Microsoft will require all its critical products and services to adopt post-quantum cryptography (PQC) by 2029, the company announced on June 30, 2026, dramatically accelerating a previously internal Quantum Safe Program and folding it into the high-profile Secure Future Initiative. The mandate covers Windows client and server operating systems, Azure infrastructure, Microsoft 365, and all enterprise-facing TLS 1.3 endpoints. The move signals the first concrete, time-bound commitment from a major platform vendor to systematically replace classical public-key algorithms with quantum-resistant alternatives before cryptographically relevant quantum computers (CRQCs) become a practical threat.
The announcement comes after years of behind-the-scenes crypto-agility work. Microsoft began testing hybrid key exchange in TLS 1.3 for Windows Insider builds as early as 2024, blending classical elliptic-curve Diffie–Hellman with the NIST-selected Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM). By mid-2025, all Microsoft online services were negotiating hybrid key exchange when clients supported it. The 2029 target now shifts the focus from optional experimentation to mandatory enforcement, with a clear deprecation timeline for RSA and ECC-only cipher suites.
Why 2029? The Quantum Threat Timeline
Post-quantum cryptography addresses a well-understood vulnerability: Shor’s algorithm, running on a sufficiently large quantum computer, can break the integer factorization and discrete logarithm problems that underpin RSA, DSA, and elliptic-curve cryptography. While estimates for a CRQC vary, the consensus among cryptographers is that a machine capable of factoring 2048-bit RSA keys could arrive within the next decade. Because encrypted data can be harvested today and decrypted later ("harvest now, decrypt later"), organizations are already at risk. Microsoft’s 2029 deadline reflects an internal risk assessment that expects real-world quantum attacks by the early 2030s, giving the company a three-year buffer to complete migration before the perceived tipping point.
The deadline applies not only to new deployments but to the entire lifecycle of supported products. Windows Server 2025, for instance, will receive PQC-only cipher suite defaults via a Cumulative Update by 2028 at the latest, with legacy algorithm support disabled by default in 2029. Older Windows 11 versions will be updated through the Windows Update mechanism, while Windows 10 will receive a final security update that removes quantum-vulnerable cipher suites entirely before its end-of-life in October 2028.
What the Quantum Safe Program Covers
The program, now officially branded as the Microsoft Quantum Safe Program, extends far beyond TLS. It encompasses:
- Code signing: All Windows driver and application certificates will be issued using quantum-safe algorithms by 2028. Existing RSA-based signatures will be re-signed under a dual-signature model during a transition period.
- BitLocker: Full-disk encryption will adopt AES-256 with ML-KEM for key wrapping, replacing RSA-2048 protection of volume master keys.
- Kerberos and Active Directory: The network authentication protocol will gain quantum-safe ticket-granting tickets over the next two release cycles, using the SUIT manifest format for cryptographic agility.
- Secure Boot: The UEFI signature database will transition to SPHINCS+ hash-based signatures for platform firmware verification, a critical step given the long-lived nature of bootloaders.
- Azure Key Vault and Managed HSM: Hardware security modules will natively generate and store ML-KEM and Falcon keys, with API support for hybrid and pure PQC operations.
These technical pillars are being coordinated under the Secure Future Initiative (SFI), Microsoft’s company-wide security overhaul launched in 2023. SFI’s “quantum-safe” pillar already includes automated discovery tools that scan code repositories for hard-coded algorithm references and enforce crypto-agility libraries. The 2029 mandate gives those tools an enforceable deadline.
Crypto Agility as the Foundation
Central to the program is crypto agility—the ability to swap cryptographic primitives without significant code changes. Microsoft has been gradually enforcing the use of its SymCrypt library and the CryptoAPI abstraction layer for all internal development. Starting with Visual Studio 2025, project templates default to the Microsoft Quantum Safe SDK, which abstracts algorithm selection behind a set of interfaces that allow runtime negotiation. This means that when a server updates to a PQC-only policy, clients that have already adopted the SDK can seamlessly switch, provided they have the necessary quantum-safe certificate chains.
For enterprise customers, the path to crypto agility involves inventorying every cryptographic dependency. Microsoft is providing the Microsoft Crypto Migration Analyzer (MCMA) as a free tool that scans Windows, Linux, and macOS endpoints for outdated cipher suites, static algorithm bindings, and hard-coded key lengths. The tool generates a heat map highlighting the most urgent migration targets, such as on-premises Exchange servers still using RSA for SMTP TLS, or line-of-business applications that pin to classic .NET Framework cryptography classes.
The TLS 1.3 Hybrid to Pure PQC Transition
TLS 1.3 serves as the primary battlefield. Microsoft’s current implementation, documented in its QUIC and HTTP/3 stacks, supports the hybrid key exchange combination X25519MLKEM768. In a hybrid handshake, both a classical and a post-quantum secret are combined into the session key, so the connection remains secure even if one algorithm is broken. The 2029 deadline marks the point when servers will reject any handshake that does not include a PQC key share. Clients that only offer secp256r1 or x25519 will be denied, effectively forcing a hard cutover.
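The key_share negotiation described above, as an added example that is not Microsoft's or the page's own code: it decodes the TLS 1.3 ClientHello key_share extension and applies the server policy, preferring a hybrid or pure ML-KEM share and, once PQC is required, rejecting a ClientHello that offers only x25519 or secp256r1. The group code points are taken from the IANA TLS registry and the IETF ECDHE-MLKEM draft; the function names are this example's own, and the key material used as sample input is dummy bytes of realistic length.

```python
# Constructed example, not Microsoft's code: decode a TLS 1.3 ClientHello
# key_share extension and apply the hybrid-vs-PQC-only server policy.
from __future__ import annotations
import struct

# NamedGroup code points (IANA TLS registry / IETF ECDHE-MLKEM draft).
SECP256R1, X25519 = 0x0017, 0x001D
X25519MLKEM768, SECP256R1MLKEM768 = 0x11EC, 0x11EB   # hybrid groups
MLKEM768 = 0x0201                                     # pure ML-KEM-768
CLASSICAL_GROUPS = {SECP256R1, X25519}
PQC_GROUPS = {X25519MLKEM768, SECP256R1MLKEM768, MLKEM768}


def parse_key_share(body: bytes) -> list[tuple[int, bytes]]:
    """Decode KeyShareClientHello: u16 client_shares length, then entries of
    u16 group, u16 key_exchange length, key_exchange bytes. Every length is
    checked so a malformed extension cannot overrun the buffer."""
    if len(body) < 2:
        raise ValueError("truncated key_share extension")
    (total,) = struct.unpack("!H", body[:2])
    if total != len(body) - 2:
        raise ValueError("client_shares length does not match body")
    shares, pos = [], 2
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated KeyShareEntry header")
        group, klen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + klen > len(body):
            raise ValueError("KeyShareEntry overruns extension")
        shares.append((group, body[pos:pos + klen]))
        pos += klen
    return shares


def build_key_share(shares: list[tuple[int, bytes]]) -> bytes:
    """Encode client_shares; used here only to construct sample input."""
    entries = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    return struct.pack("!H", len(entries)) + entries


def select_group(body: bytes, pqc_required: bool) -> int | None:
    """Return the group the server negotiates, or None if policy rejects the
    handshake: a hybrid or pure ML-KEM share always wins; classical-only
    shares are accepted only while pqc_required is False (pre-2029)."""
    offered = [g for g, _ in parse_key_share(body)]
    for g in offered:
        if g in PQC_GROUPS:
            return g
    if pqc_required:  # 2029 policy: no PQC key share, handshake rejected
        return None
    for g in offered:
        if g in CLASSICAL_GROUPS:
            return g
    return None
```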
This transition raises compatibility concerns. Internet of Things devices, older Android and iOS versions, and embedded systems may lack the processing power or library support for lattice-based key generation. Microsoft plans to maintain a limited set of “interop gateways”—reverse proxies that terminate hybrid TLS connections and forward traffic to legacy endpoints over private networks—until 2031. The company will also publish an Azure Marketplace image for a Quantum Safe TLS Terminator that organizations can deploy in front of their on-premises workloads.
Windows 11 and Windows Server: The End-User Impact
For end users, the most visible change will be the disappearance of the RSA certificate authority trust chain in the default store. Starting with Windows 11 Enterprise 24H2, administrators can already enable a Group Policy setting called “Require quantum-resistant certificate validation”. Under this policy, certificate chains that rely solely on RSA or ECC for signing are treated as untrusted unless they also include a PQC signature. By 2028, this policy will become the default for new installations. Consumers on Windows 11 Home will see a gradual phase-out: in 2027, Windows Update will automatically distrust leaf certificates that lack a quantum-safe end-entity signature, then extend that to intermediate CAs in 2028, and finally to root CAs in 2029.
System administrators will need to audit their internal PKI deployments. Many enterprises run an offline root CA secured with a 4096-bit RSA key, which will be unaffected by the online attacks Shor’s algorithm enables, but attacker models that include “harvest now, decrypt later” mean even offline roots must eventually migrate. Microsoft’s Certificate Services will gain the ability to issue hybrid certificates that pair an ECDSA signature with an ML-DSA (Dilithium) signature in a single X.509 certificate. A new Active Directory Certificate Services role, Quantum Safe CA, is scheduled for Windows Server 2027.
The Secure Future Initiative Reorganization
The integration into the Secure Future Initiative elevates quantum safety to an executive-level priority. Charlie Bell, Microsoft’s Executive Vice President for Security, Compliance, Identity, and Management, said in a blog post accompanying the announcement that “the quantum threat is no longer a theoretical exercise for cryptographers. It is a boardroom-level risk that demands the same urgency as nation-state APTs.” The SFI now includes quarterly quantum-readiness reviews with all product engineering groups, and any product that fails to meet its intermediate crypto-agility milestones will be highlighted in Microsoft’s external transparency reports.
This reorganization also affects procurement. Microsoft’s standard enterprise agreements will include a Quantum Safe Readiness Addendum starting in 2027, requiring customers to attest that they have begun their own PQC migration planning. While not legally binding in the first year, Microsoft Account Teams will use these attestations to prioritize support requests and offer discounted workshops. By 2029, customers who have not adopted compatible PQC configurations will be unable to connect to many Microsoft online services, effectively creating a contractual obligation through service termination.
Industry Context: NIST and Global Standards
Microsoft’s move aligns with the finalization of NIST’s third set of PQC standards. In addition to ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205), NIST is expected to release the Falcon-based signature standard (FIPS 206) later this year. Microsoft has committed to supporting all NIST-approved PQC algorithms so that enterprises can choose the signature scheme best suited to their performance and size constraints.
Google, Amazon, and Cloudflare have already deployed hybrid key exchange at the edge, but none have set a deprecation date for classical algorithms. The 2029 deadline puts Microsoft ahead of the curve. The U.S. government’s own “Harvest Now, Decrypt Later” directive (NSM-10) mandates that all federal systems complete their PQC migration by 2033. Microsoft’s 2029 target gives it a four-year head start, which it hopes will become a competitive differentiator for Azure and Microsoft 365 in regulated industries.
Enterprise Migration Steps and Tools
For CIOs and CISOs, the 2029 deadline demands action now. Cryptographic inventory is the first and most tedious step. Microsoft’s Migration Analyzer can identify vulnerable cipher suites across a domain, but it cannot scan custom applications. Enterprises must inventory their internal code, especially legacy applications built on .NET Framework 4.x that use RSACryptoServiceProvider or ECDsaCng directly. Microsoft is extending the .NET Framework compatibility mode to support PQC libraries via a NuGet package, but applications compiled with static algorithm references will need recompilation.
Second, organizations must upgrade their identity infrastructure. Active Directory forests running at Windows Server 2016 functional level or lower will not receive PQC updates for Kerberos; Microsoft will require at least Windows Server 2022 functional level by 2028. This means many organizations will need to accelerate domain controller refreshes that were previously planned for later.
Third, network architecture must evolve. Deep packet inspection devices, load balancers, and TLS-terminating reverse proxies that do not support PQC cipher suites will become blocking points. Microsoft’s hardware partners—including F5, Citrix, and Broadcom—have committed to providing firmware updates by 2027, but organizations with older appliances may need to replace them entirely.
Finally, key management strategies must be rethought. With quantum-safe algorithms come larger key sizes and signatures: ML-DSA signatures are up to 4.5 KB, compared with 64 bytes for ECDSA. This has bandwidth and storage implications for certificate transparency logs, OCSP stapling, and high-transaction-rate services. Microsoft is introducing a Compact ML-DSA mode in Windows 11 24H2 that trims signature sizes by 30% at the cost of slightly higher verification times, providing a middle ground for resource-constrained deployments.
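The code-inventory step above, and the repository scanning that the SFI discovery tools perform for hard-coded algorithm references, as an added illustration rather than Microsoft's Migration Analyzer or SFI tooling: a small scanner that flags static classical classes such as RSACryptoServiceProvider and ECDsaCng, fixed signature-algorithm names, RSA-key-exchange cipher suites and hard-coded key lengths, then ranks files into the kind of heat map the text describes. The rule names, weights and sample files are constructed for this example.

```python
# Constructed example, not Microsoft's MCMA or SFI discovery tooling: a small
# source scanner for hard-coded crypto references, ranked into a heat map.
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    weight: int   # higher = more urgent migration target
    text: str


# (rule, regex, base weight): static classical classes, fixed signature
# algorithm names, RSA-key-exchange cipher suites and hard-coded key lengths.
RULES = [
    ("rsa-key-exchange-suite", r"\bTLS_RSA_WITH_[A-Z0-9_]+", 5),
    ("static-rsa-class", r"\bRSACryptoServiceProvider\b|\bRSACng\b", 3),
    ("static-ecc-class", r"\bECDsaCng\b|\bECDiffieHellmanCng\b", 3),
    ("hardcoded-sig-alg", r"\bSHA\d{3}with(?:RSA|ECDSA)\b", 2),
    ("hardcoded-key-length", r"\b(?:RSA\w*|DSACng)\(\s*(\d{3,4})\s*\)", 2),
]
COMPILED = [(name, re.compile(rx), w) for name, rx, w in RULES]


def scan_source(path: str, text: str) -> list[Finding]:
    """Return every rule hit in one file, one Finding per match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx, weight in COMPILED:
            for m in rx.finditer(line):
                w = weight
                if name == "hardcoded-key-length" and int(m.group(1)) < 2048:
                    w += 3  # sub-2048-bit RSA is weak even classically
                findings.append(Finding(path, lineno, name, w, m.group(0)))
    return findings


def heat_map(files: dict[str, str]) -> list[tuple[str, int]]:
    """Rank files by summed finding weight, hottest first (ties by path)."""
    scores = {p: sum(f.weight for f in scan_source(p, t)) for p, t in files.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample repository: three legacy files and one crypto-agile one.
SAMPLE_FILES = {
    "LegacyBilling/Signer.cs": "using System.Security.Cryptography;\n"
                               "var rsa = new RSACryptoServiceProvider(1024);\n",
    "SmtpRelay/config.xml": '<tls cipherSuite="TLS_RSA_WITH_AES_128_CBC_SHA" />\n',
    "Portal/JwtService.cs": 'var alg = "SHA256withRSA";\nusing var ecdsa = new ECDsaCng();\n',
    "Agile/Tokens.cs": "var signer = SignerFactory.Create(policy.SignatureAlgorithm);\n",
}
```

Calling `heat_map(SAMPLE_FILES)` puts the 1024-bit RSA signer at the top and the crypto-agile file at zero.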
The Looming IoT and OT Challenge
While Windows and Azure are the headliners, the broader Microsoft ecosystem includes Windows IoT, Azure Sphere, and Azure RTOS (now Eclipse ThreadX). These platforms power millions of embedded devices, from medical equipment to building controllers, many of which have 10- to 20-year field lifetimes. Microsoft’s 2029 deadline applies to these devices as well, but the practicality is daunting. Azure Sphere will require a silicon root-of-trust update to support PQC key generation, a process that can take 18 months per chipset. Microsoft has initiated a joint effort with MediaTek, NXP, and Qualcomm to deliver quantum-safe Pluton security processors by 2027, but devices already in the field may become stranded if they cannot be updated over the air.
To mitigate this, the Quantum Safe Program includes a Legacy Device Isolation Framework. Starting in 2028, Windows will treat unauthenticated or weak-cipher IoT connections as zero-trust network segments, forcing them through a PQC-capable gateway before they can reach Azure IoT Hub. Device builders are being given a two-year window to issue firmware updates that add ML-KEM support to their TLS stacks.
What Happens If You Miss the Deadline?
Microsoft is not mincing words: services that have not adopted PQC by 2029 will be blocked. Azure AD (Entra ID) will refuse authentication requests that come over non-quantum-safe TLS after December 31, 2029. Exchange Online will reject connections from on-premises servers that only support RSA key exchange. SharePoint Online will mark documents signed with RSA-only certificates as untrusted. The company will issue quarterly reports starting in 2027 detailing the percentage of connections to Microsoft services that remain quantum-vulnerable, broken down by tenant. Tenant administrators who ignore these warnings will eventually find their users locked out.
A grace period for “emergency access” will exist until mid-2030, allowing a tenant to temporarily re-enable RSA cipher suites for 48 hours in a documented break-glass scenario. However, each activation will be logged and reviewed by Microsoft’s security team, and repeated use will trigger an automatic support escalation.
Early Adopters and Lessons Learned
A handful of enterprise customers have already run the Microsoft Quantum Safe Pilot Program, which has been quietly available since 2025. Early results are mixed but instructive. A large European bank successfully migrated its Internet-facing Entra ID farm to hybrid certificates in six weeks, discovering that only 3% of its internal applications had hard-coded algorithm assumptions. By contrast, a U.S. healthcare provider found that 22% of its medical imaging DICOM servers used a custom TLS library that predated RFC 8446 and could not be upgraded without a full vendor refresh. These experiences have shaped the tools Microsoft is now releasing.
One critical finding is that the performance impact of PQC is not the bottleneck many feared. ML-KEM key generation on a typical Azure VM takes under 1 ms, and the added handshake latency for hybrid TLS is less than 15 ms on a round-trip time of 50 ms. The real drag comes from the increased bandwidth of certificate chains containing a 3 KB ML-DSA signature, which can slow down initial page load times on poor connections. Microsoft’s compact mode and support for certificate compression (RFC 8879) mitigate this substantially.
The Road to 2029: Milestones
Microsoft published a detailed roadmap alongside the announcement:
- 2026 (H2): Quantum Safe SDK 1.0 released; Windows 11 Insider Preview builds enable PQC-only mode via Group Policy; Azure Key Vault ML-KEM preview.
- 2027: General availability of Quantum Safe CA in Windows Server; mandatory hybrid TLS for all new Microsoft 365 tenants; code signing certificates begin dual-signing.
- 2028: RSA and ECC removed from default cipher suites in Windows Update for all supported versions; Kerberos quantum-safe tickets available but optional; Active Directory functional level requirement raised to Windows Server 2022 for PQC features.
- 2029: Hard enforcement: non-PQC connections to Microsoft services rejected; Windows client default policy distrusts all classical-only certificates; legacy IoT isolation framework activated.
- 2030: Removal of all classical-only cryptographic providers from the Windows base image; final end-of-support for classic .NET crypto providers.
Conclusion: Preparing for the Inevitable
Microsoft’s 2029 mandate is a watershed moment for the IT industry. What was once a research project is now a business-critical migration with hard deadlines. For Windows enthusiasts and enterprise administrators, the message is clear: the time to start planning was yesterday. Inventory your certificates, audit your code, upgrade your domain controllers, and test your TLS stacks against hybrid and pure PQC configurations. The tools are arriving, but the window is short.
The announcement also signals that quantum-safe design is no longer optional for software developers. Any new application that hopes to run on Windows or connect to Microsoft services after 2029 must adopt the Quantum Safe SDK or an equivalent crypto-agile architecture. The era of hard-coded SHA256withRSA is drawing to a close. The Secure Future, it turns out, runs on lattices and hashes.