Microsoft will roll out passkey support for phishing-resistant passwordless authentication to Microsoft Entra‑protected resources from Windows devices starting late April. The feature is expected to reach general availability by mid-June 2026 and will also extend passwordless sign-in to unmanaged Windows devices. Microsoft says that Entra passkeys on Windows will support corporate, personal, and shared devices, with admin controls via Conditional Access and Authentication Methods policies. "Users can create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN)," Microsoft said in a message center update. "This expands passwordless authentication support to Windows devices that aren't Microsoft Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords across corporate‑managed, personal, and shared device scenarios." The new security feature will be available in organizations that have enabled 'Microsoft Entra ID with passkeys' in the 'Authentication Methods policy' for users who sign in to Windows devices that are not Microsoft Entra‑joined or registered, provided Conditional Access policies allow it (e.g., from corporate‑managed, personal, or shared devices). It also enables the creation of FIDO2 passkeys stored in a secure local credential container that can only be used for authentication to Microsoft Entra ID via Windows Hello using facial recognition, fingerprint, or PIN (unlike Windows Hello for Business, which also enables device sign-ins). Additionally, passkeys are cryptographically bound to each device and never transmitted over the network, so attackers can't steal them during phishing or malware attacks to bypass multifactor authentication. While Microsoft didn't share why this feature was added, Microsoft Entra passkeys on Windows close a security gap that previously left personal and shared devices reliant on password-based Microsoft Entra ID authentication. In recent months, threat actors have heavily targeted Microsoft Entra single sign-on (SSO) accounts using stolen credentials in a wave of recent SaaS data-theft attacks.