diff --git a/changelog/bugfixes/2025-02-28-walinuxagent-ignition.md b/changelog/bugfixes/2025-02-28-walinuxagent-ignition.md
new file mode 100644
index 0000000000..0a34f81620
--- /dev/null
+++ b/changelog/bugfixes/2025-02-28-walinuxagent-ignition.md
@@ -0,0 +1 @@
+- azure: Fixed issue of wa-linux-agent overriding ssh public key from ignition configuration during provisioning ([flatcar/Flatcar#1661](https://github.com/flatcar/Flatcar/issues/1661))
diff --git a/changelog/updates/2025-02-28-walinuxagent-2.12.0.4.md b/changelog/updates/2025-02-28-walinuxagent-2.12.0.4.md
new file mode 100644
index 0000000000..eae390f130
--- /dev/null
+++ b/changelog/updates/2025-02-28-walinuxagent-2.12.0.4.md
@@ -0,0 +1 @@
+- azure: wa-linux-agent ([2.12.0.4](https://github.com/Azure/WALinuxAgent/releases/tag/v2.12.0.4))
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/Manifest
index 278c8b97ac..909ecd6f9f 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/Manifest
@@ -1 +1 @@
-DIST wa-linux-agent-2.9.1.1.tar.gz 1986486 BLAKE2B ce630830886fe9bb729cfa7d92ac40bf158d26272b83e099fa2957928761642f84af2eef28ad691a076a89af6304f6ae67d7aa37ecf8629b3b973d083e619ae7 SHA512 3f44aecc16ac545db4b550586f168dbbdef34289aad6775973517bf645e5a1d486864c01e974f03a71b3e946c14e1ca140673a75c1cd602aac28725eaa68e83d
+DIST wa-linux-agent-2.12.0.4.tar.gz 2143917 BLAKE2B 4c4091569c3fc302de81c1d8467f33f8e3e817387697c339e98eb8def3100939a9cd99044fb934f7b4ce0830ae626bb5501c60f76931a614fa1392fdcd179e20 SHA512 09cfa8072f705dd4c96dda9c6a0b24b6050fcb57a0ad9bd5307ec07c7bb8270e48c17fd0fcb13cc2c8ca59472ec60af1657b536089eb9f116ca77658f6112595
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch
index f72529dc28..c47371ef4d 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0001-flatcar-changes.patch
@@ -162,7 +162,7 @@ index 83123e3f..b9257a9b 100644
          return DebianOSBaseUtil()
  
      if distro_name in ("flatcar", "coreos") or distro_code_name in ("flatcar", "coreos"):
-+        if Version(distro_version) >= Version("3550"):
++        if DistroVersion(distro_version) >= DistroVersion("3550"):
 +            return FlatcarUtil()
          return CoreOSUtil()
  
@@ -251,15 +251,16 @@ index 00000000..eeaf25ce
 +                time.sleep(wait)
 +            else:
 +                logger.warn("exceeded restart retries")
-diff --git a/azurelinuxagent/common/persist_firewall_rules.py b/azurelinuxagent/common/persist_firewall_rules.py
+diff --git a/azurelinuxagent/ga/persist_firewall_rules.py b/azurelinuxagent/ga/persist_firewall_rules.py
 index 74b878ce..22562c96 100644
---- a/azurelinuxagent/common/persist_firewall_rules.py
-+++ b/azurelinuxagent/common/persist_firewall_rules.py
-@@ -35,6 +35,7 @@ class PersistFirewallRulesHandler(object):
+--- a/azurelinuxagent/ga/persist_firewall_rules.py
++++ b/azurelinuxagent/ga/persist_firewall_rules.py
+@@ -35,7 +35,7 @@ class PersistFirewallRulesHandler(object):
  # Do not edit.
  [Unit]
- Description=Setup network rules for WALinuxAgent 
-+After=systemd-sysext.service
+ Description=Setup network rules for WALinuxAgent
+-After=local-fs.target 
++After=local-fs.target systemd-sysext.service
  Before=network-pre.target
  Wants=network-pre.target
  DefaultDependencies=no
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0002-prevent-ssh-public-key-override.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0002-prevent-ssh-public-key-override.patch
new file mode 100644
index 0000000000..d53936e351
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/files/0002-prevent-ssh-public-key-override.patch
@@ -0,0 +1,26 @@
+From 0c8db73c3567039e50ffa7447bb093ca812dedf6 Mon Sep 17 00:00:00 2001
+Message-Id: <0c8db73c3567039e50ffa7447bb093ca812dedf6.1740577844.git.dpark@linux.microsoft.com>
+From: Peyton Robertson <93797227+peytonr18@users.noreply.github.com>
+Date: Tue, 28 Jan 2025 14:17:43 -0800
+Subject: [PATCH] Applying patch to prevent ssh public key override (#3309)
+
+---
+ azurelinuxagent/common/osutil/default.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/azurelinuxagent/common/osutil/default.py b/azurelinuxagent/common/osutil/default.py
+index 584515dc..746c4363 100644
+--- a/azurelinuxagent/common/osutil/default.py
++++ b/azurelinuxagent/common/osutil/default.py
+@@ -346,7 +346,7 @@ GEN2_DEVICE_ID = 'f8b3781a-1e82-4818-a1c3-63d806ec15bb'
+                 raise OSUtilError("Bad public key: {0}".format(value))
+             if not value.endswith("\n"):
+                 value += "\n"
+-            fileutil.write_file(path, value)
++            fileutil.write_file(path, value, append=True)
+         elif thumbprint is not None:
+             lib_dir = conf.get_lib_dir()
+             crt_path = os.path.join(lib_dir, thumbprint + '.crt')
+-- 
+2.39.5
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.9.1.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.12.0.4-r1.ebuild
similarity index 92%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.9.1.1-r2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.12.0.4-r1.ebuild
index ee70a04763..6e932e1563 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.9.1.1-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/wa-linux-agent/wa-linux-agent-2.12.0.4-r1.ebuild
@@ -30,4 +30,5 @@ S="${WORKDIR}/WALinuxAgent-${PV}"
 
 PATCHES=(
     "${FILESDIR}/0001-flatcar-changes.patch"
+    "${FILESDIR}/0002-prevent-ssh-public-key-override.patch"
 )
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.12.0.4-r1.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.9.1.1-r3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/oem-azure/oem-azure-2.12.0.4-r1.ebuild