Blog | January 30, 2025 | Tags: ADCS, Microsoft, Microsoft ADCS, PKI

Don’t Believe the FUD – Microsoft PKI is Your Key to Crypto Agility

by Mark B. Cooper

It’s that time again—the point in the tech cycle where vendors exploit uncertainty to spread Fear, Uncertainty, and Doubt (FUD) in cybersecurity. What’s the latest FUD in PKI? The same old misinformation: that Microsoft Active Directory Certificate Services (ADCS) is going away.

If you’ve encountered a PKI vendor claiming, “Microsoft is discontinuing ADCS, so you should buy our product,” rest assured that this is not true.


The False Narrative of ADCS Discontinuation

Why do vendors push this misleading message? Simple: it’s an easy way to create panic and sell products. Instead of demonstrating real value, they resort to doomsday scenarios—convincing organizations that their existing PKI is on the brink of obsolescence. The reality? Microsoft ADCS is in maintenance mode, not being discontinued, and continues to be the backbone of most enterprise identity and access management systems.


The Hidden Agenda Behind Managed PKI Solutions

The rise of managed PKI, PKI-as-a-Service, and other rebranded models is not about offering something new. It’s about repackaging what organizations already have at a much higher cost and with significantly less control. Companies that migrate to managed PKI often find themselves locked into proprietary ecosystems, unable to issue or manage certificates freely without vendor involvement. Worse, the per-certificate pricing model can cause operational costs to spiral out of control over time.


Post-Quantum Cryptography: The Next FUD Wave

The latest iteration of PKI-related FUD is tied to Post-Quantum Cryptography (PQC). Vendors now claim, “Microsoft will retire ADCS because of PQC.” Yet, Microsoft’s own statements contradict this claim:

"Over the coming months, Cryptography API: Next Generation (CNG) on Windows and the SymCrypt provider for OpenSSL (SCOSSL) on Linux will add support for PQC algorithms, giving our customers the ability to experiment with PQC in their own environments and applications."
(Source: Microsoft Tech Community Post)

Translation? Microsoft is actively preparing ADCS for PQC. Organizations leveraging ADCS will soon have native support for PQC algorithms—without needing to migrate to an external provider.


The Reality of Hybrid PKI and Crypto Agility

A well-managed ADCS environment will offer complete control over crypto agility, allowing organizations to implement hybrid PKI models that mix RSA, ECC, and PQC as needed. Can managed PKI providers give you the same flexibility? Probably not. Want an RSA root with ML-DSA issuing? Or a PQC root with RSA issuing? With a managed PKI, you’ll likely be constrained by vendor limitations.

Additionally, managed PKI solutions rarely accommodate the complex certificate needs of enterprises. Will they provide the subordinate CA certificates you need for modern appliances? Can they handle TLS inspection, VMware, Citrix, or IoT deployments? These are the critical questions vendors don’t want you to ask, because their solutions often fall short.


The Hidden Costs of Vendor Lock-In

Once an organization migrates to a managed PKI, the cost of switching back can be overwhelming. Your keys and identities are locked into their ecosystem, making future migrations difficult and expensive. If you manufacture IoT devices, your business is effectively under their control. Their per-certificate pricing structure means your costs will escalate year after year.

This isn’t FUD—it’s transparency. Managed PKI solutions have a place but are not a one-size-fits-all solution. An external service might make sense if your organization has minimal certificate needs and lacks internal PKI expertise. But if you already have an established PKI, you are better off maintaining control over your infrastructure.


The ADCS “End-of-Life” Myth: A 20-Year Boogeyman

For two decades, vendors have been predicting the end of Microsoft ADCS, yet it remains the backbone of enterprise PKI. Why? Because it works. Organizations running ADCS maintain complete control over their identities, encryption, and certificate issuance—without the unnecessary overhead and restrictions managed PKI solutions impose. There are more Microsoft ADCS-based PKIs in use today than ever, and the number is only increasing.


Make Informed Decisions, Not Fear-Based Ones

If a vendor approaches you with the “Microsoft is discontinuing ADCS” pitch, push back. Ask them for concrete evidence. Challenge them on how they will provide the same level of flexibility and control that ADCS offers today. And if you want the real story, reach out to us.

PKI remains one of the most critical yet least understood aspects of cybersecurity. But with a properly configured and managed Microsoft PKI, your organization already has the tools to meet today’s security demands and adapt to the post-quantum future. No migration is needed. No unnecessary costs. Just the technology you already own—future-proofed and ready to evolve.

Unfortunately, other PKI vendors can’t clearly position and sell products based on values and solutions without FUD. I’m not mad at them for the lack of creativity, but I am disappointed.

Mark B. Cooper

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.

