Microsoft will roll out Entra passkey support on Windows starting late April, with general availability expected by mid‑June 2026, extending phishing‑resistant passwordless sign‑ins to unmanaged, corporate, personal, and shared devices. Device‑bound FIDO2 passkeys will be stored in the Windows Hello container and managed via Conditional Access and Authentication Methods policies, closing a security gap exploited in recent Entra SSO credential‑theft attacks while preventing passkey exfiltration. #MicrosoftEntra #WindowsHello
Keypoints
- Entra passkeys will enable phishing‑resistant passwordless authentication from Windows devices beginning late April, with GA by mid‑June 2026.
- Support extends to unmanaged, corporate, personal, and shared Windows devices without requiring device join or registration.
- Passkeys are FIDO2 credentials stored in the local Windows Hello container and usable only for Entra ID authentication via face, fingerprint, or PIN.
- Administrators can manage deployment and access using Conditional Access and Authentication Methods policies.
- The feature mitigates recent attacks on Microsoft Entra SSO by ensuring passkeys are device‑bound and never transmitted over the network.