Microsoft Entra passkeys land on Windows, closing a gap on unmanaged devices
Microsoft is rolling out Entra passkey support on Windows starting late April, with general availability targeted for mid-June 2026. The feature lets users create device-bound FIDO2 passkeys stored in the Windows Hello container and authenticate to Entra-protected resources using face, fingerprint, or PIN. Crucially, it works on Windows devices that are not Entra-joined or registered, extending passwordless sign-in to personal and shared machines that previously had to fall back on passwords.
Admins gate the capability through Authentication Methods policy and Conditional Access. The keys are cryptographically bound to each device and never transmitted, which removes the phishing and malware exfiltration paths that defeat traditional MFA. Unlike Windows Hello for Business, these passkeys are scoped to Entra ID authentication rather than local device sign-in.
The timing tracks an aggressive wave of SSO-targeted credential theft against Entra tenants and fits Microsoft’s broader Secure Future Initiative push — mandatory MFA registration under security defaults and passwordless-by-default new consumer accounts — aimed at retiring password-based auth as the weakest link in the identity chain.
Continue reading at BleepingComputer →
This is an AI-generated summary. Read the original for the full story.