diff --git a/windows-release/merge-and-upload.py b/windows-release/merge-and-upload.py
index 0565748f..e58306dc 100644
--- a/windows-release/merge-and-upload.py
+++ b/windows-release/merge-and-upload.py
@@ -278,6 +278,12 @@ def install_sortkey(install):
 
 
 def find_missing_from_index(url, installs):
+    if not UPLOAD_HOST:
+        print("Skipping check for upload race because UPLOAD_HOST is missing")
+        return []
+    if NO_UPLOAD:
+        print("Skipping check for upload race because NO_UPLOAD is set")
+        return []
     with urlopen(url) as r:
         x = {install_sortkey(i) for i in json.load(r)["versions"]}
     y = {install_sortkey(i) for i in installs} - x
diff --git a/windows-release/msi-steps.yml b/windows-release/msi-steps.yml
index 41f42961..12adc977 100644
--- a/windows-release/msi-steps.yml
+++ b/windows-release/msi-steps.yml
@@ -77,10 +77,8 @@ steps:
         Include: ''
         ExportCommand: SignCommand
         SigningCertificate: ${{ parameters.SigningCertificate }}
-        # WiX is struggling with WIF authentication and sign.exe right now,
-        # so we still rely on the client secret for legacy builds.
-        # We disable the service connection here to skip the login steps.
-        AzureServiceConnectionName: ''
+        # WiX never moved on from signtool.exe, so we'll use that here
+        InstallLegacyTool: true
 
     - powershell: |
         $cmd = $env:SignCommand -replace '"', '\"'