Platform, Security, Workplace
Microsoft is continuing its push toward a passwordless future. A new public preview introduces Microsoft Entra passkeys for Windows Hello, enabling phishing-resistant authentication directly from Windows devices, even those an organization doesn’t manage. The feature, expected to roll out starting mid-March 2026, allows users to sign in to Entra-protected services using biometric authentication or a secure PIN stored in the Windows Hello environment.
Passwordless authentication expands to more devices
Traditionally, organizations relied on Windows Hello for Business (WHfB) for secure authentication on managed corporate devices. However, this approach doesn’t always work well for environments where users rely on personal, shared, or unmanaged machines. The new Entra passkeys help close that gap.
With this update, users can authenticate using Windows Hello even when their device isn’t joined or registered to Entra. This significantly improves security in Bring Your Own Device (BYOD) scenarios while maintaining strong protection against phishing attacks.
Authentication methods include:
• Facial recognition
• Fingerprint scanning
• A secure Windows Hello PIN
Windows Hello stores all credentials locally in its container, ensuring sensitive authentication data never leaves the device.
Key characteristics of the new passkey system
Several design decisions stand out in Microsoft’s implementation:
• Device-bound credentials: Windows Hello stores passkeys locally and does not synchronize them across devices. Users must individually register each device for every Entra account they use.
• Multiple accounts supported: A single Windows device can hold passkeys for multiple Entra accounts, making it easier for users who work across different organizations or tenants.
• Complementary to Windows Hello for Business: Microsoft treats the new passkeys as a supplement to WHfB, not a replacement. WHfB remains the preferred solution for managed corporate endpoints, while passkeys extend passwordless capabilities to less controlled environments.
• Credential coexistence rules: If a Windows Hello for Business credential already exists for a user account in the Windows Hello container, the system blocks passkey creation for that same account. However, this restriction may be bypassed once users exceed a threshold of roughly 50 combined credentials across FIDO2, WHfB, and Mac platform credentials.
Enabling the Feature in Microsoft Entra
The feature is opt-in during the preview period, meaning organizations must manually configure it in the Microsoft Entra admin center. Before enabling the functionality, administrators should verify the following:
1) FIDO2 authentication must be enabled in Authentication Methods policies.
2) Authentication strength policies should allow passkey authentication.
3) Specific Windows Hello AAGUIDs must be permitted during the preview.
During setup, administrators must configure a Passkey (FIDO2) policy and allow the following Windows Hello authenticators:
• Windows Hello Hardware: 08987058-cadc-4b81-b6e1-30de50dcbe96
• Windows Hello VBS Hardware: 9ddd1817-af5a-4672-a2b9-3e3dd95000a9
• Windows Hello Software: 6028b017-b1d4-4c02-b4b3-afcdafc96bb2
Additionally, administrators must disable attestation enforcement during the preview phase.
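The three policy steps above can be applied from a script rather than by hand, which also makes the resulting allow-list auditable. The following PowerShell is an added example and is not Microsoft's own tooling or code from this article: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns) and the Microsoft Graph fido2AuthenticationMethodConfiguration resource shape; the cmdlet names and the nested AdditionalProperties keys should be confirmed against the SDK version in use. It enables the Passkey (FIDO2) method, merges the three Windows Hello AAGUIDs into whatever allow-list already exists (so hardware security keys already in use are not silently locked out), and turns attestation enforcement off as the preview requires.

```powershell
# Added example (not from the article): configure the Passkey (FIDO2) authentication
# method policy for the Entra passkeys for Windows Hello preview with the Microsoft
# Graph PowerShell SDK. Run as an Authentication Policy Administrator or equivalent.
# Assumption: cmdlet names and the fido2AuthenticationMethodConfiguration property
# names follow the Microsoft Graph v1.0 API; verify against your SDK version.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# The three Windows Hello authenticator AAGUIDs listed in the article.
$windowsHelloAaguids = @(
    "08987058-cadc-4b81-b6e1-30de50dcbe96",  # Windows Hello Hardware
    "9ddd1817-af5a-4672-a2b9-3e3dd95000a9",  # Windows Hello VBS Hardware
    "6028b017-b1d4-4c02-b4b3-afcdafc96bb2"   # Windows Hello Software
)

# Read the current FIDO2 configuration so an existing allow-list (for example
# hardware security keys the organization already permits) is extended, not replaced.
$current = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2"

# Derived-type properties are exposed through AdditionalProperties by the SDK.
$existingAaguids = @()
if ($current.AdditionalProperties.keyRestrictions.aaGuids) {
    $existingAaguids = @($current.AdditionalProperties.keyRestrictions.aaGuids)
}
$mergedAaguids = @($existingAaguids + $windowsHelloAaguids | Select-Object -Unique)

$body = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    # Preview requirement from the article: attestation enforcement must be disabled.
    isAttestationEnforced            = $false
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = "allow"      # only the listed AAGUIDs may register
        aaGuids         = $mergedAaguids
    }
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $body

# Read back and display the effective settings for change records.
$updated = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2"
[pscustomobject]@{
    State                 = $updated.State
    IsAttestationEnforced = $updated.AdditionalProperties.isAttestationEnforced
    EnforcementType       = $updated.AdditionalProperties.keyRestrictions.enforcementType
    AllowedAaguids        = ($updated.AdditionalProperties.keyRestrictions.aaGuids -join ", ")
}
```

Two points worth checking after running it. First, with enforcementType set to "allow", any authenticator whose AAGUID is not in the list is refused at registration, which is why the script merges rather than overwrites; review the read-back output against your inventory of approved keys. Second, with attestation enforcement disabled, the AAGUID reported at registration is not verified by an attestation statement, so the allow-list is a policy hint rather than a cryptographic guarantee of the authenticator model; plan to re-enable attestation enforcement when Microsoft lifts the preview requirement.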
Rollout Timeline
Microsoft plans to release the feature according to the following schedule:
Public Preview: Mid-March 2026
General Availability: Expected around mid-April 2026 in most regions
Organizations interested in testing the capability should start preparing their authentication policies and Conditional Access configurations now.
Microsoft has been steadily expanding passwordless authentication across its ecosystem, and this update is another important step. By allowing Windows Hello passkeys on unmanaged or personal devices, organizations can maintain strong authentication standards without sacrificing flexibility for users. As more companies adopt hybrid work and BYOD strategies, features like this could become essential in maintaining security without relying on traditional passwords.
New to passkeys? Read my article on passkeys vs security keys to understand which phishing-resistant authentication method fits your organization best.