Some information, should it be relevant to others:
- I'm able to log in using a YubiKey 5 NFC security key when on the corporate network (office or VPN), internet only, or completely offline, but I had associated the key a while ago and subsequently installed updates to now be running Windows 10 v20H2.
- A new user running Windows 10 v20H2, also with a YubiKey 5 NFC, is unable to log in when they do not have line of sight to the AD servers.
It's also massively confusing getting users to understand that only the last Azure AD / Office 365 account associated with a security key is the one that Windows attempts to use during login. This means that users that get assigned privileged Azure AD accounts (e.g. adm-azure-xxx@blahblah) need to jump through the following hoops:
- Browse to https://aka.ms/mysecurityinfo in an incognito tab, log in as the new account (adm-azure-xxx@blahblah) and then register the security key
- Browse to https://aka.ms/mysecurityinfo and log in using the day-to-day account, delete the associated security key and then immediately add it back again
Windows login will then authenticate using the day-to-day account, as it was the last account associated with the key...