General Availability: Microsoft Entra passkeys on Windows

Microsoft Entra passkeys on Windows are generally available from late April 2026, enabling passwordless, phishing-resistant sign-in on Windows devices without explicit admin opt-in. This supports corporate, personal, and shared devices, with control via Authentication Methods policies and Conditional Access. No action is needed unless blocking is desired.

Microsoft Entra passkeys on Windows are now Generally Available, enabling phishing‑resistant, passwordless sign‑in to Microsoft Entra‑protected resources from Windows devices. The Public Preview of this capability was previously announced in MC1247893.

Users can create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN). This expands passwordless authentication support to Windows devices that aren’t Microsoft Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords across corporate‑managed, personal, and shared device scenarios.

When this will happen:

* General Availability (Worldwide): We will begin rolling out in late April 2026 and expect to complete by mid‑June 2026.
* General Availability (GCC, GCC High, DoD): We will begin rolling out in early July 2026 and expect to complete by late July 2026.

How this affects your organization:

Who is affected: Organizations using Microsoft Entra ID with passkeys enabled in the Authentication Methods policy whose users sign in from Windows devices, including:

* Corporate‑managed PCs
* Personal devices
* Shared devices

What will happen: With this General Availability release:

* Microsoft Entra passkeys on Windows will no longer require explicit opt‑in through Windows Hello AAGUID allow‑listing in a passkey (FIDO2) profile. This represents a change from Public Preview behavior, where administrators were required to explicitly allow Windows Hello AAGUIDs in a passkey profile for Microsoft Entra passkeys on Windows to function.
* If your passkey profile allows device‑bound, non‑attested passkeys: Users scoped to that profile will now be able to register and use Microsoft Entra passkeys on Windows by default without additional administrator configuration.

As a result:

* Users in scope of passkey profiles that allow device‑bound, non‑attested passkeys may begin registering and using passkeys on Windows devices.
* If Conditional Access policies allow: Passkeys can be created and used on Windows devices that are not Microsoft Entra‑joined or registered, including personal or shared PCs.

Each Windows […]

The post General Availability: Microsoft Entra passkeys on Windows appeared first on M365 Admin.

by João Ferreira
