When you said... "I tried to register my external USB biometric authenticator with google passkey on windows 10 (version 10.0.19045.3208), it fails to register" ; where do you see the failure? Is the failure being seen from the server?
I believe Windows 10 uses Microsoft Webauthn API Version 2 and Windows 11 uses Microsoft Webauthn API Version 3/4
I would start by looking at the input to WebAuthnMakeCredential.
In both API Level 2 and API Level 3/4 the WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS structure contains...
// Optional. Require key to be resident or not. Defaulting to FALSE;
API Level 4 added
// Optional. Prefer key to be resident. Defaulting to FALSE. When TRUE,
// overrides the above bRequireResidentKey.
In your implementation, what are the values being passed into the WebAuthnMakeCredential API for Win 10 and Win 11 for the WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS fields mentioned above? Also in your implementation what version are you specifying for the DWORD dwVersion in the WEBAUTHN_AUTHENTICATOR_MAKE_CREDENTIAL_OPTIONS option structure for both OS's.
Using your USB monitor, can you see if the rk option is going to the authenticator and is it being set properly (for both OS's).
After the investigation of the input, I would look at the result of the WebAuthnMakeCredential API call (which is the WEBAUTHN_CREDENTIAL_ATTESTATION ) and the HRESULT.
I assume the HRESULT from the API is S_OK.
Microsoft introduced a BOOL bResidentKey in the WEBAUTHN_CREDENTIAL_ATTESTATION structure for its WebAuthn API Level 3.
This bResidentKey value should be present in the response for WebAuthnMakeCredential for Windows 11 and missing in Windows 10 responses. You may want to check the response DWORD dwVersion in the returned WEBAUTHN_CREDENTIAL_ATTESTATION for both your Windows 10 and Windows 11.
The actual resident key response is sent back to the relying party in the clientExtensionResults dictionary.
Since Windows 10 uses Microsoft Webauthn API Version 2, and that api version does not support the bResident key field in the WEBAUTHN_CREDENTIAL_ATTESTATION structure, I would expect credProps[rk] to be missing in the response to the relying party or if rk is present it would be false
Windows 11 should have a value for bResidentKey defined in the WEBAUTHN_CREDENTIAL_ATTESTATION return structure and the value of rk should be returned in the JSON response.
Hope that helps a little