Key insight

Much of the Microsoft PQC story is real today. SymCrypt (the core engine) implements ML-KEM and ML-DSA, and Windows CNG surfaces them. .NET adds MLKem, MLDsa, SlhDsa types — some marked experimental (opt-in diagnostic), meaning the API may shift, not that the maths is weak; on Linux they need OpenSSL 3.5+. Microsoft.Bcl.Cryptography back-ports to older frameworks. AD CS adds ML-DSA certs (Phase 1), then ML-KEM + Composite ML-DSA (Phase 2). Schannel adds hybrid TLS key exchange, usually disabled by default.

In one sentence

On a modern, patched Windows + .NET box you can experiment with standardised PQC today — the “experimental” labels mean pin your versions, not distrust the cryptography.

SymCrypt & Windows CNG

Microsoft’s core cryptographic engine, SymCrypt, implements the NIST PQC algorithms including ML-KEM (key establishment) and ML-DSA (signatures). Windows’s crypto layer, CNG (Cryptography Next Generation), sits on top of SymCrypt — so those algorithms flow up into Windows through the same interfaces developers have used for years.

[Figure: Microsoft crypto stack. SymCrypt engine (ML-KEM, ML-DSA) at the base, Windows CNG above it, then .NET types, AD CS certificates and Schannel TLS all drawing on it.]
One engine underneath; PQC surfaces through familiar interfaces.

.NET cryptography types

Modern .NET adds types that map onto the standards: MLKem, MLDsa, and SlhDsa. Some are marked experimental (in .NET, an opt-in diagnostic such as SYSLIB5006) — you must acknowledge the API may change. That label is about the interface settling, not weak cryptography; the algorithms are standardised.

Under the covers these use the platform provider: on Windows, CNG/SymCrypt; on Linux, a recent OpenSSL 3.5+ that implements the algorithms. For older .NET Framework apps, Microsoft.Bcl.Cryptography bridges some capabilities back.

Practical tip: because APIs marked experimental can change between releases, pin your SDK and package versions and isolate PQC code behind your crypto abstraction layer so an interface change is a one-file edit.
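As an added example (not code from the page or from Microsoft), the pattern the tip describes: ML-KEM key establishment through the .NET MLKem type, with the SYSLIB5006 opt-in acknowledged once and the type hidden behind a small interface so an API shift is a one-file edit. The MLKem member names used here (IsSupported, GenerateKey, ExportEncapsulationKey, ImportEncapsulationKey, Encapsulate, Decapsulate) are assumed from the .NET 10 API and are the part most likely to move.

```csharp
// Added example, not from the page. MLKem member names below are assumed from the .NET 10 API.
#pragma warning disable SYSLIB5006   // opt in: "experimental API may change", not "weak crypto"
using System;
using System.Security.Cryptography;

// Thin abstraction so an interface change in MLKem is a one-file edit for callers.
public interface IKeyEncapsulation
{
    byte[] PublicKey { get; }                              // encapsulation key safe to publish
    (byte[] Ciphertext, byte[] SharedSecret) Encapsulate(byte[] peerPublicKey);
    byte[] Decapsulate(byte[] ciphertext);
}

public sealed class MlKemEncapsulation : IKeyEncapsulation, IDisposable
{
    private readonly MLKem _key;
    public MlKemEncapsulation()
    {
        if (!MLKem.IsSupported)                            // Windows: CNG/SymCrypt; Linux: OpenSSL 3.5+
            throw new PlatformNotSupportedException("ML-KEM is not available on this platform");
        _key = MLKem.GenerateKey(MLKemAlgorithm.MLKem768); // FIPS 203 parameter set
    }
    public byte[] PublicKey => _key.ExportEncapsulationKey();
    public (byte[] Ciphertext, byte[] SharedSecret) Encapsulate(byte[] peerPublicKey)
    {
        // Only the peer's public (encapsulation) key is needed to produce a ciphertext + secret.
        using var peer = MLKem.ImportEncapsulationKey(MLKemAlgorithm.MLKem768, peerPublicKey);
        peer.Encapsulate(out byte[] ciphertext, out byte[] sharedSecret);
        return (ciphertext, sharedSecret);
    }
    public byte[] Decapsulate(byte[] ciphertext) => _key.Decapsulate(ciphertext);
    public void Dispose() => _key.Dispose();
}

public static class Demo
{
    public static void Main()
    {
        using var alice = new MlKemEncapsulation();        // holds the private decapsulation key
        using var bob   = new MlKemEncapsulation();        // needs only Alice's public key
        var (ct, bobSecret) = bob.Encapsulate(alice.PublicKey);
        byte[] aliceSecret  = alice.Decapsulate(ct);
        // Both sides now hold the same 32-byte shared secret; feed it to a KDF, never use it raw.
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(aliceSecret, bobSecret)
            ? "shared secret agreed" : "MISMATCH");
    }
}
```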

AD CS certificates

Active Directory Certificate Services (AD CS), used by many organisations to issue certificates, gains PQC in phases:

Phase    Adds
Phase 1  Issue certificates using ML-DSA signatures
Phase 2  ML-KEM support and Composite ML-DSA (a cert carrying classical + PQC signatures together)

Composite is the hybrid, belt-and-suspenders idea again — trust survives even if one scheme is later weakened.
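The "both must verify" rule behind a composite signature, as an added example that is not from the page: a classical ECDSA signature and an ML-DSA signature over the same bytes, accepted only when both pass, so an attacker has to break both schemes. This is a simplified illustration of the rule, not the IETF composite encoding, and the MLDsa member names (IsSupported, GenerateKey, SignData, VerifyData) are assumed from the .NET 10 API.

```csharp
// Added example, not from the page. Simplified AND rule, not the real composite wire format.
#pragma warning disable SYSLIB5006   // MLDsa carries the experimental diagnostic
using System;
using System.Security.Cryptography;
using System.Text;

public sealed class CompositeSigner : IDisposable
{
    private readonly ECDsa _ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);   // classical half
    private readonly MLDsa _mldsa = MLDsa.GenerateKey(MLDsaAlgorithm.MLDsa65);     // PQC half (FIPS 204)

    // Composite signature: one classical and one PQC signature, each over the same bytes.
    public (byte[] Classical, byte[] PostQuantum) Sign(byte[] data) =>
        (_ecdsa.SignData(data, HashAlgorithmName.SHA256), _mldsa.SignData(data));

    // Verification demands BOTH halves pass: trust survives if either scheme alone is weakened.
    public bool Verify(byte[] data, (byte[] Classical, byte[] PostQuantum) sig) =>
        _ecdsa.VerifyData(data, sig.Classical, HashAlgorithmName.SHA256)
        && _mldsa.VerifyData(data, sig.PostQuantum);

    public void Dispose() { _ecdsa.Dispose(); _mldsa.Dispose(); }
}

public static class Demo
{
    public static void Main()
    {
        if (!MLDsa.IsSupported) { Console.WriteLine("ML-DSA not available on this platform"); return; }
        using var signer = new CompositeSigner();
        // Constructed stand-in for a certificate's to-be-signed bytes.
        byte[] tbs = Encoding.UTF8.GetBytes("constructed TBSCertificate body");
        var sig = signer.Sign(tbs);
        Console.WriteLine($"intact composite verifies: {signer.Verify(tbs, sig)}");

        // Corrupt only the ML-DSA half: the classical half still verifies, the composite must not.
        byte[] tampered = (byte[])sig.PostQuantum.Clone();
        tampered[0] ^= 0x01;
        Console.WriteLine($"one half corrupted verifies: {signer.Verify(tbs, (sig.Classical, tampered))}");
    }
}
```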

Schannel TLS hybrid

Windows’s built-in TLS stack, Schannel, gains post-quantum hybrid key exchange — combining a classical elliptic-curve exchange with ML-KEM. In early releases this is typically disabled by default and enabled deliberately, because servers and middleboxes are still catching up; turn it on where you know both ends cope.

Myth: “Experimental means it’s not safe to use.” The algorithms are NIST-standardised. “Experimental” flags an unsettled software interface. Pin versions and expect API shifts — don’t distrust the maths.

What to try first

SymCrypt
Microsoft’s core cryptographic library, now implementing ML-KEM/ML-DSA.
CNG
Cryptography Next Generation — Windows’s cryptography API layer.
Composite ML-DSA
A certificate carrying both a classical and a PQC signature.
Schannel
Windows’s built-in TLS/SSL implementation.
Experimental API
An interface that may change; in .NET, an opt-in diagnostic (e.g. SYSLIB5006).
NIST (National Institute of Standards and Technology) / PQC (Post-Quantum Cryptography)
The standards body and the quantum-resistant algorithm family SymCrypt implements.
ML-KEM / ML-DSA
The lattice-based standards SymCrypt exposes: ML-KEM (Module-Lattice Key-Encapsulation Mechanism) for key exchange and ML-DSA (Module-Lattice Digital Signature Algorithm) for signatures.
AD CS (Active Directory Certificate Services)
Microsoft’s certificate-issuing service, gaining ML-DSA then ML-KEM and Composite ML-DSA support.
TLS (Transport Layer Security) / ECDSA (Elliptic-Curve Digital Signature Algorithm)
The protocol Schannel secures, and the classical signature scheme whose key and signature sizes ML-DSA dwarfs.

What to carry forward


Understand it in your own words

Paste into any AI assistant to check yourself:

I'm learning how PQC shows up on the Microsoft platform. Quiz me one question
at a time, correcting me gently:

1. What is SymCrypt, and how do its PQC algorithms reach Windows apps?
2. Name the three new .NET PQC types and what each is for.
3. What does "experimental" mean for these .NET APIs — is the maths unsafe?
4. What does each AD CS phase add, and what is Composite ML-DSA?
5. Why is Schannel's hybrid key exchange usually disabled by default?
