Microsoft Pulls Post-Quantum Deadline Forward to 2029

Azure CTO Mark Russinovich says the 'risk horizon' has moved. Redmond now wants PQC-ready systems four years ahead of the industry's 2033 target.

ThreatVectr Newsdesk· 2 min read
Microsoft Pulls Post-Quantum Deadline Forward to 2029
Share

Microsoft is pulling its post-quantum cryptography deadline forward by roughly four years, citing faster-than-expected progress in quantum computing research.

In a Tuesday post, Azure chief technology officer Mark Russinovich said the company will aim to have quantum-safe algorithms deployed across its products by 2029, ahead of the 2033 timeline set by most national cybersecurity agencies.

"Advances in quantum research and development have shifted the risk horizon," Russinovich wrote. The message: harvest-now-decrypt-later attacks are no longer a theoretical concern for a distant decade.

The threat model is familiar to anyone tracking the space. Adversaries — nation-state operators in particular — are widely believed to be siphoning encrypted traffic today with the expectation that a sufficiently capable quantum computer will crack it later. RSA and elliptic-curve cryptography, the backbone of TLS, VPNs and code signing, are the targets. Symmetric algorithms like AES-256 fare better but still take a haircut.

Microsoft's plan leans on the algorithms NIST finalised last year: ML-KEM for key encapsulation, ML-DSA for digital signatures, and SLH-DSA as a hash-based signature backup. All three are already showing up in the company's cryptographic library, SymCrypt, which underpins Windows and Azure.

Russinovich framed the acceleration as a supply-chain problem more than a math problem. Rolling out new algorithms across hardware security modules, TLS stacks, PKI hierarchies and firmware signing takes years. Waiting until a quantum computer exists is waiting too long.

The 2029 target lines up loosely with recent guidance from Western agencies that have grown more assertive on timelines. The UK's National Cyber Security Centre published a three-phase migration roadmap earlier this year calling for discovery by 2028 and full migration by 2035. The US National Security Agency's CNSA 2.0 suite requires software and firmware signing to be quantum-safe by 2025 for national security systems, with broader deadlines through 2033.

Redmond is now firmly in the earlier camp.

What customers should expect first: PQC options in Azure Key Vault, hybrid key exchange in TLS connections to Microsoft services, and quantum-safe signing in Windows update infrastructure. Hybrid modes — running classical and post-quantum algorithms in parallel — will do most of the heavy lifting during the transition.

The practical question for enterprises is inventory. Most organisations don't know where their cryptography lives. Certificate stores, embedded devices, third-party SaaS integrations and legacy applications all hold keys that will need to be rotated onto new algorithms. Microsoft's shifted deadline puts pressure on vendors down the stack to move on similar timelines.

Russinovich's post did not disclose whether the 2029 target is internal-only or extends to on-premises Windows Server and Active Directory deployments, where cryptographic agility has historically lagged.

© 2026 Threat Vectr