Key insight
Much of the Microsoft PQC story is real today. SymCrypt (the core engine) implements ML-KEM and ML-DSA, and Windows CNG surfaces them. .NET adds MLKem, MLDsa, SlhDsa types — some marked experimental (opt-in diagnostic), meaning the API may shift, not that the maths is weak; on Linux they need OpenSSL 3.5+. Microsoft.Bcl.Cryptography back-ports to older frameworks. AD CS adds ML-DSA certs (Phase 1), then ML-KEM + Composite ML-DSA (Phase 2). Schannel adds hybrid TLS key exchange, usually disabled by default.
On a modern, patched Windows + .NET box you can experiment with standardised PQC today — the “experimental” labels mean pin your versions, not distrust the cryptography.
SymCrypt & Windows CNG
Microsoft’s core cryptographic engine, SymCrypt, implements the NIST PQC algorithms including ML-KEM (key establishment) and ML-DSA (signatures). Windows’s crypto layer, CNG (Cryptography Next Generation), sits on top of SymCrypt — so those algorithms flow up into Windows through the same interfaces developers have used for years.
.NET cryptography types
Modern .NET adds types that map onto the standards: MLKem, MLDsa, and SlhDsa. Some are marked experimental (in .NET, an opt-in diagnostic such as SYSLIB5006) — you must acknowledge the API may change. That label is about the interface settling, not weak cryptography; the algorithms are standardised.
Under the covers these use the platform provider: on Windows, CNG/SymCrypt; on Linux, a recent OpenSSL 3.5+ that implements the algorithms. For older .NET Framework apps, Microsoft.Bcl.Cryptography bridges some capabilities back.
AD CS certificates
Active Directory Certificate Services (AD CS), used by many organisations to issue certificates, gains PQC in phases:
| Phase | Adds |
|---|---|
| Phase 1 | Issue certificates using ML-DSA signatures |
| Phase 2 | ML-KEM support and Composite ML-DSA (a cert carrying classical + PQC signatures together) |
Composite is the hybrid, belt-and-suspenders idea again — trust survives even if one scheme is later weakened.
Schannel TLS hybrid
Windows’s built-in TLS stack, Schannel, gains post-quantum hybrid key exchange — combining a classical elliptic-curve exchange with ML-KEM. In early releases this is typically disabled by default and enabled deliberately, because servers and middleboxes are still catching up; turn it on where you know both ends cope.
What to try first
- In a test environment, generate an ML-KEM key pair and do a round-trip encapsulate/decapsulate with the .NET types.
- Sign and verify with MLDsa; note the larger signature sizes versus ECDSA.
- On Linux, confirm OpenSSL 3.5+ is present before expecting the types to work.
- Enable Schannel hybrid key exchange between two hosts you control and watch the handshake.
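The first two steps above as one console program, an added example that is not from the original page or from Microsoft's samples. It assumes a .NET 10 SDK project using top-level statements; the sample message is constructed, and the parameter sets (ML-KEM-768, ML-DSA-65) and the P-256 comparison curve are choices made here.

```csharp
// Added example: ML-KEM round trip and ML-DSA sign/verify with the .NET types.
#pragma warning disable SYSLIB5006 // acknowledge experimental PQC members if your version flags any
using System;
using System.Security.Cryptography;
using System.Text;

// Check the platform provider first (CNG/SymCrypt on Windows, OpenSSL on Linux).
// false means the installed provider does not offer the algorithm.
if (!MLKem.IsSupported || !MLDsa.IsSupported)
{
    Console.Error.WriteLine("ML-KEM/ML-DSA not available from the platform crypto provider.");
    return 1;
}

// --- ML-KEM: recipient publishes an encapsulation key, sender encapsulates to it ---
using MLKem recipient = MLKem.GenerateKey(MLKemAlgorithm.MLKem768);
byte[] encapsulationKey = recipient.ExportEncapsulationKey(); // public half, safe to send

using MLKem sender = MLKem.ImportEncapsulationKey(MLKemAlgorithm.MLKem768, encapsulationKey);
sender.Encapsulate(out byte[] ciphertext, out byte[] senderSecret);
byte[] recipientSecret = recipient.Decapsulate(ciphertext);

// Compare secrets in constant time, as you would in production code.
bool kemOk = CryptographicOperations.FixedTimeEquals(senderSecret, recipientSecret);
Console.WriteLine($"ML-KEM-768: key={encapsulationKey.Length} B, ciphertext={ciphertext.Length} B, " +
                  $"secret={senderSecret.Length} B, match={kemOk}");

// --- ML-DSA: sign, verify, and confirm a modified message is rejected ---
byte[] message = Encoding.UTF8.GetBytes("constructed sample message");
using MLDsa signer = MLDsa.GenerateKey(MLDsaAlgorithm.MLDsa65);
byte[] pqSignature = signer.SignData(message);
bool sigOk = signer.VerifyData(message, pqSignature);

byte[] tampered = (byte[])message.Clone();
tampered[0] ^= 0x01; // flip one bit
bool tamperRejected = !signer.VerifyData(tampered, pqSignature);

// Classical baseline for the size comparison.
using ECDsa ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
byte[] ecSignature = ecdsa.SignData(message, HashAlgorithmName.SHA256);

Console.WriteLine($"ML-DSA-65 signature={pqSignature.Length} B, ECDSA P-256 signature={ecSignature.Length} B, " +
                  $"verify={sigOk}, tamperRejected={tamperRejected}");
return kemOk && sigOk && tamperRejected ? 0 : 1;
```

If the support check fails on Linux, compare the installed OpenSSL version against the 3.5+ requirement before debugging anything else.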
- SymCrypt: Microsoft’s core cryptographic library, now implementing ML-KEM/ML-DSA.
- CNG: Cryptography Next Generation — Windows’s cryptography API layer.
- Composite ML-DSA: A certificate carrying both a classical and a PQC signature.
- Schannel: Windows’s built-in TLS/SSL implementation.
- Experimental API: An interface that may change; in .NET, an opt-in diagnostic (e.g. SYSLIB5006).
- NIST (National Institute of Standards and Technology) / PQC (Post-Quantum Cryptography): The standards body and the quantum-resistant algorithm family SymCrypt implements.
- ML-KEM / ML-DSA: The lattice-based standards SymCrypt exposes: ML-KEM (Module-Lattice Key-Encapsulation Mechanism) for key exchange and ML-DSA (Module-Lattice Digital Signature Algorithm) for signatures.
- AD CS (Active Directory Certificate Services): Microsoft’s certificate-issuing service, gaining ML-DSA then ML-KEM and Composite ML-DSA support.
- TLS (Transport Layer Security) / ECDSA (Elliptic-Curve Digital Signature Algorithm): The protocol Schannel secures, and the classical signature scheme whose sizes ML-DSA dwarfs.
What to carry forward
- SymCrypt + CNG put PQC into Windows through familiar interfaces.
- .NET ships MLKem/MLDsa/SlhDsa — some experimental (pin versions); Linux needs OpenSSL 3.5+; Microsoft.Bcl.Cryptography back-ports.
- AD CS: ML-DSA certs first, then ML-KEM + Composite ML-DSA.
- Schannel hybrid TLS is real but usually off by default.
- “Experimental” = unsettled interface, not weak cryptography.
Understand it in your own words
Paste into any AI assistant to check yourself:
I'm learning how PQC shows up on the Microsoft platform. Quiz me one question
at a time, correcting me gently:
1. What is SymCrypt, and how do its PQC algorithms reach Windows apps?
2. Name the three new .NET PQC types and what each is for.
3. What does "experimental" mean for these .NET APIs — is the maths unsafe?
4. What does each AD CS phase add, and what is Composite ML-DSA?
5. Why is Schannel's hybrid key exchange usually disabled by default?