Overview
Microsoft is rolling out passkey support for phishing-resistant passwordless authentication to Microsoft Entra-protected resources from Windows devices starting late April 2026. The feature — entering General Availability — allows users to create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello biometric methods (face, fingerprint) or PIN.
This rollout closes a long-standing security gap that left personal and shared Windows devices reliant on password-based Microsoft Entra ID authentication, making them significantly more vulnerable to credential theft attacks.
What Are Microsoft Entra Passkeys on Windows?
Passkeys are cryptographic credentials that replace traditional passwords. Unlike passwords, they are:
- Device-bound — the private key is stored on the local device and is never transmitted over the network
- Phishing-resistant — bound to the relying party's origin, so a phishing page or man-in-the-middle proxy cannot obtain a usable assertion
- Non-transferable — bound to the specific device they were created on
Microsoft Entra passkeys on Windows leverage the Windows Hello infrastructure, allowing users to register a passkey per Entra account on their device and use biometric or PIN authentication to access Entra ID-protected resources.
Rollout Timeline
| Deployment Ring | Start | Expected Completion |
|---|---|---|
| General Availability (Worldwide) | Late April 2026 | Mid-June 2026 |
| General Availability (GCC, GCC High, DoD) | Early July 2026 | Late July 2026 |
Key Technical Details
Device and Account Support
| Scenario | Supported |
|---|---|
| Windows devices not Entra-joined or registered | Yes |
| Personal or shared PCs | Yes |
| Multiple Entra accounts per device | Yes (separate passkey per account) |
| Cross-device passkey sync | No (device-bound only) |
| Device sign-in replacement | No (supplements, not replaces Windows Hello for Business) |
What Changed from Public Preview
During Public Preview, administrators were required to explicitly allow Windows Hello AAGUIDs in a FIDO2 passkey profile for the feature to work. This restriction has been lifted in General Availability.
If your passkey (FIDO2) profile allows device-bound, non-attested passkeys, users scoped to that profile can now register and use Microsoft Entra passkeys on Windows by default — no additional admin configuration required.
Attestation Support
Attestation for Microsoft Entra passkeys on Windows is not currently supported but is planned for a future update.
Impact on Organizations
Why This Matters
Credential theft is the leading cause of breaches in 2025–2026, accounting for 22% of all data breaches according to Verizon's DBIR. Passkeys eliminate the credential theft vector entirely for authentication flows — there is no password or reusable token to steal.
For organizations with unmanaged or personal Windows devices accessing Entra ID resources (common in BYOD environments), this rollout provides a path to phishing-resistant authentication that was previously unavailable without full device enrollment.
Relationship to Windows Hello for Business
Microsoft continues to recommend Windows Hello for Business for managed, Entra-joined or Hybrid-joined enterprise devices. Entra passkeys on Windows are specifically designed to fill the gap for:
- Unmanaged personal devices used to access corporate resources
- Shared workstations where full device enrollment isn't practical
- External contractors and guests who need secure access without full device management
Administrator Actions
No Action Required (Default GA Behavior)
Most organizations need to take no action. If your existing passkey (FIDO2) profile permits device-bound, non-attested passkeys, the feature will automatically become available to scoped users.
To Block Microsoft Entra Passkeys on Windows
If your organization does not want users to register or use this feature:
- Navigate to Azure Active Directory → Security → Authentication Methods → Passkey (FIDO2)
- In the relevant passkey profile, locate the Windows Hello AAGUIDs
- Add Windows Hello AAGUIDs to the block list for that profile
- Review all profiles that currently allow device-bound, non-attested passkeys and update accordingly
Registering a Passkey (User Flow)
Users can register a passkey on their Windows device by:
1. Navigate to aka.ms/mysecurityinfo
2. Add sign-in method → Passkey (Windows Hello or external security key)
3. Follow prompts to register using Windows Hello biometrics or PIN
4. The passkey is stored in the Windows Hello container on the local device
Security Implications
| Threat Eliminated | Notes |
|---|---|
| Password spray attacks | No password = no spray surface |
| Credential phishing | Passkeys are domain-bound — fake pages cannot harvest them |
| Pass-the-hash / pass-the-ticket | Passkeys are not reusable tokens |
| Credential stuffing from breached databases | No password to appear in breach lists |
Passkeys represent a generational improvement in authentication security for environments that adopt them. Combined with existing Entra ID Conditional Access policies and Microsoft Defender for Identity, they significantly reduce the attack surface for identity-based breaches.
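As an added illustration of both the AAGUID block-list control described under Administrator Actions and the origin binding behind the credential-phishing row above, here is an example relying-party check written for this page (not Microsoft's code): it parses the authenticatorData of a WebAuthn registration, verifies the RP ID hash, requires user verification, and rejects AAGUIDs on a block list. The RP ID, AAGUIDs and credential IDs are constructed placeholders; the real Windows Hello AAGUIDs are not given on this page.

```python
"""Added example (not Microsoft's code): parse WebAuthn authenticatorData from a
registration and apply the RP ID binding check plus an AAGUID block list.
All RP IDs, AAGUIDs and credential IDs below are constructed placeholders."""
import hashlib
import struct
import uuid

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # WebAuthn authenticatorData flag bits
RP_ID = "login.example.com"                    # constructed relying-party ID
ALLOWED_AAGUID = uuid.UUID("00000000-0000-4000-8000-0000000000aa")  # constructed, not blocked
# Constructed AAGUID standing in for an authenticator model the admin has blocked.
BLOCKED_AAGUIDS = {uuid.UUID("00000000-0000-4000-8000-000000000001")}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId."""
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("registration response lacks attested credential data")
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    return {"rp_id_hash": auth_data[:32], "flags": flags,
            "sign_count": struct.unpack(">I", auth_data[33:37])[0],
            "aaguid": uuid.UUID(bytes=auth_data[37:53]),
            "credential_id": auth_data[55:55 + cred_len]}


def evaluate_registration(auth_data: bytes, rp_id: str, blocked: set) -> tuple:
    """Relying-party decision: RP ID binding, then user verification, then AAGUID policy."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential was created for a different origin"
    if not parsed["flags"] & FLAG_UV:
        return False, "user verification (PIN or biometric) was not performed"
    if parsed["aaguid"] in blocked:
        return False, f"authenticator {parsed['aaguid']} is on the profile block list"
    return True, f"accepted credential {parsed['credential_id'].hex()}"


def build_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes,
                    flags: int = FLAG_UP | FLAG_UV | FLAG_AT) -> bytes:
    """Constructed sample authenticatorData; 0xA0 (empty CBOR map) stands in for the COSE key."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")


if __name__ == "__main__":
    print(evaluate_registration(build_auth_data(RP_ID, ALLOWED_AAGUID, b"\x01" * 16), RP_ID, BLOCKED_AAGUIDS))
    print(evaluate_registration(build_auth_data("evil.test", ALLOWED_AAGUID, b"\x02" * 16), RP_ID, BLOCKED_AAGUIDS))
```

The rpIdHash check is the property that makes the "Credential phishing" row hold: a credential created for a look-alike origin hashes to a different value and is rejected before any policy is consulted.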
Current Limitations
- No cross-device sync — each device requires separate passkey registration
- No attestation support (planned for future update)
- Does not support Windows device sign-in — only Entra ID resource authentication
- Public Preview users may need to re-register if AAGUID allow-listing was previously required
References
- BleepingComputer — Microsoft to roll out Entra passkeys on Windows in late April
- Microsoft 365 Message Center — MC1282568: General Availability: Microsoft Entra passkeys on Windows
- Microsoft Entra Releases and Announcements — Microsoft Learn
- Microsoft Entra Innovations at RSAC 2026