In response to mandates by the U.S. and French governments regarding Post-Quantum Cryptography (PQC) migration, and also because progress in quantum computing is accelerating, Microsoft has moved its PQC migration deadline to 2029.
Microsoft began speaking about PQC in 2023, and formalized its migration strategy in the Microsoft Quantum Safe Program (QSP), details of which were published on its blog last year. At the time, the company had targeted 2033 as the deadline for quantum-safe migration.
The announcement yesterday sees Microsoft accelerating its timeline by 4 years. The company said it plans to transition critical products and services to PQC by 2029, and is also incorporating PQC requirements into the Secure Future Initiative (SFI). Microsoft has listed its priorities as being in 3 main areas:
1. Upgrade network cryptography (data in transit)
This consists of modernizing network cryptography, for example, adopting TLS 1.3 to a baseline that enables hybrid and post-quantum key exchange as standards mature. Therefore, critical endpoints will negotiate TLS 1.3 by default, with legacy protocol use reduced or eliminated wherever possible.
2. Build crypto-agility for stored data (data at rest)
Microsoft will focus on crypto-agility by making cryptographic settings configurable outside of the application, standardizing key management and rotation, and eliminating hard-coded algorithms.
3. Modernize cryptographic trust chains (identity, signing, certificates)
According to Microsoft, the most complex work will take place in securing the chains of trust that underpin software, devices, and services at scale. That includes code signing, certificate issuance, key protection, and update pipelines. Practically, this will mean hardware-backed key protection, updated certificate lifetimes and policies, and auditable signing and issuance processes for critical trust anchors, with a transition to PQC algorithms as they become available.


