Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to intelligence
widely-deployed-product-advisorystandards-framework-update

Microsoft and Bitwarden Expand Windows 11 Enterprise Authentication and Endpoint Onboarding Capabilities

Updated 2d agoFirst seen Mar 5, 20263 sources

Bitwarden announced support for passkey-based login on Windows 11, enabling phishing-resistant, passwordless sign-in using passkeys stored in a user’s encrypted Bitwarden vault. The flow uses the Windows “security key” option and a QR-code confirmation from a mobile device, with authentication performed via cryptographic challenge/response rather than transmitting shared secrets; Bitwarden positions this as reducing credential theft risk from phishing. The capability depends on Microsoft’s Windows 11 passkey provider support and requires specific enterprise conditions, including Entra ID–joined devices, FIDO2 security key sign-in enabled, and a registered Entra ID passkey stored in Bitwarden.

Microsoft also introduced an updated Defender deployment tool for Windows aimed at streamlining large-scale endpoint onboarding into Microsoft Defender. The tool packages onboarding information into a single downloadable .exe (reducing the need for separate onboarding files across modern and legacy systems), supports silent/non-interactive deployment via tools like Group Policy or Configuration Manager, and adds administrative controls to reduce risk if onboarding packages are shared externally (e.g., identifiers/keys, tracking, and package expiration up to one year). Microsoft Defender portal updates add improved guidance and visibility, with onboarding events surfaced in device timelines and advanced hunting to help teams monitor progress and troubleshoot errors during rollout.

Share:
Microsoft and Bitwarden Expand Windows 11 Enterprise Authentication and Endpoint Onboarding Capabilities
Stay ahead

Get ahead of threats like this

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.

EVENT TIMELINE

How this story unfolded

4 events from the most recent confirmed update back to the earliest known activity.

4 EVENTS
Mar 4, 20264mo ago

Bitwarden announces Windows 11 passkey sign-in support

Bitwarden announced support for signing into Windows 11 with passkeys stored in a Bitwarden vault, using a QR-code-based flow and positioning the feature as phishing-resistant for Entra ID enterprise environments. The feature is available across Bitwarden plans, including free, for Entra ID-joined devices with FIDO2 security key sign-in enabled.

Mar 3, 20264mo ago

Microsoft updates Defender deployment tool for Windows

Microsoft updated its Defender deployment tool for Windows to use a single downloadable executable for onboarding, add silent deployment support, improve visibility in device timeline and advanced hunting, and introduce package governance controls such as identifiers and optional expiration.

Mar 1, 20264mo ago

Microsoft begins rolling out Windows passkey login during March

Bitwarden said Microsoft's Windows passkey login capability would roll out during March 2026, with availability depending on an organization's Microsoft Entra ID configuration.

Nov 1, 20258mo ago

Microsoft introduces Windows 11 passkey provider API

Microsoft introduced a Windows 11 passkey provider API that allows third-party password managers such as Bitwarden and 1Password to store and manage passkeys for websites, apps, and eventually OS sign-in workflows.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

8 LINKEDOpen in app
Affected products
4 linked
Windows 11Windows 10Microsoft Entra Id1password
Organizations
4 linked
Microsoft CorporationBitwardenMeta Platforms1password
The operational view lives in Mallory

See the full picture, correlated to your attack surface.

This page covers what’s public. Mallory adds the parts that aren’t — which of your assets are affected, which threat actors are using it right now, which detections to deploy, and what to do next.
Exposure mapping

Map indicators from this story to your assets and identify affected systems in minutes.

Threat actor evidence

Every observed campaign, victim, and pivot linked to actors named in this story.

Associated malware

Malware, exploits, and IOCs connected to the activity described here.

Detection signatures

YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.

Scheduled alerts

Get matching new stories delivered to your team as they break — not the next morning.

AI threads

Ask questions about this story and take action on the answers.