose mode
-CERT_PASSWORD="${CERT_PASSWORD:-${WINDOWS_CODESIGN_PASSWORD}}"
+if [[ -z "${AZURE_TENANT_ID:-}" ]] ||
+ [[ -z "${AZURE_CLIENT_ID:-}" ]] ||
+ [[ -z "${AZURE_CLIENT_SECRET:-}" ]]; then
+ echo "ERROR: Missing AZURE_* secret variables!" >&2
+ exit 1
+fi
-if [[ ! -f "${CERT_PATH}" ]]; then
- echo "ERROR: Certificate path '${CERT_PATH}' does not exist!" >&2
+if [[ ! -f "${DLIB_PATH}" ]]; then
+ echo "ERROR: No Trusted Signing dlib found at '${DLIB_PATH}'" >&2
 exit 1
 fi
-CERT_PATH="$(cygpath -w "$(abspath "${CERT_PATH}")")"
+
 # We will try to codesign, using multiple timestamping servers in case one is down
 SERVERS=(
- "http://timestamp.digicert.com/?alg=sha1"
- "http://timestamp.globalsign.com/scripts/timstamp.dll"
- "http://timestamp.comodoca.com/authenticode"
+ "http://timestamp.acs.microsoft.com"
+ "http://timestamp.digicert.com"
 "http://tsa.starfieldtech.com"
 )
 NUM_RETRIES=3
@@ -74,9 +72,7 @@ NUM_RETRIES=3
 function do_codesign() {
 for retry in $(seq 1 ${NUM_RETRIES}); do
 for SERVER in ${SERVERS[@]}; do
- # Note that we're using SHA1 signing here, because that's what our certificate supports.
- # In the future, we may be able to upgrade to SHA256.
- if MSYS2_ARG_CONV_EXCL='*' signtool sign /debug /fd certHash /f "${CERT_PATH}" /p "${CERT_PASSWORD}" /t "${SERVER}" "$1"; then
+ if MSYS2_ARG_CONV_EXCL='*' signtool sign /q /fd SHA256 /tr "${SERVER}" /td SHA256 /dlib "${DLIB_PATH}" /dmdf "${METADATA_JSON_PATH}" "$1"; then
 return 0
 fi
 done
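Review bot: The new AZURE_* emptiness guard in the first hunk here is the only place the script mentions these variables, and nothing visible consumes them, so a reader cannot tell why they are mandatory; presumably the Trusted Signing dlib picks them up through Azure.Identity's EnvironmentCredential, which is the one credential type the new codesign_metadata.json does not exclude. A comment above the check would make that explicit, e.g. `# Not read by this script itself: the Trusted Signing dlib authenticates via EnvironmentCredential, which takes AZURE_TENANT_ID/AZURE_CLIENT_ID/AZURE_CLIENT_SECRET from the environment.` The error message could also name which variable is missing instead of the generic `AZURE_*`, which makes a misconfigured pipeline quicker to diagnose without exposing any value.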
@@ -89,7 +85,7 @@ function do_codesign() {
 # This codesign script only works on files
 if [ -f "${1}" ]; then
 # If we're codesigning a single file, directly invoke codesign on that file
- echo "Codesigning file ${1} with certificate ${CERT_PATH}"
+ echo "Codesigning file ${1}"
 do_codesign "${1}"
 elif [ -d "${1}" ]; then
 # Create a fifo to communicate from `find` to `while`
@@ -105,7 +101,7 @@ elif [ -d "${1}" ]; then
 # This while loop reads in from the fifo, and invokes `do_codesign`,
 # but it does so in a background task, so that the codesigning can
 # happen in parallel. This speeds things up by a few seconds.
- echo "Codesigning dir ${1} with certificate ${CERT_PATH}"
+ echo "Codesigning dir ${1}"
 NUM_CODESIGNS=0
 while IFS= read -r -d '' exe_file; do
 do_codesign "${exe_file}" &
diff --git a/utilities/windows/codesign_metadata.json b/utilities/windows/codesign_metadata.json
new file mode 100644
index 00000000..af0ba3fc
--- /dev/null
+++ b/utilities/windows/codesign_metadata.json
@@ -0,0 +1,16 @@
+{
+ "Endpoint": "https://eus.codesigning.azure.net/",
+ "CodeSigningAccountName": "juliahubwincertsaccount",
+ "CertificateProfileName": "JuliaHubWinCert",
+ "ExcludeCredentials": [
+ "WorkloadIdentityCredential",
+ "ManagedIdentityCredential",
+ "SharedTokenCacheCredential",
+ "VisualStudioCredential",
+ "VisualStudioCodeCredential",
+ "AzureCliCredential",
+ "AzurePowerShellCredential",
+ "AzureDeveloperCliCredential",
+ "InteractiveBrowserCredential"
+ ]
+}