diff --git a/Dockerfile.windows b/Dockerfile.windows
index b322fa3ea5..5b119a4900 100644
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -197,7 +197,9 @@ RUN cmd.exe /c 'gcloud --version'
 
 COPY kokoro\scripts\build\signing\sign.ps1 /work/sign.ps1
 
-ARG GCS_BUCKET_URL
-RUN & \work\sign.ps1 -GcsBucketUrl $env:GCS_BUCKET_URL;
+ENTRYPOINT ["powershell.exe"]
+CMD ["./sign.ps1"]
 
-RUN & .\pkg\goo\build.ps1 -DestDir /work/out;
+# RUN & \work\sign.ps1 -GcsBucketUrl $env:GCS_BUCKET_URL;
+
+# RUN & .\pkg\goo\build.ps1 -DestDir /work/out;
diff --git a/kokoro/scripts/build/build_package.ps1 b/kokoro/scripts/build/build_package.ps1
index ff2307efdd..e2c8ac0dab 100755
--- a/kokoro/scripts/build/build_package.ps1
+++ b/kokoro/scripts/build/build_package.ps1
@@ -76,9 +76,10 @@ Write-Host "gcs_bucket: ${gcs_bucket}"
 
 $cache_location="${artifact_registry}/stackdriver-test-143416/google-cloud-ops-agent-build-cache/ops-agent-cache:windows-${arch}${suffix}"
 Invoke-Program docker pull $cache_location
-Invoke-Program docker build --cache-from="${cache_location}" --build-arg GCS_BUCKET_URL="${gcs_bucket}" -t $tag -f './Dockerfile.windows' .
-Invoke-Program docker create --name $name $tag
-Invoke-Program docker cp "${name}:/work/out" $env:KOKORO_ARTIFACTS_DIR
+Invoke-Program docker build --cache-from="${cache_location}" -t $tag -f './Dockerfile.windows' .
+Invoke-Program docker run -v "${env:APPDATA}/gcloud:C:/Users/ContainerAdministrator/AppData/Roaming/gcloud" -e GCS_BUCKET_URL="${gcs_bucket}" $tag
+# Invoke-Program docker create --name $name $tag
+# Invoke-Program docker cp "${name}:/work/out" $env:KOKORO_ARTIFACTS_DIR
 
 
 # Tell our continuous build to update the cache. Our other builds do not
diff --git a/kokoro/scripts/build/signing/sign_windows.sh b/kokoro/scripts/build/signing/sign_windows.sh
new file mode 100644
index 0000000000..c0564ca942
--- /dev/null
+++ b/kokoro/scripts/build/signing/sign_windows.sh
@@ -0,0 +1,50 @@
+if [[ -z "${env:$GSU_BUCKET_URL}" ]]; then
+  echo 'No Signing Bucket URL, skipping signing'
+  exit 0
+fi
+
+file_filter=(
+"out/bin/fluent-bit.exe"
+"out/bin/fluent-bit.dll"
+"out/bin/google-cloud-metrics-agent.exe"
+"out/bin/google-cloud-ops-agent.exe"
+"out/bin/google-cloud-ops-agent-diagnostics.exe"
+"out/bin/google-cloud-ops-agent-wrapper.exe"
+"pkg/goo/maint.ps1"
+)
+
+for file in "${file_filter[@]}"
+do
+  echo "Sending: $file to be signed"
+  gsutil cp "./$file" "${env:GSU_BUCKET_URL}$file"
+done
+
+# Sent to indicate all binaries have been sent to be signed
+touch ./UNSIGNED_READY.txt
+
+gsutil cp ./UNSIGNED_READY.txt "${env:GSU_BUCKET_URL}UNSIGNED_READY.txt"
+
+echo "Sent all unsigned binaries"
+
+# Wait for binaries to be signed.
+i=0
+until gsutil -q stat "${env:GSU_BUCKET_URL}SIGNED_READY.txt"; do
+  if [[ $i -ge 300 ]]; then
+    echo "Could not get signed binaries"
+    exit 1
+  elif [[ $i -gt 0 ]]; then
+    # Sleep for 15 seconds before the next attempt to avoid hammering the timestamp server.
+    sleep 15
+  fi
+  i=$((i+1))
+done
+
+for file in "${file_filter[@]}"
+do
+  echo "Receiving: signed $file"
+  gsutil cp "${env:GSU_BUCKET_URL}$file" "./$file"
+done
+
+gsutil rm "${env:GSU_BUCKET_URL}*.goo"
+
+powershell -c & .\\pkg\\goo\\build.ps1 -DestDir /work/out;