- BYOD policies just got more secure with Entra passkeys for Windows Hello
- Windows devices will be more resistant to phishing and credential attacks
- Microsoft Authenticator scans for rooted and jailbroken devices
Windows devices gain native passkey support thanks to the rollout of Microsoft Entra passkeys to all supported devices. With Windows Hello, users can authenticate locally with a face scan, fingerprint or PIN.
The move lets employees on bring-your-own-device (BYOD) policies secure their work accounts without handing full device management over to their employer.
But Microsoft Authenticator is on the hunt for rooted and jailbroken devices and will wipe your Entra credentials off the face of the earth.
Entra passkeys are now easier and more secure
“We are introducing Microsoft Entra passkeys on Windows to enable phishing-resistant login to Entra-protected resources. This update allows users to create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN),” Microsoft announced.
This new passkey-friendly experience does away with passwords and helps protect against traditional phishing and credential attacks. The FIDO2 private key required to access your account is stored in a Trusted Platform Module or secure enclave on your device, meaning it cannot be transferred off the device over a network.
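The phishing resistance described above comes from what the authenticator signs, not just from where the key lives. The following Go program is an added illustration, not Microsoft code: a stand-in "authenticator" keeps a P-256 key that it never exposes, signs the WebAuthn-style message authenticatorData || SHA-256(clientDataJSON), and the relying party checks the challenge, the browser-supplied origin and the rpIdHash before the signature. The domains rp.example and rp-example.net and the challenge string are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is the subset of WebAuthn CollectedClientData used here. The
// browser, not the web page, fills in Origin, which is what defeats phishing.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticator stands in for the Windows Hello container: the private key is
// generated inside it and is never returned to a caller.
type authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // relying party ID the credential was created for
}

func newAuthenticator(rpID string) (*authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &authenticator{priv: priv, rpID: rpID}, nil
}

// PublicKey is all the relying party learns at registration.
func (a *authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedMessage is what WebAuthn signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Assert returns authenticatorData (only the rpIdHash in this demo), the
// clientDataJSON and an ECDSA signature over both.
func (a *authenticator) Assert(cd clientData) (authData, cdJSON, sig []byte, err error) {
	if cdJSON, err = json.Marshal(cd); err != nil {
		return nil, nil, nil, err
	}
	h := sha256.Sum256([]byte(a.rpID))
	authData = h[:]
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cdJSON))
	return authData, cdJSON, sig, err
}

// verifyAssertion is the relying-party side: challenge, origin and rpIdHash
// must all match before the signature is even checked.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected clientData type %q", cd.Type)
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch: replayed or stale assertion")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not the relying party's origin %q", cd.Origin, origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 32 || !bytes.Equal(authData[:32], want[:]) {
		return fmt.Errorf("rpIdHash mismatch: credential belongs to another relying party")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, cdJSON), sig) {
		return fmt.Errorf("invalid signature")
	}
	return nil
}

// runDemo registers a credential for rp.example, then checks a genuine login
// and a login relayed through a lookalike origin (both domains are constructed).
func runDemo() (genuine, phished error) {
	auth, err := newAuthenticator("rp.example")
	if err != nil {
		return err, err
	}
	const challenge = "constructed-challenge-1"
	ad, cj, sig, _ := auth.Assert(clientData{"webauthn.get", challenge, "https://rp.example"})
	genuine = verifyAssertion(auth.PublicKey(), "rp.example", "https://rp.example", challenge, ad, cj, sig)
	// A phishing page relays the real challenge, but the browser records its own origin.
	ad, cj, sig, _ = auth.Assert(clientData{"webauthn.get", challenge, "https://rp-example.net"})
	phished = verifyAssertion(auth.PublicKey(), "rp.example", "https://rp.example", challenge, ad, cj, sig)
	return genuine, phished
}
```

Calling `runDemo()` returns a nil error for the genuine login and an origin-mismatch error for the relayed one, even though the same key signed both: the attacker obtains a signature that only verifies for an origin the relying party refuses. A real browser would additionally refuse to use a credential whose rpID does not match the page's domain, so in practice the lookalike site never receives an assertion at all.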
Microsoft Entra passkeys on Windows are currently being rolled out and will go into public preview around mid-March to late April 2026. To enrol, IT administrators must do the following:
- Enable the passkey (FIDO2) authentication method in the Entra Authentication Methods policy
- Create a passkey profile with the required Windows Hello AAGUIDs
- Assign the profile to the relevant groups
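The AAGUID list in the steps above is what stops an arbitrary FIDO2 authenticator from being registered against the tenant. The Go program below is an added example, not Microsoft's code: it assumes the shape of the Microsoft Graph fido2AuthenticationMethodConfiguration resource and its keyRestrictions object (the newer passkey-profile object is not modelled), validates AAGUIDs, renders the JSON body an administrator would submit, and reproduces the allow/block decision for an AAGUID reported at registration. The AAGUID value used is a constructed placeholder, not a real Windows Hello identifier.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// keyRestrictions limits which authenticator models (identified by AAGUID) may
// register. With enforcementType "allow" only listed AAGUIDs register; with
// "block" listed AAGUIDs are rejected; isEnforced=false disables the list.
type keyRestrictions struct {
	IsEnforced      bool     `json:"isEnforced"`
	EnforcementType string   `json:"enforcementType"`
	AAGuids         []string `json:"aaGuids"`
}

// fido2Config is the part of the Graph resource this example needs (assumption).
type fido2Config struct {
	ODataType       string          `json:"@odata.type"`
	State           string          `json:"state"`
	KeyRestrictions keyRestrictions `json:"keyRestrictions"`
}

// Constructed placeholder; replace with the Windows Hello AAGUIDs Microsoft publishes.
const placeholderHelloAAGUID = "11111111-2222-3333-4444-555555555555"

var aaguidRe = regexp.MustCompile(`^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)

// normalizeAAGUID lower-cases and validates the canonical 8-4-4-4-12 form.
func normalizeAAGUID(s string) (string, error) {
	s = strings.ToLower(strings.TrimSpace(s))
	if !aaguidRe.MatchString(s) {
		return "", fmt.Errorf("invalid AAGUID %q", s)
	}
	return s, nil
}

// newAllowListConfig builds the enabled-with-allow-list policy body for
// PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2.
func newAllowListConfig(aaguids []string) (*fido2Config, error) {
	if len(aaguids) == 0 {
		return nil, fmt.Errorf("an enforced allow list with no AAGUIDs would block every authenticator")
	}
	cfg := &fido2Config{
		ODataType:       "#microsoft.graph.fido2AuthenticationMethodConfiguration",
		State:           "enabled",
		KeyRestrictions: keyRestrictions{IsEnforced: true, EnforcementType: "allow"},
	}
	for _, g := range aaguids {
		n, err := normalizeAAGUID(g)
		if err != nil {
			return nil, err
		}
		cfg.KeyRestrictions.AAGuids = append(cfg.KeyRestrictions.AAGuids, n)
	}
	return cfg, nil
}

// registrationAllowed applies the policy to the AAGUID an authenticator reports
// during registration.
func (c *fido2Config) registrationAllowed(aaguid string) (bool, error) {
	if c.State != "enabled" {
		return false, nil // method disabled: nobody registers
	}
	kr := c.KeyRestrictions
	if !kr.IsEnforced {
		return true, nil // weak setting: any FIDO2 authenticator may register
	}
	n, err := normalizeAAGUID(aaguid)
	if err != nil {
		return false, err
	}
	listed := false
	for _, g := range kr.AAGuids {
		if g == n {
			listed = true
			break
		}
	}
	switch kr.EnforcementType {
	case "allow":
		return listed, nil
	case "block":
		return !listed, nil
	}
	return false, fmt.Errorf("unknown enforcementType %q", kr.EnforcementType)
}

// patchBody renders the JSON an administrator would submit to Graph.
func (c *fido2Config) patchBody() (string, error) {
	b, err := json.MarshalIndent(c, "", "  ")
	return string(b), err
}
```

The practical check is the `IsEnforced` branch: a tenant that enables the FIDO2 method but leaves key restrictions unenforced accepts any authenticator model, so the Windows Hello profile should be verified to be both assigned and enforced after the rollout.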
Rooted devices will be wiped
It’s not all good news, though. Microsoft Authenticator now scans for jailbroken or rooted devices and will warn, block, and then automatically delete Entra credentials from devices it deems unworthy.
Microsoft Authenticator for Android already scans devices, but the rollout to iOS devices won’t start until April 2026.
If your device turns out to be rooted or jailbroken, the following steps will happen at roughly one-month intervals:
- Your device will display a warning message that the device is rooted or jailbroken and that the device will be bricked.
- Users will then be blocked from accessing Microsoft Entra credentials or using Microsoft Authenticator to sign in.
- The device will then go into ‘Wipe Mode’ and will scrub all existing Entra credentials from the device.
The process is automatic and there is no opt-out. While Microsoft has the best intentions at heart, especially since rooted or jailbroken phones can bypass critical security checks, there are some good reasons why users seek to jailbreak their device.
Some apps and software don’t play well with certain operating systems, especially those designed to keep everything nice, tidy, organized and verified in its own ecosystem – such as Android.
Speaking to The Register, a Microsoft spokesperson said: “Microsoft Authenticator is not officially supported on GrapheneOS, and Entra accounts may be affected in the future on devices running GrapheneOS that are registered as rooted.”
“Microsoft uses a series of local health and anti-tampering checks to detect rooted or jailbroken devices. As new threats emerge, these protections are updated continuously. To help limit circumvention and maintain effectiveness, Microsoft does not publish specific detection methods.”