Active Directory Certificate Services (ADCS) has taken a significant leap forward by introducing the capability to generate post-quantum certificates. This development marks a pivotal moment in extending quantum-safe support beyond mere algorithms and APIs, embedding it into a core platform component that organizations around the globe rely on. Microsoft is seamlessly integrating quantum-safe cryptography into Windows’ secure connection protocols by incorporating PQ TLS hybrid key exchange into the Windows Transport Layer Security (TLS) stack. This enhancement provides quantum-safe protection for data in transit, effectively countering the looming threat of “Harvest Now, Decrypt Later” attacks, where encrypted data is captured for future decryption using quantum computing technology.
PQ TLS Hybrid Key Exchange Secures Data-in-Transit
This strategic move not only enhances quantum-safe support but also embeds it within a critical platform component that secures billions of connections daily. By addressing the pressing “Harvest Now, Decrypt Later” risk, Microsoft is taking proactive measures against potential threats where malicious entities might intercept encrypted data, intending to decrypt it once quantum computers capable of breaching current encryption standards become operational. The newly introduced PQ TLS hybrid key exchange merges traditional cryptographic methods with the NIST ML-KEM algorithm, creating a robust defense mechanism. This layered approach empowers organizations to mitigate long-term data risks, particularly for sensitive information that requires decades of confidentiality.
Microsoft’s implementation prioritizes seamless integration with existing Windows management tools, allowing IT administrators to configure these quantum-safe options through familiar channels such as Group Policy, Mobile Device Management (MDM) with Intune, or TLS PowerShell cmdlets. This focus on minimizing disruption to existing workflows enhances operational efficiency.
Currently available in preview via the Windows Insider Program, this feature is set to roll out to Windows 11 and Windows Server in the coming months. It will offer three hybrid combinations: X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1_MLKEM1024. Microsoft emphasizes that this capability enables security teams and application owners to evaluate real, Windows-native deployments and prepare for the necessary policy and configuration updates required for quantum-safe readiness.
Composite ML-KEM and ML-DSA Algorithms Enhance Windows APIs
The integration of post-quantum cryptography (PQC) is evolving from theoretical discussions to practical applications, as Microsoft actively embeds quantum-resistant solutions within core Windows functionalities. This proactive approach signifies a commitment to mitigating “Harvest Now, Decrypt Later” risks, particularly for data that demands long-term confidentiality. By combining conventional cryptographic methods with post-quantum algorithms, organizations can begin addressing the risks associated with long-lived data.
The introduction of several hybrid combinations—X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1_MLKEM1024—offers flexibility in balancing security levels and performance characteristics. These new options are easily configurable through established Windows management tools, including Group Policy, Mobile Device Management, and PowerShell cmdlets, facilitating smooth integration for IT administrators.
In addition to TLS, Windows cryptography APIs now support composite ML-KEM and ML-DSA algorithms. ML-KEM and ML-DSA are the NIST-approved PQC standards for key exchange and digital signatures, respectively. Microsoft asserts that composite algorithms enhance security by requiring an adversary to breach all components to compromise protected data. This advancement allows developers and security architects to move from foundational cryptographic primitives to the real-world certificate and signing patterns needed in production environments, enabling them to prototype new certificate profiles and evaluate trust chain impacts.
Hybrid key exchange combines classical and post-quantum algorithms, allowing organizations to begin mitigating HNDL risks.
ADCS Enables Issuance of ML-DSA Certificates
Microsoft has broadened its quantum-safe cryptography initiatives to encompass a crucial yet often overlooked aspect of IT infrastructure: certificate generation. This capability empowers enterprises to proactively assess post-quantum certificate issuance and trust validation workflows, addressing a foundational element of security that is frequently taken for granted. The introduction of ML-DSA support within ADCS is particularly noteworthy, as it enables organizations to begin countering the “Harvest Now, Decrypt Later” risk associated with long-lived data—a threat that becomes increasingly pressing as quantum computing capabilities advance.
This granular control is essential for tailoring certificate profiles to specific use cases, such as code signing and TLS certificates, where varying levels of protection and performance are necessary. Microsoft acknowledges that adopting PQC support within ADCS requires the establishment of new Certification Authorities (CAs), as existing CAs cannot be upgraded in place. This design choice facilitates the introduction of a parallel CA hierarchy, allowing for testing and validation of deployments without disrupting current production workloads.
Additional post-quantum capabilities, including ML-KEM and composite algorithm support, are slated for release later this year, aiming to enhance certificate interoperability beyond signing scenarios. This advancement transcends the mere addition of a new certificate type; it establishes a practical pathway for organizations to transition toward a quantum-safe future. By enabling the generation and validation of these certificates natively within ADCS, Microsoft streamlines the integration process, reducing complexity and minimizing the potential for errors associated with external or specialized solutions.
For security teams, this development offers a tangible starting point for identifying long-lived data at risk, such as document repositories, email archives, and backup systems, thereby prioritizing the implementation of quantum-safe protections. Microsoft emphasizes the ultimate goal of fostering crypto-agility within organizational processes, ensuring that future cryptographic transitions are more manageable and less disruptive.
The most effective migrations will be phased. Organizations should start by inventorying where public-key cryptography is used, prioritizing systems that protect sensitive data with long confidentiality lifetimes, and testing hybrid and composite approaches in non-production environments.
Mitigating Harvest Now, Decrypt Later (HNDL) Risks with PQC
The rising threat of “Harvest Now, Decrypt Later” (HNDL) attacks is prompting a proactive shift in cryptographic security, and Microsoft’s recent advancements within the Windows operating system signify a substantial step toward addressing these long-term risks. Rather than waiting for the emergence of practical quantum computers, the company is embedding post-quantum cryptography (PQC) directly into core platform components, enabling organizations to begin securing data against future decryption attempts.
This initiative extends beyond merely making PQC algorithms available; it integrates support into the protocols and infrastructure already in use. A notable development is that Active Directory Certificate Services (ADCS) can now generate post-quantum certificates. Organizations can implement a parallel CA hierarchy alongside existing infrastructure to test and validate deployments without disrupting production workloads. The available hybrid combinations (X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1_MLKEM1024) combine classical algorithms with the NIST ML-KEM algorithm, safeguarding against both current and future threats.
These composite algorithms enhance security by requiring an adversary to compromise all components to decrypt protected data, and they reduce the complexity of combining multiple algorithms while fortifying resilience. This work aligns with ongoing efforts within IETF drafts for composite ML-DSA and ML-KEM, merging traditional algorithms with their post-quantum counterparts. Collectively, these advancements provide a clear foundation for organizations to embrace quantum-safe cryptography and cultivate crypto-agility within their processes, ensuring that future transitions are more manageable.