Entra passkeys on Windows bring phishing-resistant sign-ins to unmanaged PCs
Microsoft has moved Entra passkeys on Windows into public preview, giving organizations a way to use device-bound passkeys on personal and shared PCs without relying on passwords.
Aisha Rahman
Cybersecurity reporter
Published Apr 21, 2026
Updated Apr 21, 2026
Overview
Entra passkeys on Windows are one of the more practical identity updates Microsoft has shipped this year. The change matters because it gives organizations a way to push phishing-resistant sign-in onto Windows devices that are not joined or registered to Entra, a gap that has lingered for teams with contractors, shared machines, and bring-your-own-device access.
Microsoft's documentation says the feature is now in public preview and lets users store device-bound FIDO2 passkeys inside the local Windows Hello container. In plain terms, a user can sign in with a face scan, fingerprint, or PIN instead of a password, and the credential stays tied to that machine.
Entra passkeys on Windows close a real gap
The value of Entra passkeys on Windows is not that passkeys are new. It is that Microsoft is finally extending them in a cleaner way to unmanaged Windows use cases. The company's documentation says the feature enables phishing-resistant sign-in without requiring the device to be Entra joined or registered.
That is a meaningful change for firms that still have weak points around partner access, shared terminals, and personal laptops used for work. BleepingComputer reported in March that Microsoft planned the rollout through late April, and the practical headline was straightforward: passwordless access was no longer limited to the well-managed company PC. For identity teams, that is the part worth paying attention to.
Why the unmanaged device angle matters
A lot of passwordless progress over the past few years has been strongest on tightly managed hardware. That helps employees on company-issued laptops, but it leaves messy corners where attackers still find easy wins. Shared devices, lightly managed contractor access, and personal Windows machines often end up falling back to passwords or weaker second-factor habits.
Entra passkeys on Windows give admins a better answer. Microsoft says users can register multiple passkeys for multiple work or school accounts on the same PC, and that the feature is governed through the Entra passkey policy. That makes it easier to separate who can enroll, what authenticators are allowed, and where the rollout starts.
The broader security point is that device-bound credentials make session theft and credential replay much harder than the old password model. They do not solve every problem. Malware on the device, weak recovery flows, and bad privilege design still matter. But they raise the floor in a place where many firms still need help.
What admins still need to plan around
This is not a flip-the-switch rollout. Microsoft says the preview is opt-in. Admins need to explicitly allow the Windows Hello AAGUIDs in a passkey profile, and attestation cannot be enforced for these Windows Hello passkeys during preview.
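The opt-in conditions above can be checked mechanically before a pilot. This is an added example, not code from Microsoft or from the original article: it audits an exported policy document whose field names are assumed to follow Microsoft Graph's fido2AuthenticationMethodConfiguration resource (the preview's passkey-profile schema may differ), and the AAGUID values and sample policies are constructed placeholders.

```python
# Constructed placeholders, NOT real AAGUIDs: substitute the Windows Hello
# AAGUIDs listed in Microsoft's documentation before using this check.
WINDOWS_HELLO_AAGUIDS = {
    "00000000-0000-0000-0000-0000000000a1",
    "00000000-0000-0000-0000-0000000000a2",
}

def audit_passkey_policy(policy, required=WINDOWS_HELLO_AAGUIDS):
    """Return findings that would keep Windows Hello passkeys from being opted in.

    An empty list means: method enabled, attestation not enforced, and every
    required AAGUID explicitly present on an enforced allow-list.
    """
    findings = []
    required = {a.lower() for a in required}  # AAGUIDs compare case-insensitively

    if policy.get("state") != "enabled":
        findings.append("FIDO2 passkey method is not enabled")

    # The article notes attestation cannot be enforced for these passkeys in preview.
    if policy.get("isAttestationEnforced"):
        findings.append("attestation is enforced")

    restrictions = policy.get("keyRestrictions") or {}
    listed = {a.lower() for a in restrictions.get("aaGuids") or []}
    mode = restrictions.get("enforcementType")

    if not restrictions.get("isEnforced"):
        findings.append("key restrictions are not enforced; nothing is explicitly allowed")
    elif mode == "allow":
        findings += [f"not on allow-list: {a}" for a in sorted(required - listed)]
    elif mode == "block":
        findings += [f"on block-list: {a}" for a in sorted(required & listed)]
    else:
        findings.append(f"unrecognized enforcementType: {mode!r}")
    return findings

# Constructed sample policies for demonstration.
COMPLIANT = {"state": "enabled", "isAttestationEnforced": False,
             "keyRestrictions": {"isEnforced": True, "enforcementType": "allow",
                                 "aaGuids": sorted(WINDOWS_HELLO_AAGUIDS)}}
MISCONFIGURED = {"state": "enabled", "isAttestationEnforced": True,
                 "keyRestrictions": {"isEnforced": True, "enforcementType": "allow",
                                     "aaGuids": ["00000000-0000-0000-0000-0000000000A1"]}}

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT), ("misconfigured", MISCONFIGURED)):
        print(name, audit_passkey_policy(doc) or "OK")
```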
There are also limits that matter in practice. Microsoft says these passkeys are device-bound and do not sync across devices. They also do not replace Windows Hello for Business for managed corporate sign-in. In other words, this is a complement for edge cases and mixed-device access, not a full rewrite of an existing Windows Hello for Business program.
That may sound less dramatic than the marketing headline. Fine. Identity teams do not need drama. They need fewer phishable paths, fewer reset loops, and a rollout that maps to real device mess. On that measure, this preview is more useful than flashy.