Microsoft announces Windows 11 post-quantum cryptography capabilities: TLS in preview, ADCS issues ML-DSA certificates
- Authors: aimode.news (@aimode_news)
IT House, June 3: Microsoft has announced a new round of post-quantum cryptography (PQC) capabilities for Windows 11 and Windows Server 2025 to help organizations reduce the risk of "harvest now, decrypt later" (HNDL) attacks.
This update extends quantum safety from the algorithm and API level to protocols and platform components: PQ TLS hybrid key exchange in the Windows TLS stack, support for composite PQC algorithms in the Windows cryptographic APIs, and post-quantum certificates issued through Active Directory Certificate Services (ADCS).
Of these, ML-DSA certificate issuance in ADCS became officially available in May 2026, while TLS hybrid key exchange and the composite algorithms are currently in preview and are expected to become broadly available in the coming months.
PQ TLS hybrid key exchange gives data in transit direct quantum-safe protection. Microsoft has introduced three combinations in the Windows TLS stack, each pairing a classical algorithm with the NIST-standardized post-quantum algorithm ML-KEM: X25519MLKEM768, SecP256r1MLKEM768 and SecP384r1MLKEM1024. IT administrators can enable these options through a variety of tools, including Group Policy, mobile device management (MDM, e.g., Intune) or the TLS PowerShell cmdlets.
This feature is available in the Windows Insider preview channel so that organizations can assess deployment in real Windows environments in preparation for a quantum-safe migration strategy.
On the cryptographic API side, Windows Cryptography API: Next Generation (CNG) and the certificate functions are adding support for composite ML-KEM and composite ML-DSA, following the corresponding IETF drafts: the traditional ECDSA digital signature algorithm is combined with ML-DSA, and the traditional ECDHE key exchange algorithm with ML-KEM. A composite algorithm requires an attacker to break all of its components before protected data is threatened, and the built-in combination approach reduces the risk of incorrect integration.
These capabilities are also available through the Windows Insider preview and will be officially released for Windows 11 and Windows Server 2025 in the coming months, enabling developers and security architects to design and validate prototypes against practical certificate and signing models.
In addition, post-quantum certificate issuance in ADCS is officially available in Windows Server 2025. ADCS supports three parameter sets, ML-DSA-44, ML-DSA-65 and ML-DSA-87, which can be used for scenarios such as code signing and TLS certificates. Because an existing certification authority (CA) cannot be upgraded directly, a new parallel CA hierarchy needs to be deployed to test and validate the post-quantum certificate issuance and trust validation process.
Microsoft also plans to add ML-KEM and composite algorithm support later this year, extending quantum safety from signing scenarios to the broader area of certificate interoperability.
IT House learned from the official announcement that this progress builds on Microsoft's previous work. Last November, the PQC algorithms became fully available on Windows 11 and Windows Server 2025; this update brings quantum-safe capabilities further into the protocols and certificates in actual use.
Microsoft notes that for many organizations these features provide a clear starting point for adopting quantum-safe cryptography. Security teams can begin to inventory their use of public-key cryptography, prioritize systems that hold long-lived confidential data, such as document repositories, mail archives, databases and backup storage, and test assets that rely on TLS and certificate trust; developers can test the new algorithm support in controlled environments; and IT administrators can prepare in advance for operational changes such as certificate policy, device policy and cipher suite management.
According to Microsoft, the future roadmap will also cover IPsec, Wi-Fi network protection, TLS and Kerberos authentication, passwordless experiences such as Windows Hello and passkeys, and platform protection such as BitLocker and software and firmware signing. Some of these will land this year, with further progress planned for 2027.