

Bitlocker / Keyboard Language

Question

Wednesday, January 16, 2019 11:42 AM | 1 vote

Hi

Is there any way of overcoming the issue whereby the keyboard layout for Bitlocker PIN entry is English US?

My understanding is that the keyboard layout for the Bitlocker pre boot screen is taken from the installation media language, not the installed OS.

Our installed OS is English UK, from an English International (not US) source media.  Windows image created via MDT and deployed using SCCM Current Branch.

So from where is Bitlocker getting the keyboard layout?  WinPE perhaps?  If so .. which one?  MDT build/capture or SCCM OSD?

We're using Bitlocker with enhanced PIN so clearly the keyboard mismatch is going to cause issues with users.  For sure we can release comms telling them to avoid certain characters but it's far from an ideal situation.  Nor do we wish to add an additional input language.

Thanks in advance for any advice.

All replies (7)

Wednesday, January 16, 2019 12:33 PM ✅Answered

Hi.

I know all the details, so I think I can fully answer this.

The preboot PIN always assumes EN-US layout. No way around.

So what you can do and what Microsoft recommends, is to enter the enhanced PIN after switching to EN-US within Windows (you'll need to install that keyboard layout, first). Let's call that Plan A.

Plan B would be to abandon enhanced PINs and use numeric PINs. Honestly, most admins I saw here are unsure about the implications of doing so. Numeric PINs must be 6 or more digits, so that's at least 1,000,000 combinations and only (due to TPM lockout) 32 tries to brute force, leaving you secure enough, even with only 6 digits.

Plan C would be to set the enhanced PIN using a script that translates letters of EN-UK to EN-US. To give you an idea, I will show you how I did this (the following is extracted from my script, which translates DE-DE to EN-US):

$newpwclear = $newpwclear -creplace "@",""
$newpwclear = $newpwclear -creplace '"','@'
$newpwclear = $newpwclear -creplace "~",""
$newpwclear = $newpwclear -creplace "€",""
$newpwclear = $newpwclear -creplace "{",""
$newpwclear = $newpwclear -creplace "\",""
$newpwclear = $newpwclear -creplace "]",""
$newpwclear = $newpwclear -creplace "\","]"
$newpwclear = $newpwclear -creplace "}",""
$newpwclear = $newpwclear -creplace "\",""
$newpwclear = $newpwclear -creplace "z","ô"
$newpwclear = $newpwclear -creplace "y","z"
$newpwclear = $newpwclear -creplace "ô","y"
$newpwclear = $newpwclear -creplace "Z","ô"
$newpwclear = $newpwclear -creplace "Y","Z"
$newpwclear = $newpwclear -creplace "ô","Y"
$newpwclear = $newpwclear -creplace "ü","["
$newpwclear = $newpwclear -creplace "Ü","{"
$newpwclear = $newpwclear -creplace ":",">"
$newpwclear = $newpwclear -creplace "Ö",":"
$newpwclear = $newpwclear -creplace ";","<"
$newpwclear = $newpwclear -creplace "ö",";"
$newpwclear = $newpwclear -creplace "ô",";"
$newpwclear = $newpwclear -creplace "\",""
$newpwclear = $newpwclear -creplace "'","|"
$newpwclear = $newpwclear -creplace "Ä",'"'
$newpwclear = $newpwclear -creplace "'",""
$newpwclear = $newpwclear -creplace "ä","'"
$newpwclear = $newpwclear -creplace "#","\
$newpwclear = $newpwclear -creplace "-","ô"
$newpwclear = $newpwclear -creplace "&","^"
$newpwclear = $newpwclear -creplace "/","&"
$newpwclear = $newpwclear -creplace "ô","/"
$newpwclear = $newpwclear -creplace "§","#"
$newpwclear = $newpwclear -creplace "_","ô"
$newpwclear = $newpwclear -creplace "\","_"
$newpwclear = $newpwclear -creplace "ô","?"
$newpwclear = $newpwclear -creplace "\","}"
$newpwclear = $newpwclear -creplace "\","*"
$newpwclear = $newpwclear -creplace "\","("
$newpwclear = $newpwclear -creplace "=",")"
$newpwclear = $newpwclear -creplace "ß","-"

You get the idea, I think.



Wednesday, January 16, 2019 12:37 PM

Hi Ronald

Thank you very much for this detailed reply, it's very much appreciated.

I'll discuss with our security people the options we have.

Thanks again!


Thursday, January 17, 2019 3:03 AM | 1 vote

Hi,

Please refer to this link and check if it helps:

Changing the language and keyboard layout in the BitLocker Device Encryption pre-boot environment

Note: This is a third-party link and we do not have any guarantees on this website. This is just for your convenience. And Microsoft does not make any guarantees about the content.

Best regards,

Yilia 

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Thursday, January 17, 2019 8:10 AM

Yilia, did you read your own link? It only confirms the problem but has no solution.

@epoch: to add to the reason we use this script for: if someone has an enhanced PIN going yeah4234 and types that into my script's input, it will be converted to zeah4234 and set that way. So at the preboot screen, the user types yeah4234 and since our German keyboard has a "y" where the EN-US one has a "Z", Bitlocker gets the input as zeah4234, which is exactly what my script has set, so it matches and boots. Just in case this was not made clear.
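Added example, not from any poster in this thread: a single-pass version of the "Plan C" translation described above, written for the EN-GB to EN-US case the original question asks about, plus a check for characters the pre-boot prompt cannot accept (the 7-bit ASCII limit mentioned later in the thread). It maps each typed character once through a lookup table, so swapped pairs such as `"` and `@` need no placeholder character (the original script uses `ô` as a temporary marker to survive its chained `-creplace` calls). The key positions in the table, the sample PINs and the function names `ConvertTo-PrebootPin` and `Test-PrebootPinCharset` are my assumptions, drawn from the standard Windows EN-GB and EN-US layouts; the ISO 102nd key (`\` / `|` on a UK keyboard) is deliberately left out because its firmware mapping is not guaranteed.

```powershell
# Added example (not from the thread). Translate a PIN as typed on a UK
# (EN-GB) keyboard into the characters an EN-US keymap produces for the
# same physical keys, which is what the BitLocker pre-boot prompt receives.
# Save as UTF-8 with BOM so Windows PowerShell reads the non-ASCII keys.

# Case-sensitive table (assumption: standard Windows EN-GB vs EN-US layouts).
# Ordinal comparison matters if you extend this with letter swaps such as
# y/z for a QWERTZ layout: a default hashtable would treat 'y' and 'Y' alike.
$GbToUsKeymap = New-Object System.Collections.Hashtable([System.StringComparer]::Ordinal)
$GbToUsKeymap['"'] = '@'   # Shift+2
$GbToUsKeymap['£'] = '#'   # Shift+3
$GbToUsKeymap['@'] = '"'   # Shift+apostrophe
$GbToUsKeymap['#'] = '\'   # key left of Enter, unshifted
$GbToUsKeymap['~'] = '|'   # key left of Enter, shifted
$GbToUsKeymap['¬'] = '~'   # Shift+backtick

function ConvertTo-PrebootPin {
    # Returns the string BitLocker will see when $TypedPin is typed on a UK
    # keyboard at the EN-US pre-boot prompt. Single pass: each character is
    # looked up once, so swapped pairs never collide.
    param([Parameter(Mandatory)][string]$TypedPin)

    $out = New-Object System.Text.StringBuilder
    foreach ($ch in $TypedPin.ToCharArray()) {
        $key = [string]$ch
        if ($GbToUsKeymap.ContainsKey($key)) {
            [void]$out.Append($GbToUsKeymap[$key])
        } else {
            [void]$out.Append($ch)   # unchanged: same position on both layouts
        }
    }
    return $out.ToString()
}

function Test-PrebootPinCharset {
    # Reports characters in the translated PIN outside printable 7-bit ASCII,
    # which BIOS-based pre-boot PIN entry cannot accept at all.
    param([Parameter(Mandatory)][string]$PrebootPin)

    $problems = @()
    foreach ($ch in $PrebootPin.ToCharArray()) {
        $code = [int]$ch
        if ($code -lt 0x20 -or $code -gt 0x7E) {
            $problems += ('U+{0:X4} ({1}) is not printable 7-bit ASCII' -f $code, $ch)
        }
    }
    return $problems
}

# Constructed samples: PINs as a UK user would type them.
foreach ($typed in @('Pa"ss#w0rd@£1', 'Secret€1')) {
    $preboot = ConvertTo-PrebootPin -TypedPin $typed
    Write-Host "Typed on EN-GB : $typed"
    Write-Host "Seen by EN-US  : $preboot"
    Test-PrebootPinCharset -PrebootPin $preboot | ForEach-Object { Write-Warning $_ }
}

# To set the translated value as the protector (elevated session), e.g.:
#   $securePin = ConvertTo-SecureString $preboot -AsPlainText -Force
#   Add-BitLockerKeyProtector -MountPoint 'C:' -Pin $securePin -TpmAndPinProtector
# The user then types the original UK-layout PIN at the pre-boot prompt.
```

The first sample translates to `Pa@ss\w0rd"#1` with no warnings; the second keeps `€` (there is no EN-US key for it) and the check flags U+20AC, which is the case where you would reject the PIN rather than store it. Extending the table to a QWERTZ layout only needs entries such as `'y' = 'z'`, `'z' = 'y'`, `'Y' = 'Z'`, `'Z' = 'Y'`; because the mapping is single-pass, the placeholder trick in the original script is unnecessary.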


Thursday, January 17, 2019 8:51 AM

Hi Ronald

Thanks for the additional explanation.


Wednesday, September 11, 2019 9:25 AM

This post is not an answer.  It's simply confirmation that the issue exists.


Thursday, March 19, 2020 10:42 PM

This is a design limitation. There is no fix or resolution for this specific problem.

As per the BitLocker recommendation we advise that you set your PIN as per EN-US keyboard layout or use a numerical PIN if you are not able to enter an enhanced PIN on the pre-boot screen. When setting a BitLocker PIN by using the BitLocker setup wizard, the Manage-Bde command-line tool, or through Windows Management Instrumentation (WMI) remote administration, you can use the wide character set. However, system firmware, either BIOS or Unified Extensible Firmware Interface (UEFI), may only support a standard EN-US keyboard and keymap during system startup. Additionally, BIOS-based systems are limited to 7-bit ASCII input during PIN entry. Thus, the use of either non-English characters or keys that differ in position from the EN-US keymap, such as QWERTZ and AZERTY keyboards, may cause boot-time PIN entry to fail.

If your computer is affected by this limitation, it should be identified during the system check run by the BitLocker setup wizard. If it is not identified during the system check and the PIN is not able to be entered, you will need to supply the recovery key to unlock the drive. We recommend that users set their keyboard layout to EN-US during enhanced PIN entry to avoid PIN entry failure in the pre-boot environment. If you are unable to enter an enhanced PIN from your keyboard even after setting the keyboard layout to EN-US, you must use a numeric-only PIN.

Refer: /en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan

The Use of Foreign Language Keyboard in PreBoot Environment (Not WinRE) is not possible due to limitations of character set supported by BOOTMGR. Allowing use of Foreign Keyboard during Pre-boot would mean coding the BOOTMGR in such a way that it accepts the character sets of all the languages. This would be a complex change and would add a significant size to the BOOTMGR which would not be desirable. This is the reason why Microsoft has not included changing the Keyboard layout during pre-boot.