diff --git a/.vsts-ci/windows.yml b/.vsts-ci/windows.yml index 5d34caa..b5da8f4 100644 --- a/.vsts-ci/windows.yml +++ b/.vsts-ci/windows.yml @@ -9,12 +9,14 @@ variables: resources: - repo: self clean: true -phases: -- phase: Build - queue: - name: Hosted Windows Container - parallel: 4 +jobs: +- job: Build + + pool: + vmImage: vs2017-win2016 + + strategy: matrix: Windows x86: buildName: x86 @@ -31,17 +33,9 @@ phases: displayName: Install cmake condition: succeeded() - powershell: | - choco install windows-sdk-10.1 - displayName: Install Windows SDK 10.1 - condition: succeeded() - - powershell: | - Invoke-WebRequest "https://aka.ms/vs/15/release/vs_BuildTools.exe" -OutFile vs_BuildTools.exe -UseBasicParsing - Start-Process -FilePath 'vs_BuildTools.exe' -ArgumentList '--quiet', '--norestart', '--locale en-US', '--add Microsoft.VisualStudio.Component.VC.Tools.ARM', '--add Microsoft.VisualStudio.Component.VC.Tools.ARM64', '--includeRecommended', '--add Microsoft.VisualStudio.Workload.VCTools', '--add Microsoft.VisualStudio.Component.Windows10SDK.16299.Desktop.arm', '--add Microsoft.VisualStudio.Component.VC.ATL.Spectre', '--add Microsoft.VisualStudio.Component.VC.ATLMFC.Spectre', '--add Microsoft.VisualStudio.Component.VC.ATL.ARM.Spectre', '--add Microsoft.VisualStudio.Component.VC.ATL.ARM64.Spectre', '--add Microsoft.VisualStudio.Component.VC.Runtimes.ARM.Spectre', '--add Microsoft.VisualStudio.Component.VC.Runtimes.ARM64.Spectre', '--add Microsoft.VisualStudio.Component.VC.Runtimes.x86.x64.Spectre' -Wait - Remove-Item .\vs_BuildTools.exe - Remove-Item -Force -Recurse 'C:\Program Files (x86)\Microsoft Visual Studio\Installer' $vsPath = ${Env:ProgramFiles(x86)} + '\Microsoft Visual Studio\2017\BuildTools\MSBuild\15.0\Bin' Write-Host "##vso[task.prependpath]$vsPath" - displayName: Install Visual Studio 2017 + displayName: Set Visual Studio Path condition: succeeded() - powershell: | $cmakeBinPath = "$env:ProgramFiles\CMake\bin\" 
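Review bot: The `Set Visual Studio Path` step in the second hunk still prepends `...\2017\BuildTools\MSBuild\15.0\Bin`, but the steps that installed the Build Tools into that directory are removed and nothing checks that the directory exists on the `vs2017-win2016` image. If the hosted image carries a different Visual Studio edition, the prepend has no effect and the build uses whichever MSBuild is already on PATH, with no error to show it. I would add `if (-not (Test-Path $vsPath)) { throw "MSBuild not found under $vsPath" }` before the `Write-Host` line. The same step is added unchanged in tools/releaseBuild/yaml/windows-build.yml, where the output goes on to be signed, so it needs the same guard there.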
diff --git a/tools/releaseBuild/yaml/releaseBuild.yml b/tools/releaseBuild/yaml/releaseBuild.yml index 2330cf2..21a389b 100644 --- a/tools/releaseBuild/yaml/releaseBuild.yml +++ b/tools/releaseBuild/yaml/releaseBuild.yml @@ -1,3 +1,5 @@ +trigger: none + variables: AuthenticodeSignType: '400' BuildConfiguration: 'Release' @@ -10,12 +12,30 @@ stages: dependsOn: [] jobs: - job: BuildWin + pool: + vmImage: vs2017-win2016 + displayName: Windows + strategy: + matrix: + x64: + ARCHITECTURE: x64 + x86: + ARCHITECTURE: x86 + x64ARM: + ARCHITECTURE: x64_arm + x64ARM64: + ARCHITECTURE: x64_arm64 + steps: + - template: windows-build.yml + + - job: SignWin pool: name: PowerShell demands: - DotNetFramework - Agent.Image - displayName: Windows + displayName: Sign Windows + dependsOn: BuildWin strategy: matrix: x64: @@ -27,7 +47,7 @@ stages: x64ARM64: ARCHITECTURE: x64_arm64 steps: - - template: windows.yml + - template: windows-sign.yml - job: BuildLinux displayName: Linux @@ -55,7 +75,7 @@ stages: - job: BuildNuGetPkg displayName: Build NuGet Package dependsOn: - - BuildWin + - SignWin - BuildLinux - BuildMac pool: diff --git a/tools/releaseBuild/yaml/windows-build.yml b/tools/releaseBuild/yaml/windows-build.yml new file mode 100644 index 0000000..a5c9cd2 --- /dev/null +++ b/tools/releaseBuild/yaml/windows-build.yml 
@@ -0,0 +1,20 @@
+steps:
+ - powershell: |
+ choco install cmake.install --installargs 'ADD_CMAKE_TO_PATH=System'
+ displayName: Install cmake
+ condition: succeeded()
+ - powershell: |
+ $vsPath = ${Env:ProgramFiles(x86)} + '\Microsoft Visual Studio\2017\BuildTools\MSBuild\15.0\Bin'
+ Write-Host "##vso[task.prependpath]$vsPath"
+ displayName: Set Visual Studio Path
+ condition: succeeded()
+ - powershell: |
+ $cmakeBinPath = "$env:ProgramFiles\CMake\bin\"
+ if(Test-Path $cmakeBinPath) { $env:Path = "$cmakeBinPath;$env:PATH" } else { throw "CMake not installed under $cmakeBinPath" }
+ $(Build.SourcesDirectory)\tools\releaseBuild\PowerShellNative.ps1 -RepoRoot $(Build.SourcesDirectory) -TargetLocation "$(System.ArtifactsDirectory)\Packages" -Arch $(ARCHITECTURE) -Configuration Release -Symbols
+ displayName: Start build - $(ARCHITECTURE)
+ condition: succeeded()
+ - powershell: |
+ Write-Host "##vso[artifact.upload containerfolder=release;artifactname=release]$(System.ArtifactsDirectory)\Packages\$(ARCHITECTURE)-symbols.zip"
+ displayName: Upload artifacts
+ condition: succeeded()
diff --git a/tools/releaseBuild/yaml/windows-sign.yml b/tools/releaseBuild/yaml/windows-sign.yml
new file mode 100644
index 0000000..bf227b9
--- /dev/null
+++ b/tools/releaseBuild/yaml/windows-sign.yml
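Review bot: In windows-build.yml the `choco install cmake.install` line carries no `--version`, so each release build installs whatever package the Chocolatey feed serves at that moment, and the binaries it produces are handed to the signing job. Pinning it, for example `choco install cmake.install --version <PINNED_VERSION> --installargs 'ADD_CMAKE_TO_PATH=System'`, keeps the release toolchain reproducible and turns a changed package into a reviewed diff instead of a silent upgrade. A one-line comment above the step saying why that version was chosen would help whoever bumps it next.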
@@ -0,0 +1,69 @@
+steps:
+- task: PkgESSetupBuild@10
+ displayName: 'Initialize build'
+ env:
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ inputs:
+ useDfs: false
+ productName: PowerShellCore
+ branchVersion: true
+ disableWorkspace: true
+ disableBuildTools: true
+ disableNugetPack: true
+ condition: and(succeeded(), eq(variables['Build.Reason'], 'Manual'))
+
+- task: DownloadBuildArtifacts@0
+ inputs:
+ buildType: current
+ artifactName: release
+
+- powershell: |
+ $zipFilePath = '$(System.ArtifactsDirectory)\release\$(ARCHITECTURE)-symbols.zip'
+ Get-ChildItem $zipFilePath -Verbose
+
+ Expand-Archive $zipFilePath -Destination '$(System.ArtifactsDirectory)\Expanded' -Force
+
+ $vstsCommandString = "vso[task.setvariable variable=Symbols]$(System.ArtifactsDirectory)\Expanded"
+ Write-Host "sending " + $vstsCommandString
+ Write-Host "##$vstsCommandString"
+ displayName: Expand artifact $(ARCHITECTURE)-symbols.zip
+
+- task: PowerShell@2
+ displayName: 'Update Signing Xml'
+ inputs:
+ targetType: filePath
+ filePath: $(Build.SourcesDirectory)/tools/releaseBuild/updateSigning.ps1
+
+- task: PkgESCodeSign@10
+ displayName: 'CodeSign $(ARCHITECTURE)'
+ env:
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ inputs:
+ signConfigXml: '$(Build.SourcesDirectory)\tools\releaseBuild\signing.xml'
+ inPathRoot: '$(Symbols)'
+ outPathRoot: '$(Symbols)\Signed'
+ condition: ne(variables['SKIP_SIGNING'], 'True')
+
+- powershell: |
+ Compress-Archive -Path '$(Symbols)\Signed\*' -DestinationPath '$(Symbols)\Signed\win-$(ARCHITECTURE).zip'
+ displayName: Compress signed binaries
+ condition: ne(variables['SKIP_SIGNING'], 'True')
+
+- powershell: |
+ Get-ChildItem -Path '$(Symbols)\*' -Recurse | Copy-Item -Destination '$(Symbols)\Signed' -Force -Verbose
+ displayName: Copy unsigned binaries as signing is skipped
+ condition: eq(variables['SKIP_SIGNING'], 'True')
+
+- template: uploadArtifact.yml
+ parameters:
+ artifactPath: '$(Symbols)\Signed'
+ artifactFilter: 'win-*.zip'
+ artifactName: 'signed'
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
+ displayName: 'Run MpCmdRun.exe'
+
+- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
+ displayName: 'Component Detection'
+ inputs:
+ sourceScanPath: '$(Build.SourcesDirectory)'
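Review bot: The `condition:` on `PkgESCodeSign@10`, on `Compress signed binaries` and on the copy-unsigned step in windows-sign.yml replaces the implicit `succeeded()`, so those steps still run after a failed artifact download, expand or `Update Signing Xml` step. Use `condition: and(succeeded(), ne(variables['SKIP_SIGNING'], 'True'))` (and the matching `eq` form on the copy step), which is the shape the first task in this file already uses. `AntiMalware@3` also runs only after signing and upload, so a flagged file would already be signed and published; it belongs before `PkgESCodeSign@10`. With `SKIP_SIGNING` set, unsigned files are copied into the `Signed` folder that is published as artifact `signed`, which downstream jobs cannot tell apart from a signed build. The compress step is skipped on that path, so whether the `win-*.zip` filter matches anything depends on uploadArtifact.yml, which is not shown here.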