Microsoft has integrated post-quantum cryptographic (PQC) capabilities into both Windows Insider Canary Channel builds and Linux environments via its SymCrypt cryptographic library. This early-access release enables developers and organizations to evaluate the performance, compatibility, and deployment strategies of PQC algorithms in preparation for quantum-era threats. These updates are part of Microsoft’s broader goal to support secure transitions as NIST PQC standards become operational.
The update introduces support for ML-KEM (key encapsulation) and ML-DSA (digital signatures) within the Windows Cryptography API: Next Generation (CNG). Developers can now experiment with hybrid deployments using both post-quantum and traditional cryptographic algorithms. Microsoft recommends hybrid approaches during this transitional phase, prioritizing NIST Level 3 or higher where appropriate. The new Windows builds also support PQC-enabled certificate chains, import/export operations, and trust validation using ML-DSA.
On Linux, the SymCrypt provider for OpenSSL v1.9.0 enables experimentation with TLS hybrid key exchange mechanisms based on the latest IETF draft. Users can test how PQC integration affects handshake message size, latency, and overall connection performance. Microsoft emphasized that PQC implementations are based on evolving standards and that updates will be issued as protocols and interoperability requirements mature.
Additional developments are planned, including extending PQC support to the Windows TLS stack (Schannel), Microsoft Active Directory Certificate Services (ADCS), and Intune Certificate Connector workflows. Composite and hybrid PQC deployments are prioritized to maintain compatibility with legacy systems during the transition.
Microsoft reiterated the need for “crypto agility”—the ability to upgrade cryptographic systems flexibly as algorithms and standards evolve. Although PQC algorithms such as ML-KEM and ML-DSA may introduce performance trade-offs, the company is working on optimization techniques, including hardware acceleration for Keccak-based primitives.
For more technical details, see Microsoft’s full announcement here.
May 21, 2025
