Microsoft is introducing Entra passkeys to Windows – so tough luck if your device is jailbroken, as your credentials will soon be gone forever | TechRadar
Microsoft is making signing in easier and more secure
- BYOD policies just got more secure with Entra passkeys for Windows Hello
- Windows devices will be more resistant to phishing and credential stuffing
- Microsoft Authenticator is scanning for rooted and jailbroken devices
Windows devices are getting native passkey support thanks to the rollout of Microsoft Entra passkeys to all supported devices. By making use of Windows Hello, users can use their facial scan, fingerprint, or PIN as a local authenticator.
The move allows employees making use of bring-your-own-device (BYOD) policies to secure their work accounts without handing over full device management to their company.
But Microsoft Authenticator is on the hunt for rooted and jailbroken devices, and will wipe your Entra credentials from the face of the earth.
“We're introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources. This update allows users to create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN),” Microsoft announced.
This new passkey-friendly experience does away with passwords altogether, helping to protect against traditional phishing and credential stuffing attacks. The FIDO2 private key required to access your account is stored securely in a Trusted Platform Module or secure enclave on your device, meaning it cannot be transmitted from the device over a network.
Microsoft Entra passkeys on Windows devices are currently opt-in and will enter public preview around mid-March to late April 2026. To enroll, IT administrators need to do the following:
- Enable the Passkeys (FIDO2) authentication method in the Entra Authentication Methods policies
- Create a passkey profile with the required Windows Hello AAGUIDs
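To show what an AAGUID restriction means in practice, here is an added example (not from the article and not Microsoft's code) of a relying party reading the AAGUID from WebAuthn authenticator data and checking it against an allowlist. The allowlist value, the RP ID and the function names are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Constructed placeholder allowlist, NOT real Windows Hello AAGUIDs; use the
# values your tenant's passkey profile actually permits.
ALLOWED_AAGUIDS = {uuid.UUID("11111111-2222-3333-4444-555555555555")}
FLAG_UV, FLAG_AT = 0x04, 0x40  # user verified / attested credential data present


def parse_auth_data(auth_data: bytes):
    """Return (rp_id_hash, flags, aaguid or None) from authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("shorter than the 37-byte fixed header")
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", auth_data[:37])
    if not flags & FLAG_AT:
        return rp_id_hash, flags, None
    if len(auth_data) < 55:
        raise ValueError("AT flag set but attested credential data truncated")
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_len:
        raise ValueError("credential ID truncated")
    return rp_id_hash, flags, aaguid


def registration_allowed(auth_data: bytes, rp_id: str):
    """Relying-party checks implied by an AAGUID allowlist; returns (ok, reason)."""
    try:
        rp_id_hash, flags, aaguid = parse_auth_data(auth_data)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & FLAG_UV:
        return False, "user verification not performed"
    if aaguid is None:
        return False, "no attested credential data"
    if aaguid not in ALLOWED_AAGUIDS:
        return False, "AAGUID not in allowlist"
    return True, "ok"


def build_sample(rp_id: str, aaguid: uuid.UUID, flags: int) -> bytes:
    """Constructed sample authenticator data (COSE public key omitted)."""
    cred_id = b"\xaa" * 16
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", 0) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id)
```

An AAGUID is only as trustworthy as the attestation statement that accompanies it; this sketch skips attestation verification and covers only the allowlist decision.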
It’s not all good news though. Microsoft Authenticator is now scanning for jailbroken or rooted devices, and will warn, block, and then automatically wipe Entra credentials from devices it deems unworthy.
Microsoft Authenticator for Android is already scanning devices, but the rollout for iOS devices doesn’t start until April 2026.
If your device is found to be rooted or jailbroken, the following steps will happen in ~1 month increments:
- Your device will display a warning message stating that the device is rooted or jailbroken, and that the device will be blocked.
- The device will then enter ‘Wipe Mode’, and will scrub all existing Entra credentials from the device.
The process is automatic, and there is no opt-out. While Microsoft has its best intentions at heart, especially as rooted or jailbroken phones can circumvent critical security controls, there are some good reasons users seek to crack their device.
Some apps and software don't play well with certain operating systems, especially those designed to keep everything neat, tidy, organized, and verified within its own ecosystem - such as Android.
Speaking to The Register, a Microsoft spokesperson said, “Microsoft Authenticator is not officially supported on GrapheneOS and Entra accounts may be impacted in the future on devices running GrapheneOS that are detected as rooted.”
“Microsoft uses a range of local health and anti‑tampering checks to detect rooted or jailbroken devices. As new threats emerge, these protections are continuously updated. To help limit circumvention and maintain effectiveness, Microsoft does not publicly disclose specific detection methods.”
Benedict has been with TechRadar Pro for over two years, and has specialized in writing about cybersecurity, threat intelligence, and B2B security solutions. His coverage explores the critical areas of national security, including state-sponsored threat actors, APT groups, critical infrastructure, and social engineering.
Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the Centre for Security and Intelligence Studies at the University of Buckingham, providing him with a strong academic foundation for his reporting on geopolitics, threat intelligence, and cyber-warfare.
Prior to his postgraduate studies, Benedict earned a BA in Politics with Journalism, providing him with the skills to translate complex political and security issues into comprehensible copy.
TechRadar is part of Future US Inc, an international media group and leading digital publisher.
© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.



