Event banner
Event details
We are investigating an issue where some users see “Other user” as the default login option on the Windows sign-in screen, even though they are the primary user. This occurs when both Windows Hello for Business (WHfB) and a physical security key are enabled.
Observed scenarios:
With both WHfB and a security key plugged in, the system defaults to “Other user” and prompts for the security key PIN.
If WHfB is enabled and no key is inserted, the expected user is shown and WHfB methods (PIN/biometric) are available.
If WHfB is disabled but a key is inserted, the expected user is shown and the key PIN prompt appears.
Key insight:
The issue only occurs when both WHfB and a security key are present. Windows prioritises the security key flow, which triggers the “Other user” screen.
Question:
Is this behaviour expected by design, and is there a recommended policy or configuration to prevent Windows from defaulting to “Other user” when both WHfB and security keys are available
MicrosoftCarol254 Thanks for the question. This is expected behavior. When Windows Hello for Business and a security key (like FIDO2, for example) are both enabled, Windows prioritizes its credential providers (like PIN or biometrics, etc...) and may not immediately associate the plugged-in FIDO2 key with a specific user. However, when WHfB is disabled (or not enabled) then Windows relies on standard credential providers, including the security key, and therefore associates the key with the user immediately.
You can use the PolicyCSP or Settings Catalog (preferred) to configure the default credential provider. The credential providers are in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers or you can use a local GPO if you want to test it first: Computer Configuration > Administrative Templates > System > Logon.
Hope this helps.