Microsoft's post-quantum cryptography deployment is the most significant for enterprises running Microsoft-centric infrastructure, which remains the majority of Fortune 500 organizations. The cryptographic foundation is SymCrypt, Microsoft's open-source cross-platform cryptography library written in C, and the Windows Cryptography Next Generation (CNG) API layer that exposes PQC primitives to applications through a stable, documented interface. As of early 2026, SymCrypt and CNG provide generally available support for ML-KEM (all three parameter sets: 512, 768, 1024 per FIPS 203), ML-DSA (all parameter sets per FIPS 204), and SLH-DSA (selected parameter sets per FIPS 205) across Windows 11, Windows Server 2022 and later, and Azure's TLS infrastructure. This is not a preview or beta: it is production-grade, shipping in the OS.

The most consequential development for enterprise PKI teams arrived in May 2026: Active Directory Certificate Services gained support for ML-DSA certificate issuance and enrollment. This means enterprise Certificate Authorities built on Windows Server can issue ML-DSA digital certificates to domain-joined devices, service accounts, and users through the existing ADCS infrastructure, without replacing the CA software or migrating away from Active Directory. For organizations that have spent years building out ADCS-based PKI, this is the migration path that requires the least architectural disruption.

Microsoft 365 services, Azure Key Vault, and Azure TLS termination all negotiate hybrid PQC with compatible clients. The Azure SDK across .NET, Java, Python, JavaScript, and Go has been updated to negotiate ML-KEM hybrid TLS, meaning applications built on Azure SDKs inherit PQC protection with a dependency version bump. Microsoft has also published a detailed PQC readiness guide for hybrid Azure AD and on-premises deployments, addressing the complex certificate chain scenarios that enterprise architects typically encounter during migrations.