Quantum-Safe Security: Microsoft Targets 2029
Summary
Microsoft is accelerating its quantum-safe security roadmap and now aims to transition critical products and services to post-quantum cryptography by 2029. The update matters because IT teams need to start cryptographic inventory, crypto-agility planning, and TLS 1.3 modernization sooner as the risk timeline for quantum attacks moves closer.
Introduction
Microsoft has moved up its quantum-safe security timeline, signaling that post-quantum cryptography (PQC) is no longer a distant planning exercise. For IT and security leaders, this is an important shift: preparation now needs to start as a multi-year modernization effort, not as a future compliance project.
Microsoft says it is accelerating the Quantum Safe Program (QSP) with a goal of transitioning critical products and services to PQC by 2029. The company is also adding PQC requirements into its Secure Future Initiative, giving the work clearer ownership, milestones, and engineering accountability.
What’s new
Microsoft is bringing the timeline forward
- Microsoft now believes cryptographically relevant quantum computers may arrive sooner than previously expected.
- The company is targeting 2029 for critical product and service transition to PQC.
- This aligns with growing government pressure to adopt quantum-safe cryptography earlier, especially for high-risk systems.
Three priority areas
- Network cryptography: Microsoft highlights TLS 1.3 as the baseline for future hybrid and post-quantum key exchange.
- Crypto-agility for data at rest: Organizations should make cryptographic settings configurable, standardize key management, and remove hard-coded algorithms.
- Trust chain modernization: Code signing, certificate issuance, key protection, and update pipelines need to be updated for future PQC adoption.
Inventory-first approach
Microsoft emphasizes that the biggest challenge is not choosing algorithms. It is discovering where cryptography already exists across apps, identities, certificates, hardware, and legacy infrastructure.
Why this matters for IT administrators
For most organizations, the immediate impact is operational. Security and infrastructure teams need visibility into cryptographic dependencies before they can plan a safe migration path.
This also reinforces several near-term priorities:
- Reduce legacy protocol use where possible
- Standardize on TLS 1.3 across client and server systems
- Review certificate and signing processes
- Identify long-lived sensitive data at risk from “harvest now, decrypt later” attacks
Even before PQC standards are fully implemented everywhere, this work can uncover existing security gaps and improve lifecycle management today.
Recommended next steps
- Assign ownership: Define who leads the post-quantum transition across security, identity, app, and infrastructure teams.
- Build a cryptographic inventory: Track where algorithms, certificates, keys, and protocols are used.
- Design for crypto-agility: Ensure new systems can swap cryptographic methods without major redesign.
- Modernize protocols now: Make TLS 1.3 the default baseline where supported.
- Prioritize high-value data: Focus first on sensitive data that must remain confidential for many years.
Microsoft is expected to share more technical guidance as this work progresses. For administrators, the message is clear: start discovery and modernization now to avoid a rushed and costly transition later.
Need help with Security?
Our experts can help you implement and optimize your Microsoft solutions.
Talk to an ExpertStay updated on Microsoft technologies