Skip to content
Tech News
← Back to articles

Microsoft to roll out Entra passkeys on Windows in late April

2026-04-24 | original
read original get Microsoft Entra Passkeys Kit → more articles
Why This Matters

Microsoft's upcoming rollout of Entra passkeys on Windows aims to enhance security by enabling passwordless, phishing-resistant authentication across a wide range of devices, including unmanaged and shared ones. This development signifies a major step toward reducing reliance on traditional passwords and strengthening enterprise and personal security. The feature's broad compatibility and admin controls make it a pivotal advancement in secure, seamless user authentication.

Key Takeaways

Microsoft will roll out passkey support for phishing-resistant passwordless authentication to Microsoft Entra‑protected resources from Windows devices starting late April.

The feature is expected to reach general availability by mid-June 2026 and will also extend passwordless sign-in to unmanaged Windows devices.

Microsoft says that Entra passkeys on Windows will support corporate, personal, and shared devices, with admin controls via Conditional Access and Authentication Methods policies.

"Users can create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN)," Microsoft said in a message center update.

"This expands passwordless authentication support to Windows devices that aren't Microsoft Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords across corporate‑managed, personal, and shared device scenarios."

The new security feature will be available in organizations that have enabled 'Microsoft Entra ID with passkeys' in the 'Authentication Methods policy' for users who sign in to Windows devices that are not Microsoft Entra‑joined or registered, provided Conditional Access policies allow it (e.g., from corporate‑managed, personal, or shared devices).

It also enables the creation of FIDO2 passkeys stored in a secure local credential container that can only be used for authentication to Microsoft Entra ID via Windows Hello using facial recognition, fingerprint, or PIN (unlike Windows Hello for Business, which also enables device sign-ins).

Feature Microsoft Entra passkey on Windows Windows Hello for Business Standard base FIDO2 FIDO2 for authentication, first-party (1P) protocol for device sign-in Registration User-initiated, doesn't require device join or registration Automatically provisioned on some Microsoft Entra joined or registered devices during device registration Device sign-in and single sign-on (SSO) N/A Enables device sign-in and SSO to Microsoft Entra-integrated resources after device sign-in Credential binding Bound to the device and stored in the local Windows Hello container. Users can register multiple passkeys for multiple work or school accounts on the same device. Primarily a device-bound sign-in method linked to device trust. The credential is tied only to the work or school account used to register the device. Management Microsoft Entra ID Authentication methods policy Microsoft Intune

Group Policy

Additionally, passkeys are cryptographically bound to each device and never transmitted over the network, so attackers can't steal them during phishing or malware attacks to bypass multifactor authentication.

... continue reading

Explore topics: microsoft entra windows hello fido2 passkeys
Related:
20,000 job cuts at Meta, Microsoft raise concern that AI-driven labor crisis is here
The Microsoft Surface Pro is nearly 40% off at Best Buy - and we highly recommend it
UK cyber chiefs say it's time to ditch passwords for passkeys - what are they?
How Project Maven taught the military to love AI
Israel-Lebanon ceasefire, Microsoft's first-ever buyouts, Starbucks' loyalty program and more in Morning Squawk

© 2026 GoKawiil

About | Editorial Policy | Contact