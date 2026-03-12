BYOD policies just got more secure with Entra passkeys for Windows Hello

Windows devices will be more resistant to phishing and credential stuffing

Microsoft Authenticator is scanning for rooted and jailbroken devices

Windows devices are getting native passkey support thanks to the rollout of Microsoft Entra passkeys to all supported devices. By making use of Windows Hello, users can use their facial scan, fingerprint, or PIN as a local authenticator.

The move allows employees making use of bring-your-own-device (BYOD) policies to secure their work accounts without handing over full device management to their company.

But Microsoft Authenticator is also on the hunt for rooted and jailbroken devices, and will wipe Entra credentials from any it finds.

Entra passkeys are now easier to use and more secure

“We're introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources. This update allows users to create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN),” Microsoft announced.

This passkey-based sign-in takes the password out of the flow entirely, which is what defeats traditional phishing and credential-stuffing attacks: there is no shared secret for an attacker to capture, guess, or reuse. The FIDO2 private key is generated and kept in the device's Trusted Platform Module or equivalent secure hardware and never leaves it. At sign-in the key only signs a fresh challenge from the identity provider, and that signature is bound to the relying party's identity, so a lookalike site relaying the login page gets nothing it can use.
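To make the phishing-resistance argument concrete, the following Go program is an added example written for this page; it is not Microsoft's code and does not use any Entra API. It models the Windows Hello container as an in-memory map of device-bound P-256 keys that are never exported, simulates the FIDO2 assertion format (authenticatorData followed by the hash of clientDataJSON) with the Go standard library, and checks it the way a relying party would. The relying-party ID `login.microsoft.com`, the matching origin, and the lookalike domain `login-microsoft.example` are assumed values chosen for illustration; attestation and signature-counter tracking are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Relying-party values assumed for this example (not taken from the article).
const rpID = "login.microsoft.com"
const origin = "https://login.microsoft.com"
// Authenticator stands in for the Windows Hello container: keys are generated here,
// never exported, and each is bound to the rpId it was registered for.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a device-bound credential for rp and hands back only the public key.
func (a Authenticator) Register(rp string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // error only if the OS RNG fails
	a[rp] = priv
	return &priv.PublicKey
}

// Assert signs a challenge as a FIDO2 authenticator does over authenticatorData || SHA-256(clientDataJSON).
// rp is what the browser derived from the page origin; a lookalike domain yields a different rp, so the lookup fails.
func (a Authenticator) Assert(rp, pageOrigin string, challenge []byte, counter uint32) (authData, cdJSON, sig []byte, err error) {
	priv, ok := a[rp]
	if !ok {
		return nil, nil, nil, fmt.Errorf("no credential registered for rpId %q", rp)
	}
	rpHash := sha256.Sum256([]byte(rp))
	authData = binary.BigEndian.AppendUint32(append(rpHash[:], 0x05), counter) // flags 0x05: user present + user verified
	cdJSON, _ = json.Marshal(map[string]string{
		"type": "webauthn.get", "challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": pageOrigin,
	})
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return authData, cdJSON, sig, err
}

// Verify is the relying party's side (standing in for Entra): origin, fresh challenge
// and rpId binding are checked before the signature. Counter tracking is omitted.
func Verify(pub *ecdsa.PublicKey, expected []byte, authData, cdJSON, sig []byte) error {
	cd := map[string]string{}
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd["type"] != "webauthn.get" {
		return fmt.Errorf("malformed clientDataJSON or wrong ceremony type")
	}
	if cd["origin"] != origin {
		return fmt.Errorf("origin %q is not this relying party", cd["origin"])
	}
	got, err := base64.RawURLEncoding.DecodeString(cd["challenge"])
	if err != nil || string(got) != string(expected) {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("rpIdHash does not match this relying party")
	}
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("invalid signature")
	}
	return nil
}

func newChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// RunScenarios plays one genuine sign-in and three attacks; a nil error means the RP accepted.
func RunScenarios() (legit, phished, wrongOrigin, replayed error) {
	auth := Authenticator{}
	pub := auth.Register(rpID)
	// 1. Genuine sign-in at the real origin with a fresh challenge.
	ch := newChallenge()
	ad, cd, sig, _ := auth.Assert(rpID, origin, ch, 1)
	legit = Verify(pub, ch, ad, cd, sig)
	// 2. A phishing proxy relays the real challenge from a lookalike domain (constructed); the browser derives rpId from it.
	_, _, _, phished = auth.Assert("login-microsoft.example", "https://login-microsoft.example", newChallenge(), 2)
	// 3. Even if a tampered client signed for the real rpId, clientDataJSON carries the phishing origin.
	ch3 := newChallenge()
	ad3, cd3, sig3, _ := auth.Assert(rpID, "https://login-microsoft.example", ch3, 3)
	wrongOrigin = Verify(pub, ch3, ad3, cd3, sig3)
	// 4. Replaying the captured genuine assertion against the next login's challenge.
	replayed = Verify(pub, newChallenge(), ad, cd, sig)
	return
}

func main() {
	fmt.Println(RunScenarios())
}
```

Running it prints `<nil>` for the genuine sign-in and an error for each of the three attacks. The point to take from the second scenario is that the phishing attempt does not even reach the relying party: the credential is selected by the rpId the browser derives from the page's real origin, so there is nothing for a lookalike domain to relay, which is the property a password or one-time code can never offer.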

Entra passkeys on Windows is currently opt-in and will enter public preview between mid-March and late April 2026. To roll it out, IT administrators need to do the following:

1. Enable the Passkeys (FIDO2) authentication method in the Entra Authentication Methods policy
2. Create a passkey profile with the required Windows Hello AAGUIDs
3. Assign the profile to the appropriate groups

Cracked devices will be wiped

It’s not all good news though. Microsoft Authenticator is now scanning for jailbroken or rooted devices, and will warn, block, and then automatically wipe Entra credentials from devices it deems unworthy.

Microsoft Authenticator for Android is already scanning devices, but the rollout for iOS devices doesn’t start until April 2026.

If your device is found to be rooted or jailbroken, the following steps happen in roughly one-month increments:

1. The device displays a warning stating that it is rooted or jailbroken and that it will be blocked.
2. The user is blocked from accessing Microsoft Entra credentials or using Microsoft Authenticator to sign in.
3. The device enters 'Wipe Mode', and all existing Entra credentials are scrubbed from it.


The process is automatic, and there is no opt-out. While Microsoft's intentions are good, particularly since a rooted or jailbroken phone can circumvent critical security controls, there are legitimate reasons users root their devices.

Some apps and software don't play well with certain operating systems, particularly hardened builds of Android that keep everything locked down and verified within their own ecosystem, and Microsoft's checks may treat such devices as rooted.

Speaking to TheRegister, a Microsoft spokesperson said, “Microsoft Authenticator is not officially supported on GrapheneOS and Entra accounts may be impacted in the future on devices running GrapheneOS that are detected as rooted.”

“Microsoft uses a range of local health and anti‑tampering checks to detect rooted or jailbroken devices. As new threats emerge, these protections are continuously updated. To help limit circumvention and maintain effectiveness, Microsoft does not publicly disclose specific detection methods.”