Same problem here. Does anyone have a suggestion? Thank you! Edit: Just found this doc, it is not supported. https://video2.skills-academy.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows#unsupported-scenarios
Windows Security Key Login with Multiple Accounts on Key
We are currently implementing security key logins for Windows 11 using YubiKey FIDO keys on our AutoPilot deployed AzureAD only joined devices. So far the implementation is working well for the majority of our users.
Our administrators have separate high privilege administrator accounts so they have two AzureAD accounts associated with their YubiKey. When logging into websites and virtual machines they are able to select which account to use and therefore use the right account to access services.
The issue we are facing is with Windows logins. When using a YubiKey to login they are logged into the last account the user logged into the machine with, which is typically the 'wrong' account - normally their administrative account, rather than their low privileges account. This occurs even when the low privileges account is selected from the account picker on the Windows login screen.
How can Windows logins be configured to allow a single YubiKey to support multiple Windows accounts?
3 answers
Carsten S 0 Reputation points
2023-11-10T12:33:53.5866667+00:00
It seems that Windows logon uses the account which has been most recently added to the YubiKey. So: reset your YubiKey, re-register your administrative account(s) first, then finally register your normal account.
If you don't want to completely reset and re-register all your admin accounts, it might also work to only remove your normal account credentials with ykman.exe (https://tinyurl.com/mvw2bdmc) and re-register it so that it becomes the most recently added. But I have not tried this yet.
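As an added example (not part of the answer above, and not YubiKey Manager's own code), a PowerShell helper that follows the second, non-destructive approach: it shows the FIDO2 resident (discoverable) credentials currently on the key with `ykman fido credentials list`, then deletes the one credential ID you pass in with `ykman fido credentials delete`, so that the normal account can be re-registered afterwards and become the most recently added entry. The function and parameter names are mine, `ykman` is assumed to be installed and on PATH, and the list output is shown raw rather than parsed because its column layout differs between ykman versions.

```powershell
# Added example: make the low-privilege account the most recently added FIDO2
# credential on a YubiKey by deleting only that credential and re-registering it.
# Assumes the YubiKey Manager CLI (ykman) is installed and on PATH.

function Show-YubiKeyResidentCredentials {
    param([Parameter(Mandatory)][string]$Pin)
    # Prints every resident credential on the key (relying party, user, credential ID).
    $out = & ykman fido credentials list --pin $Pin 2>&1
    if ($LASTEXITCODE -ne 0) { throw "ykman failed: $out" }
    return $out
}

function Remove-YubiKeyResidentCredential {
    param(
        [Parameter(Mandatory)][string]$Pin,
        [Parameter(Mandatory)][string]$CredentialId   # copy from the list output
    )
    # ykman asks for confirmation before deleting; answer the prompt interactively.
    & ykman fido credentials delete $CredentialId --pin $Pin
    if ($LASTEXITCODE -ne 0) { throw "Deleting credential $CredentialId failed" }
}

# Interactive flow: list, pick the NORMAL account's credential, delete it.
$pin = Read-Host "YubiKey FIDO2 PIN"
Write-Host "Resident credentials currently on the key:"
Show-YubiKeyResidentCredentials -Pin $pin

$id = Read-Host "Credential ID of the NORMAL (low-privilege) account to delete"
Remove-YubiKeyResidentCredential -Pin $pin -CredentialId $id

Write-Host "Deleted. Re-register the normal account's security key in its account security settings;"
Write-Host "it then becomes the most recently added credential and the one Windows logon picks."
```

Only the credential for the account that should win at the Windows logon screen is removed; the administrative account credentials stay on the key, so their registrations do not have to be redone.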