Services
Summary
Microsoft Entra passkeys on Windows are generally available from late April 2026, enabling passwordless, phishing-resistant sign-in on Windows devices without explicit admin opt-in. This supports corporate, personal, and shared devices, with control via Authentication Methods policies and Conditional Access. No action is needed unless blocking is desired.
Details
Introduction
Microsoft Entra passkeys on Windows are now Generally Available, enabling phishing‑resistant, passwordless sign‑in to Microsoft Entra‑protected resources from Windows devices.
The Public Preview of this capability was previously announced in MC1247893.
Users can create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN). This expands passwordless authentication support to Windows devices that aren’t Microsoft Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords across corporate‑managed, personal, and shared device scenarios.
When this will happen:
- General Availability (Worldwide): We will begin rolling out in late April 2026 and expect to complete by mid‑June 2026.
- General Availability (GCC, GCC High, DoD): We will begin rolling out in early July 2026 and expect to complete by late July 2026.
How this affects your organization:
Who is affected:
Organizations using Microsoft Entra ID with passkeys enabled in the Authentication Methods policy whose users sign in from Windows devices, including:
- Corporate‑managed PCs
- Personal devices
- Shared devices
What will happen:
With this General Availability release:
- Microsoft Entra passkeys on Windows will no longer require explicit opt‑in through Windows Hello AAGUID allow‑listing in a passkey (FIDO2) profile.
- This represents a change from Public Preview behavior, where administrators were required to explicitly allow Windows Hello AAGUIDs in a passkey profile for Microsoft Entra passkeys on Windows to function.
- If your passkey profile allows device‑bound, non‑attested passkeys:
  - Users scoped to that profile will now be able to register and use Microsoft Entra passkeys on Windows by default without additional administrator configuration.
- As a result:
  - Users in scope of passkey profiles that allow device‑bound, non‑attested passkeys may begin registering and using passkeys on Windows devices.
- If Conditional Access policies allow:
  - Passkeys can be created and used on Windows devices that are not Microsoft Entra‑joined or registered, including personal or shared PCs.
- Each Windows device requires separate passkey registration per Entra account.
- Windows Hello for Business remains recommended for managed, Microsoft Entra‑joined or registered devices.
- Passkeys on Windows supplement unmanaged or shared device scenarios and do not support device sign‑in.
- Attestation is not currently supported for Microsoft Entra passkeys on Windows but is planned for a future update.
What you can do to prepare:
No action is required for most organizations.
If you do not want users to register or use Microsoft Entra passkeys on Windows:
- Update the relevant passkey (FIDO2) profile to block Windows Hello AAGUIDs.
- Review existing passkey profiles that allow device‑bound, non‑attested passkeys.
- Add Windows Hello AAGUIDs to the block list in passkey profiles where passkey usage on Windows devices should not be permitted.
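The steps above amount to a policy audit and a block-list update. The script below is an added example, not code from Microsoft or from the notice: it takes a FIDO2 (passkey) authentication method configuration in the shape Microsoft Graph returns for `/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2` (`keyRestrictions` with `isEnforced`, `enforcementType` and `aaGuids`), reports whether Windows Hello passkeys can still be registered, and builds the PATCH body that adds the Windows Hello AAGUIDs to the block list. The AAGUID values are placeholders (the real ones are in the Microsoft Learn article linked below), the sample configuration is constructed, and it is assumed that a passkey profile is expressed with the same `keyRestrictions` fields.

```python
"""Audit a FIDO2/passkey configuration for Windows Hello passkey exposure and
produce the block-list patch described in the notice.

Added example; not Microsoft's code. The AAGUIDs are placeholders and the
configuration below is hand-constructed, not captured from a tenant.
"""
import json
from copy import deepcopy

# Placeholder AAGUIDs standing in for the Windows Hello authenticators.
# Substitute the values published in the Microsoft Learn article.
WINDOWS_HELLO_AAGUIDS = frozenset({
    "00000000-0000-4000-8000-000000000001",  # placeholder: Windows Hello authenticator A
    "00000000-0000-4000-8000-000000000002",  # placeholder: Windows Hello authenticator B
})

# Constructed sample shaped like the Graph fido2AuthenticationMethodConfiguration.
# It blocks one unrelated AAGUID, so Windows Hello is still allowed.
SAMPLE_FIDO2_CONFIG = json.loads("""
{
  "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
  "id": "Fido2",
  "state": "enabled",
  "isSelfServiceRegistrationAllowed": true,
  "isAttestationEnforced": false,
  "keyRestrictions": {
    "isEnforced": true,
    "enforcementType": "block",
    "aaGuids": ["11111111-1111-4111-8111-111111111111"]
  }
}
""")


def windows_hello_status(config):
    """Classify whether Windows Hello passkeys can be registered under this config.

    Returns one of:
      'method-disabled'        - the whole FIDO2/passkey method is off
      'blocked-by-attestation' - attestation is enforced; the notice says Windows
                                 passkeys are non-attested, so they cannot enroll
      'blocked'                - every Windows Hello AAGUID is on an enforced block list
      'partially-blocked'      - only some Windows Hello AAGUIDs are blocked
      'allowed'                - nothing stops registration (the GA default)
    """
    if config.get("state") != "enabled":
        return "method-disabled"
    if config.get("isAttestationEnforced"):
        return "blocked-by-attestation"
    kr = config.get("keyRestrictions") or {}
    if not kr.get("isEnforced"):
        return "allowed"
    listed = WINDOWS_HELLO_AAGUIDS & {g.lower() for g in (kr.get("aaGuids") or [])}
    if kr.get("enforcementType") == "block":
        if listed == WINDOWS_HELLO_AAGUIDS:
            return "blocked"
        return "partially-blocked" if listed else "allowed"
    # enforcementType == "allow": per the notice, allow-listing is no longer the
    # opt-in gate at GA, so an allow list is not treated as blocking Windows Hello.
    return "allowed"


def build_block_patch(config):
    """Return the PATCH body that adds the Windows Hello AAGUIDs to the block list.

    Existing blocked AAGUIDs are kept. An enforced allow list is refused rather
    than converted, because flipping enforcementType would silently discard it.
    """
    kr = deepcopy(config.get("keyRestrictions") or {})
    if kr.get("isEnforced") and kr.get("enforcementType") == "allow" and kr.get("aaGuids"):
        raise ValueError("profile enforces an allow list; review it manually "
                         "instead of converting it to a block list")
    existing = set()
    if kr.get("enforcementType") == "block":
        existing = {g.lower() for g in (kr.get("aaGuids") or [])}
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "keyRestrictions": {
            "isEnforced": True,
            "enforcementType": "block",
            "aaGuids": sorted(existing | WINDOWS_HELLO_AAGUIDS),
        },
    }


if __name__ == "__main__":
    print("before:", windows_hello_status(SAMPLE_FIDO2_CONFIG))
    patch = build_block_patch(SAMPLE_FIDO2_CONFIG)
    print(json.dumps(patch, indent=2))
    print("after: ", windows_hello_status({**SAMPLE_FIDO2_CONFIG, **patch}))
```

Run it against the JSON you get back from Graph for each passkey profile; a status other than `blocked` on a profile that should not permit Windows passkeys is the finding to act on. The attestation case is worth keeping in the check: a profile that enforces attestation already excludes Windows passkeys today, but the notice says attestation support is planned, so that exclusion should not be relied on as a long-term block.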
Learn more: Enable Microsoft Entra passkey on Windows | Microsoft Learn (will be updated before GA rollout)
Compliance considerations:
| Compliance area | Explanation |
|---|---|
| Does the change modify, interrupt, or disable Conditional Access policies? | Existing Conditional Access policies continue to govern whether passkeys can be created or used on unmanaged Windows devices. |
| Does the change include an admin control and can it be controlled through Entra ID group membership? | Admins can control passkey availability through Authentication Methods policies and FIDO2 passkey profiles scoped to Microsoft Entra ID groups. |
| Does the change allow a user to enable and disable the feature themselves? | Users may register Microsoft Entra passkeys on Windows devices if permitted by administrator policy configuration. |