ssh-agent does not have the required privileges when installed from chocolatey #2220

EchterAgo started this conversation in General

I know this is an issue with the chocolatey package, but for some reason I can't comment there, so I just wanted to share this in case someone has the same issue:

I was diagnosing why my Yubikey FIDO2 did not work through the agent, but works when I explicitly specify the key to ssh on the command line.

The error I got is `sign_and_send_pubkey: signing failed for ECDSA-SK "yubikey-5-nfc-primary" from agent: agent refused operation`. I enabled `LogLevel DEBUG3` in `sshd_config` and then saw these messages in the event log:

```
ssh-agent: error: CreateProcessAsUserW failed error:1314
ssh-agent: error: start_helper: failed to spwan process C:\\Program Files\\OpenSSH\\ssh-sk-helper.exe
ssh-agent: error: cannot sign using retrieved key
```

After some diagnosis I found out that my ssh-agent service does not have the correct privileges when installed through chocolatey.

After installation from chocolatey:

```
>sc qprivs ssh-agent
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: ssh-agent
 PRIVILEGES :
```

But when I install the .msi package from this repo or using winget everything seems to work fine:

```
>sc qprivs ssh-agent
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: ssh-agent
 PRIVILEGES : SeAssignPrimaryTokenPrivilege
 : SeTcbPrivilege
 : SeBackupPrivilege
 : SeRestorePrivilege
 : SeImpersonatePrivilege
```

This can be fixed using this command:

```
sc privs ssh-agent SeAssignPrimaryTokenPrivilege/SeTcbPrivilege/SeBackupPrivilege/SeRestorePrivilege/SeImpersonatePrivilege
```

One thing I noticed that is broken without these privileges is ssh-agent's ability to spawn the ssh-sk-helper for FIDO2 security keys as the current user.
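
The check described in the post above, as an added PowerShell example that is not part of the original post or the Win32-OpenSSH project: it parses `sc.exe qprivs` output and reports which of the five privileges listed in the post are missing. The function names `Get-ScPrivileges` and `Test-SshAgentPrivileges` are hypothetical, and the sample input is constructed from the output shown in the post.

```powershell
# Expected list: the privileges the post reports for the MSI/winget install.
$Expected = @(
    'SeAssignPrimaryTokenPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege',
    'SeRestorePrivilege', 'SeImpersonatePrivilege'
)

function Get-ScPrivileges {
    # Hypothetical helper: extract privilege names from "sc qprivs" output lines.
    param([string[]]$Lines)
    $privs = @()
    $inList = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*PRIVILEGES\s*:\s*(\S*)') {
            # First entry shares the line with the label; it is empty when none are set.
            $inList = $true
            if ($Matches[1]) { $privs += $Matches[1] }
        } elseif ($inList -and $line -match '^\s*:\s*(\S+)') {
            # Continuation lines carry one privilege each after a bare colon.
            $privs += $Matches[1]
        }
    }
    return ,$privs
}

function Test-SshAgentPrivileges {
    # Hypothetical helper: compare parsed privileges against the expected list.
    param([string[]]$Lines)
    $have = Get-ScPrivileges -Lines $Lines
    $missing = @($Expected | Where-Object { $_ -notin $have })
    [pscustomobject]@{
        Present    = $have
        Missing    = $missing
        Compliant  = ($missing.Count -eq 0)
        # Same command as in the post; printed for review, never executed here.
        FixCommand = if ($missing.Count) { "sc.exe privs ssh-agent $($Expected -join '/')" }
    }
}

# Constructed sample: the empty PRIVILEGES output from the Chocolatey install.
$sample = @(
    '[SC] QueryServiceConfig2 SUCCESS',
    'SERVICE_NAME: ssh-agent',
    ' PRIVILEGES :'
)
Test-SshAgentPrivileges -Lines $sample | Format-List

# Live check on a Windows host (use sc.exe: in Windows PowerShell, "sc" is an
# alias for Set-Content):
# Test-SshAgentPrivileges -Lines (& sc.exe qprivs ssh-agent) | Format-List
```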


@EchterAgo - I just pushed the new version openssh.9.5.0-beta20240403.nupkg (you would have to specify the version to access it before moderation is done)

Here are my testing results from installing an older version and then upgrading with the new version with your command:

[Image: 2024-04-03_07-49-27]


Thanks, I tested it and it works as expected now.


I think you pushed the wrong version, @DarwinJS, looks like you fixed the privilege problem but pushed 8.6.0 binaries in the 9.5.0 beta nupkg.
