Microsoft Entra Passkeys Coming to Windows Devices Starting Late April 2026

April 25, 2026 08:00 · 5 min read
Passwordless Authentication Expands to Windows via Entra Passkeys

Microsoft is set to begin deploying passkey support for Microsoft Entra-protected resources on Windows devices starting in late April 2026. The rollout will bring phishing-resistant, passwordless authentication to a broader range of device types, including unmanaged machines that are not Microsoft Entra-joined or registered. General availability is expected to be reached by mid-June 2026.

According to the company, Entra passkeys on Windows will accommodate corporate, personal, and shared device scenarios, giving administrators control through Conditional Access and Authentication Methods policies.

How the Feature Works

In a message center update, Microsoft explained the mechanics of the new capability:

"Users can create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN). This expands passwordless authentication support to Windows devices that aren't Microsoft Entra-joined or registered, helping organizations strengthen security and reduce reliance on passwords across corporate-managed, personal, and shared device scenarios."

The feature becomes available to organizations that have enabled 'Microsoft Entra ID with passkeys' in the 'Authentication Methods policy'. To qualify, users must be signing in on Windows devices that are not Entra-joined or registered, and applicable Conditional Access policies must permit it.

The system enables the creation of FIDO2 passkeys stored in a secure local credential container. These passkeys can only be used to authenticate to Microsoft Entra ID via Windows Hello (facial recognition, fingerprint, or PIN). This distinguishes the feature from Windows Hello for Business, which additionally supports device sign-ins.

Entra Passkey on Windows vs. Windows Hello for Business

The two solutions differ across several dimensions:

Why Passkeys Are More Secure

A key security advantage of this approach is that passkeys are cryptographically bound to each device and are never transmitted over the network. This means that even if attackers conduct phishing campaigns or deploy malware, they cannot steal the passkeys or use them to bypass multifactor authentication.
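To make the phishing-resistance claim concrete, the following added example (not Microsoft's code and not from the original article) simulates a simplified FIDO2/WebAuthn sign-in in Node.js: the private key stays inside the authenticator object, and the relying party rejects an assertion produced on a look-alike origin or for a stale challenge. The RP ID, origins, and function names are constructed for illustration, and attestation, CBOR encoding, and counter checks are omitted.

```javascript
// Added illustration: simplified WebAuthn-style assertion flow (assumed names, constructed values).
const crypto = require('node:crypto');
const RP_ID = 'login.example.com';           // constructed relying-party ID
const ORIGIN = 'https://login.example.com';  // constructed legitimate origin
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Authenticator side: the private key is created here and is never exported.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // only the public half is registered with the relying party
    // The client platform, not the web page, records the origin it is really on.
    // (A real client would not even offer the credential on another origin.)
    assert(challenge, actualOrigin) {
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: actualOrigin,
      }));
      const rpIdHash = sha256(new URL(actualOrigin).hostname);
      const authData = Buffer.concat([rpIdHash, Buffer.from([0x05]), Buffer.alloc(4)]); // flags UP|UV, counter 0
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
    },
  };
}

// Relying-party side: check the signature, then challenge, origin, RP ID hash and UV flag.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, publicKey, a.signature)) return 'bad-signature';
  const cd = JSON.parse(a.clientDataJSON.toString());
  if (cd.type !== 'webauthn.get') return 'bad-type';
  if (cd.challenge !== expectedChallenge.toString('base64url')) return 'bad-challenge';
  if (cd.origin !== ORIGIN) return 'bad-origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad-rp-id';
  if ((a.authData[32] & 0x04) === 0) return 'user-not-verified';
  return 'ok';
}

// Three sign-in attempts: genuine, relayed from a look-alike origin, and a replay.
function demo() {
  const auth = makeAuthenticator();
  const challenge = crypto.randomBytes(32);
  return {
    genuine: verifyAssertion(auth.publicKey, challenge, auth.assert(challenge, ORIGIN)),
    phished: verifyAssertion(auth.publicKey, challenge, auth.assert(challenge, 'https://login.example.com.phish.test')),
    replayed: verifyAssertion(auth.publicKey, crypto.randomBytes(32), auth.assert(challenge, ORIGIN)),
  };
}
console.log(demo());
```

Nothing in the exchange is a reusable secret: the server holds only a public key, and each signature is valid for one challenge and one origin.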

Microsoft has not formally explained why this specific feature was introduced at this time, but the Entra passkeys on Windows capability addresses a notable security gap: personal and shared devices previously had to rely on password-based Microsoft Entra ID authentication, leaving them more exposed.

Broader Context: Entra SSO Attacks and Microsoft's Security Push

The timing of this rollout is significant. In recent months, threat actors have aggressively targeted Microsoft Entra single sign-on (SSO) accounts through stolen credentials, fueling a wave of SaaS data-theft attacks. Eliminating passwords from the authentication chain removes a critical attack vector exploited in these campaigns.

This development is part of a broader shift in Microsoft's security posture. In October 2024, the company announced it would strengthen security across Entra tenants by making multifactor authentication (MFA) registration mandatory when security defaults are enabled. That initiative falls under the company's Secure Future Initiative, launched in November 2023, aimed at improving cybersecurity across Microsoft's product portfolio.

Further reinforcing its passwordless strategy, Microsoft announced in May 2025 that all new Microsoft accounts would be "passwordless by default" — a measure designed to protect users against brute-force attacks, credential stuffing, and phishing.

What Organizations Should Do Now

Administrators looking to take advantage of Entra passkeys on Windows should review their current Authentication Methods policies in the Microsoft Entra ID portal and ensure the 'Microsoft Entra ID with passkeys' option is enabled. They should also confirm that Conditional Access policies are configured to permit authentication from the device types they wish to support — whether corporate-managed, personal, or shared.

BleepingComputer reached out to Microsoft for additional details about the rollout, but a response was not immediately available at the time of publication.


Source: BleepingComputer