Microsoft Introduces Passkey Authentication for Windows Devices Through Entra
Microsoft is expanding its passwordless security strategy by introducing passkey support for Microsoft Entra on Windows devices. The feature enables phishing-resistant authentication using Windows Hello, allowing users to sign in without traditional passwords.
According to information published in the Microsoft Messaging Center, the update will allow passwordless sign-in on unmanaged Windows devices. Until now, these devices have often relied on standard passwords instead of modern authentication methods.
Passkeys stored securely inside Windows Hello
With the new feature, users will be able to create device-bound passkeys that are stored inside the Windows Hello secure container. Users can unlock the passkey using facial recognition, fingerprint authentication, or a PIN.
Passkeys rely on cryptographic keys tied directly to the device. Because the private key never leaves the device and no password travels across the network, attackers cannot intercept it through phishing or credential-stealing malware.
Each Microsoft Entra account registers its own passkey on every device used. Multiple Entra accounts can exist on the same Windows machine, but each account generates a separate passkey.
Passkeys also remain local to the device. They do not sync across multiple computers, which means users must register a new passkey for each Windows device they use.
Designed primarily for unmanaged Windows devices
Microsoft says the feature mainly targets unmanaged devices that are not joined to an organization’s Entra environment. Windows Hello for Business will remain the recommended authentication solution for managed, Entra-joined, or registered corporate devices.
Administrators who want to test the feature during the preview phase must complete several configuration steps in Microsoft Entra:
- Enable the Passkeys (FIDO2) authentication method in Entra Authentication Methods policies
- Create a passkey profile that includes the required Windows Hello AAGUID identifiers
- Assign the configuration to the appropriate user groups
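To show what an AAGUID restriction in a passkey profile enforces, here is an added example (not Microsoft's code and not part of the original article) that parses the WebAuthn authenticatorData from a registration and accepts it only if the authenticator's AAGUID is on an allow-list. The AAGUID values, the function names and the sample bytes are constructed placeholders; the real Windows Hello AAGUIDs are not given on this page.

```python
import struct
import uuid

# Hypothetical allow-list standing in for a passkey profile's AAGUIDs.
# Constructed placeholder values, not the real Windows Hello AAGUIDs.
ALLOWED_AAGUIDS = {
    uuid.UUID("00000000-0000-4000-8000-000000000001"),
    uuid.UUID("00000000-0000-4000-8000-000000000002"),
}
FLAG_UV = 0x04  # user verified (biometric or PIN)
FLAG_AT = 0x40  # attested credential data present


def parse_registration_authdata(auth_data: bytes) -> dict:
    """Parse rpIdHash(32) flags(1) signCount(4) AAGUID(16) credIdLen(2) credId."""
    if len(auth_data) < 37:
        raise ValueError("shorter than the 37-byte header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data")
    if len(auth_data) < 55:
        raise ValueError("truncated attested credential data")
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("credential ID length exceeds buffer")
    return {
        "rp_id_hash": auth_data[:32],
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": uuid.UUID(bytes=auth_data[37:53]),
        "credential_id": cred_id,
    }


def registration_allowed(auth_data: bytes, allowed=frozenset(ALLOWED_AAGUIDS)) -> bool:
    """Accept only user-verified registrations from an allow-listed AAGUID."""
    try:
        parsed = parse_registration_authdata(auth_data)
    except ValueError:
        return False  # malformed input is rejected, never trusted
    return parsed["user_verified"] and parsed["aaguid"] in allowed


def build_sample(aaguid: uuid.UUID, flags: int) -> bytes:
    """Build constructed sample authenticatorData (not a real capture)."""
    cred_id = b"\x11" * 16
    return (b"\xaa" * 32 + bytes([flags]) + struct.pack(">I", 0)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id)
```

The AAGUID inside authenticatorData is only as trustworthy as the attestation statement that covers it, so a relying party that enforces an allow-list also needs to verify attestation.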
Microsoft also notes a limitation involving Windows Hello credentials. Users cannot register a passkey if a Windows Hello for Business credential already exists inside the same secure container.
The company says this restriction could be lifted in the future when users reach more than 50 total credentials across passkeys, Windows Hello for Business, and Mac platform credentials.
Part of Microsoft’s broader passwordless push
The move continues Microsoft’s long-term push toward passwordless authentication across its ecosystem. In May 2025, the company announced that newly created Microsoft accounts would be passwordless by default.
Microsoft plans to release the Microsoft Entra passkey feature in public preview between mid-March and late April 2026 for global tenants. Government cloud environments, including GCC, GCC High, and DoD, are expected to receive the rollout between mid-April and mid-May 2026.
In other cybersecurity developments, Exchange Online recently dropped support for the Credential parameter in favor of stronger multi-factor authentication methods. Security researchers have also warned about attackers spreading malware through social engineering campaigns on Microsoft Teams.
Meanwhile, Microsoft also confirmed that PCs enrolled in Windows Autopatch will begin receiving hotpatch security updates by default starting in May.