Platform, Security, Workplace
Microsoft is continuing its push toward a passwordless future. A new public preview introduces Microsoft Entra passkeys for Windows Hello, enabling phishing-resistant authentication directly from Windows devices, even those that aren’t managed by an organization. The feature, expected to roll out starting mid-March 2026, allows users to sign in to Entra-protected services using biometric authentication or a secure PIN stored in the Windows Hello environment.
Passwordless authentication expands to more devices
Traditionally, organizations relied on Windows Hello for Business (WHfB) for secure authentication on managed corporate devices. However, this approach doesn’t always work well for environments where users rely on personal, shared, or unmanaged machines. The new Entra passkeys help close that gap.
With this update, users can authenticate using Windows Hello even when their device isn’t joined or registered to Entra. This significantly improves security in Bring Your Own Device (BYOD) scenarios while maintaining strong protection against phishing attacks.
Authentication methods include:
• Facial recognition
• Fingerprint scanning
• A secure Windows Hello PIN
All credentials are stored locally in the Windows Hello container, ensuring sensitive authentication data never leaves the device.
Key characteristics of the new passkey system
Several design decisions stand out in Microsoft’s implementation:
• Device-bound credentials: Passkeys are stored locally and are not synchronized across devices. Each device must be individually registered for every Entra account used.
• Multiple accounts supported: A single Windows device can hold passkeys for multiple Entra accounts, making it easier for users who work across different organizations or tenants.
• Complementary to Windows Hello for Business: Microsoft positions the new passkeys as a supplement to WHfB, not a replacement. WHfB remains the preferred solution for managed corporate endpoints, while passkeys extend passwordless capabilities to less controlled environments.
• Credential coexistence rules: If a Windows Hello for Business credential already exists for a user account in the Windows Hello container, the system will prevent creating a passkey for that same account. However, this restriction may be bypassed once users exceed a threshold of roughly 50 combined credentials across FIDO2, WHfB, and Mac platform credentials.
Enabling the Feature in Microsoft Entra
The feature is opt-in during the preview period, meaning organizations must manually configure it in the Microsoft Entra admin center. Before enabling the functionality, administrators should verify the following:
1) FIDO2 authentication must be enabled in Authentication Methods policies.
2) Authentication strength policies should allow passkey authentication.
3) Specific Windows Hello AAGUIDs must be permitted during the preview.
During setup, administrators must configure a Passkey (FIDO2) policy and allow the following Windows Hello authenticators:
• Windows Hello Hardware: 08987058-cadc-4b81-b6e1-30de50dcbe96
• Windows Hello VBS Hardware: 9ddd1817-af5a-4672-a2b9-3e3dd95000a9
• Windows Hello Software: 6028b017-b1d4-4c02-b4b3-afcdafc96bb2
Additionally, attestation enforcement must be disabled during the preview phase.
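The three policy prerequisites above (FIDO2 method enabled, authentication strength allowing passkeys, the Windows Hello AAGUIDs permitted) plus the attestation requirement can be checked before anyone touches the admin center. The following is an added example, not code from the article or from Microsoft: it runs a preflight check against a tenant's Passkey (FIDO2) configuration object and builds the PATCH body that would bring it into line, working on a constructed sample so it runs offline. The property names (`state`, `isAttestationEnforced`, `keyRestrictions.aaGuids`, `enforcementType`, `isEnforced`, `allowedCombinations`) and the Graph endpoint are what I understand the Microsoft Graph `fido2AuthenticationMethodConfiguration` and authentication strength schemas to be, and the one pre-existing allow-listed AAGUID is a placeholder value.

```python
# Added example (not from the article or Microsoft). Preflight check and PATCH
# body for the Entra Passkey (FIDO2) policy prerequisites described above.
# Graph property names and endpoint are assumptions based on the Graph
# fido2AuthenticationMethodConfiguration / authenticationStrengthPolicy schemas.
import json
from typing import Dict, List

# AAGUIDs listed in the article for the Windows Hello authenticators.
WINDOWS_HELLO_AAGUIDS: Dict[str, str] = {
    "Windows Hello Hardware": "08987058-cadc-4b81-b6e1-30de50dcbe96",
    "Windows Hello VBS Hardware": "9ddd1817-af5a-4672-a2b9-3e3dd95000a9",
    "Windows Hello Software": "6028b017-b1d4-4c02-b4b3-afcdafc96bb2",
}

# Assumed Graph endpoint the PATCH body is intended for.
FIDO2_POLICY_URL = (
    "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
    "/authenticationMethodConfigurations/Fido2"
)

# Constructed sample: a tenant that already allow-lists one hardware-key AAGUID
# (placeholder value, not a real product AAGUID) and still enforces attestation.
SAMPLE_FIDO2_CONFIG = {
    "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationEnabled": True,
    "isAttestationEnforced": True,
    "keyRestrictions": {
        "isEnforced": True,
        "enforcementType": "allow",
        "aaGuids": ["00000000-0000-4000-8000-000000000001"],  # placeholder
    },
}

# Constructed sample authentication strength that does not yet allow passkeys.
SAMPLE_STRENGTH_POLICY = {
    "displayName": "Phishing-resistant MFA",
    "allowedCombinations": ["windowsHelloForBusiness", "x509CertificateMultiFactor"],
}


def fido2_policy_gaps(cfg: dict) -> List[str]:
    """Return the preview prerequisites this FIDO2 configuration does not satisfy."""
    gaps: List[str] = []
    if cfg.get("state") != "enabled":
        gaps.append("FIDO2 authentication method is not enabled")
    if cfg.get("isAttestationEnforced", True):
        gaps.append("attestation enforcement is on; it must be off during the preview")
    kr = cfg.get("keyRestrictions") or {}
    if kr.get("isEnforced"):  # when not enforced, every AAGUID is accepted
        listed = {g.lower() for g in kr.get("aaGuids", [])}
        mode = kr.get("enforcementType", "allow")
        for name, guid in WINDOWS_HELLO_AAGUIDS.items():
            if mode == "allow" and guid not in listed:
                gaps.append(f"{name} ({guid}) is missing from the AAGUID allow list")
            elif mode == "block" and guid in listed:
                gaps.append(f"{name} ({guid}) is on the AAGUID block list")
    return gaps


def strength_allows_passkey(policy: dict) -> bool:
    """True if the authentication strength lists the FIDO2 (passkey) combination."""
    return "fido2" in [c.lower() for c in policy.get("allowedCombinations", [])]


def build_fido2_patch_body(cfg: dict) -> dict:
    """Build a PATCH body that keeps existing key restrictions intact and adds
    only what the preview needs: Windows Hello AAGUIDs permitted, attestation off."""
    kr = dict(cfg.get("keyRestrictions") or {})
    guids = list(kr.get("aaGuids", []))
    hello_lower = {g.lower() for g in WINDOWS_HELLO_AAGUIDS.values()}
    if kr.get("isEnforced") and kr.get("enforcementType") == "block":
        # Block-list tenant: remove the Windows Hello AAGUIDs from the block list.
        guids = [g for g in guids if g.lower() not in hello_lower]
    elif kr.get("isEnforced"):
        # Allow-list tenant: append any Windows Hello AAGUID not already present.
        present = {g.lower() for g in guids}
        guids += [g for g in WINDOWS_HELLO_AAGUIDS.values() if g.lower() not in present]
    # Unrestricted tenant: all AAGUIDs already accepted, list left untouched.
    kr["aaGuids"] = guids
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",
        "isAttestationEnforced": False,
        "keyRestrictions": kr,
    }


if __name__ == "__main__":
    print("gaps before:", fido2_policy_gaps(SAMPLE_FIDO2_CONFIG))
    body = build_fido2_patch_body(SAMPLE_FIDO2_CONFIG)
    print("PATCH", FIDO2_POLICY_URL)
    print(json.dumps(body, indent=2))
    print("gaps after:", fido2_policy_gaps({**SAMPLE_FIDO2_CONFIG, **body}))
    print("strength allows passkey:", strength_allows_passkey(SAMPLE_STRENGTH_POLICY))
```

The PATCH body carries the complete `aaGuids` list rather than just the three new entries, so an existing allow list of hardware keys is preserved rather than replaced, and a tenant running a block list or no key restrictions at all is handled without silently switching it to an allow list.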
Rollout Timeline
Microsoft plans to release the feature according to the following schedule:
Public Preview: Mid-March 2026
General Availability: Expected around mid-April 2026 in most regions
Organizations interested in testing the capability should start preparing their authentication policies and Conditional Access configurations now.
A Step Toward a Passwordless Future
Microsoft has been steadily expanding passwordless authentication across its ecosystem, and this update is another important step. By allowing Windows Hello passkeys on unmanaged or personal devices, organizations can maintain strong authentication standards without sacrificing flexibility for users. As more companies adopt hybrid work and BYOD strategies, features like this could become essential in maintaining security without relying on traditional passwords.