Forum Discussion
Companion guide: Transitioning to post-quantum cryptography
Whether you joined us live or are catching up afterward, this companion guide brings together all the resources, links, and deeper dives referenced during the Microsoft Technical Takeoff session on Transitioning to post-quantum cryptography. Think of it as your follow‑along toolkit: everything you need to explore key topics, revisit demos, and continue learning at your own pace. Use it to jump straight to the details that matter most to you or to share highlights with your team.
Industry standards:
NIST standardized the first set of PQC algorithms:
- FIPS 203 Key Encapsulation Mechanism (ML-KEM)
- FIPS 204 Digital Signature Standard (ML-DSA)
- FIPS 205 Hash-Based Digital Signature Standard (SLH-DSA)
- NIST SP 800-208 Stateful Hash-Based Signature Schemes (LMS, XMSS)
Last year, Microsoft added post-quantum cryptography algorithms to SymCrypt, Microsoft’s core cryptographic library.
- Read the announcement: Microsoft's quantum-resistant cryptography is here
- Direct callers can leverage Cryptography API: Next Generation (CNG) libraries and Certificate and Cryptographic messaging functions in Windows Server 2025 (and later) and Windows 11.
- Request ML-DSA server certificates with Microsoft Active Directory Certificate Services (ADCS).
- Windows TLS Stack (Schannel): TLS hybrid key exchange per the latest IETF internet draft is now available for preview in the Windows Insider Program and coming soon to Windows Server.
- Additional algorithms coming to SymCrypt as global standards and compliance regulations mature.
When available, ML-KEM hybrid groups can be enabled and prioritized on devices using the same mechanisms as existing TLS ECC curves. To learn more, see Manage Transport Layer Security (TLS) in Windows Server.
Additional resources:
1 Reply
Thanks for the consolidated resources — very helpful for anyone preparing for PQC transitions.