All posts by Richard M. Hicks

Microsoft AD CS Adds Post-Quantum Cryptography Support with ML-DSA

Despite predictions of its decline, Microsoft Active Directory Certificate Services (AD CS) continues to evolve. Following significant enhancements introduced in late 2025, including CRL partitioning and support for 16K database pages, the May 2026 update adds another important capability: support for Post-Quantum Cryptography (PQC).

ML-DSA

Specifically, the May 2026 update adds support for ML-DSA-44, ML-DSA-65, and ML-DSA-87 in Windows Server 2025 for AD CS. This enables administrators to begin evaluating post-quantum cryptographic algorithms and assessing PQC readiness in enterprise PKI environments

Configuration

After applying the May 2026 update to an issuing Certification Authority (CA), administrators will find new PQC algorithms under the Algorithm name drop-down list, as shown here.

Note: If you don’t see these new algorithms, ensure you have selected Key Storage Provider from the Provider Category drop-down list. In addition, ensure that you select Signature on the Request Handling tab.

Test Results

Initial testing across common enterprise certificate scenarios produced mixed results. While PQC works well in some scenarios, other workloads still show limitations.

Code Signing

Code signing with an ML-DSA-44 certificate issued by AD CS works perfectly. For example, I can use Set-AuthenticodeSignature to sign a PowerShell script, as shown here.

Viewing the file’s properties shows that the encryption algorithm used to sign the file was ML-DSA-44, as expected.

IIS

TLS-based workloads proved more challenging. Attempts to configure an HTTPS binding in IIS failed with the following error message.

There was an error while performing this operation. A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520).

RRAS and SSTP

Similar limitations occurred when testing remote-access VPN scenarios using RRAS and SSTP. Specifically, configuring a PQC TLS certificate for SSTP in RRAS failed. Although I was able to assign the certificate using Set-RemoteAccess, the RemoteAccess service failed to start.

Remote Desktop

Unfortunately, using PQC certificates for RDP also fails. Although I could assign the PQC certificate to the RDP listener, clients fail to connect using RDP and return the following error message.

This computer can’t connect to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.

Error code: 0x904
Extended error code: 0x7

Summary

The May 2026 update marks an important milestone for AD CS by introducing initial support for PQC algorithms, allowing organizations to begin evaluating ML-DSA certificates in enterprise environments. Early testing shows promising results for signing scenarios such as code signing; however, broader infrastructure workloads, including TLS, VPN, and Remote Desktop, remain limited today. Although PQC support is still in its early stages, these updates demonstrate Microsoft’s ongoing investment in AD CS and provide administrators with an opportunity to begin preparing their PKI environments for the post-quantum future. Additional PQC enhancements, including ML-KEM support and broader ecosystem integration, are anticipated in future Windows updates.

Additional Information

Microsoft May 2026 Security Updates (KB5087539)

Post Quantum Cryptography in the Enterprise

Leave a comment
by Richard M. Hicks on May 18, 2026  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, administration, Always On VPN, AOVPN, authentication, CBA, Certificate Authentication, Certificate Authority, Certificate Services, Certificate-Based Authentication, certificates, Cryptography, Elliptic Curve Cryptography, Encryption, Enterprise, Infrastructure, Microsoft, ML-DSA, ML-KEM, Operational Support, Patch Tuesday, PKI, Post-Quantum Cryptography, PowerShell, PowerShell 7, PQC, public key infrastructure, Quantum Computing, Quantum Cryptography, Remote Access, Remote Desktop Protocol, routing and remote access service, RRAS, Security, Security Update, Signature, Signing, SSL, SSL and TLS, systems management, TLS, TLS 1.3, Transport Layer Security, Uncategorized, Update, VPN, Windows 11, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on May 18, 2026

https://directaccess.richardhicks.com/2026/05/18/microsoft-ad-cs-adds-post-quantum-cryptography-support-with-ml-dsa/

Techmentor Event Microsoft HQ 2026

I’m pleased to announce I’ll be attending the Techmentor Event at Microsoft Headquarters in Redmond, WA, August 3-7, 2026. Register now and save $500.00 with the discount code HICKS.

Sessions

I’ll be delivering three sessions at this year’s event.

Join Me

The event is shaping up to be one of the best, with industry experts from around the world presenting on many important topics. Be sure to join me! Don’t miss out on this fantastic opportunity to learn from the best in the industry. Register today. Hope to see you there!

Leave a comment
by Richard M. Hicks on May 9, 2026  •  Permalink
Posted in Always On VPN, AOVPN, Certificate Authentication, Certificate Services, Certificate-Based Authentication, certificates, Conference, education, Entra Certificate-Based Authentication, Entra Global Secure Access, Event, Global Secure Access, learning, Microsoft, Microsoft Entra, Microsoft Entra Global Secure Access, Microsoft Entra ID, Microsoft Entra Private Access, SSL and TLS, TLS, VPN, Windows 10, Windows 11, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on May 9, 2026

https://directaccess.richardhicks.com/2026/05/09/techmentor-event-microsoft-hq-2026/

What’s New in Always On VPN DPC v5.4.0

A new edition of the popular Always On VPN Dynamic Profile Configurator (DPC) is now available. Version 5.4.0, released on May 5, 2026, includes some new features, reliability improvements, and additional miscellaneous fixes.

What’s New in DPC v5.4.0

The following new features and improvements are included in the latest release of DPC.

Signed Binaries

Beginning with release v5.4.0, all binaries, including the installer, are digitally signed. This streamlines the installation process and allows DPC to better integrate with application controls.

EAP-TLS

By popular demand, EAP-TLS support has been added as an authentication option in DPC. Historically, DPC strictly adhered to security best practices and only allowed Protected EAP (PEAP). However, many administrators required EAP-TLS to better integrate with non-Microsoft VPN services.

Additional Enhancements

Other changes include better profile change comparison and a new logo. In addition, the DPC ADMX files are now publicly accessible on ADMScope.

Summary

Administrators running earlier versions of DPC are encouraged to upgrade to v5.4.0 as soon as possible.

Additional Information

Always On VPN DPC v5.4.0 on GitHub

Leave a comment
by Richard M. Hicks on May 8, 2026  •  Permalink
Posted in Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, Deployment, Device Management, DPC, DPC Support, enterprise mobility, Microsoft, Mobility, systems management, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , ,

Posted by Richard M. Hicks on May 8, 2026

https://directaccess.richardhicks.com/2026/05/08/whats-new-in-always-on-vpn-dpc-v5-4-0/

« Older Posts