Skip to main content
CybersecurityVulnerability Management

Microsoft Accelerates Post-Quantum Cryptography Push by 2029

Researcher works on cryptography prototype in bright laboratory setting.

"This is a recognition that the transition to quantum-safe cryptography is a multi-year engineering effort that benefits from early planning and action, and delaying that work increases both cost and risk," CTO Mark Russinovich wrote in a June 30 blog post explaining why Microsoft is accelerating its timetable for post-quantum cryptography.

Why Microsoft moved its deadline to 2029

Microsoft says advances in quantum research and development have altered the company's "risk horizon" and prompted an earlier migration to post-quantum cryptography (PQC). In the blog post, Russinovich said "cryptographically relevant quantum computers (CRQCs) capable of cracking asymmetric encryption could appear sooner than anticipated," and that Microsoft will move "critical products and services" to PQC by 2029. He also noted recent government guidance — including from the United States and France — urging adoption of quantum-safe cryptography "as early as 2030 in certain high-risk systems," which Microsoft interprets as confirmation that a broader transition is already underway.

Microsoft's three technical pillars for the transition

Microsoft outlines the migration on three engineering fronts:

  • Upgrade network cryptography to TLS 1.3, which the company says supports hybrid and post-quantum key exchange for secure data in transit.
  • Build crypto-agility for data at rest so algorithms can be updated with minimal service disruption or application changes — by making cryptographic settings configurable outside applications, standardizing key management and rotation, and eliminating hard-coded algorithms.
  • Modernize the crypto trust chains that underpin software, devices, and services, including hardware-backed key protection, updated certificate lifetimes and policies, and auditable signing and issuance processes for critical trust anchors. Microsoft said it will transition to PQC algorithms when they are available.

How the Secure Future Initiative and Quantum Safe Program fit together

Microsoft is accelerating the Microsoft Quantum Safe Program (QSP) timeline and folding PQC work into its Secure Future Initiative (SFI). Russinovich said SFI will help customers transition to quantum-safe systems sooner. The company framed the move not only as forward planning for quantum threats but as an opportunity to improve current cryptographic hygiene and system resilience.

The risk drivers: CRQCs and "harvest now, decrypt later"

Russinovich warned that long-lived, sensitive data is a focus for customers because it may already be vulnerable to "harvest now, decrypt later (HNDL) attacks." The combination of accelerating quantum R&D and data that must remain confidential for many years forms the core of Microsoft's urgency: CRQCs could render today's asymmetric encryption vulnerable, and data captured today could be decrypted in the future once quantum capability becomes available.

Practical steps Microsoft recommends organizations take today

Russinovich emphasized discovery and prioritization, noting that "most organizations lack clear visibility into where cryptography exists across applications, infrastructure, and legacy systems," which makes discovery and lifecycle management the primary challenge. He suggested concrete starting points:

  • Define ownership, scope, and milestones for a multi-year cryptography transition.
  • Build crypto-agility into new systems to streamline adoption of future standards.
  • Create and maintain a living cryptographic inventory to identify, prioritize, and modernize dependencies.
  • Adopt modern standards such as TLS 1.3 as a baseline across client and server systems.

What this means for technologists, procurement leaders, and end users

Technologists and security teams: Expect to prioritize cryptographic discovery, inventory work, and building or retrofitting crypto-agility so algorithms and key management can be updated with minimal disruption, per Microsoft’s guidance.

Procurement leaders and enterprise architects: Microsoft’s stated 2029 target for "critical products and services" and the cited government guidance pointing to 2030 for certain high-risk systems signal a compressing procurement timeline for quantum-safe capabilities and contractual expectations around certificate and key management.

End users and the general public: The immediate effects are indirect — Microsoft frames early work as reducing current operational risk by finding and fixing cryptographic gaps today, while also preparing to protect long-lived data against potential future decryption.

Microsoft's announcement reframes the migration to PQC from a distant eventuality to a multi-year engineering program that begins with inventory, policy, and architecture work now. The company has tied its internal timelines to what it describes as a shifting external risk picture and urges organizations to treat the transition as an urgent, planned engineering effort rather than a someday upgrade.

Original story