Changing the language and keyboard layout in the BitLocker Device Encryption pre-boot environment

Localization support in Windows 10 is pretty good, with most parts of the operating system and Windows platform supporting user-defined locale settings. By installing a language pack, you can change the interface language everywhere in Windows — except in the BitLocker Device Encryption pre-boot environment.

You normally can’t encrypt your Windows operating system drive with BitLocker unless your device has a Trusted Platform Module (TPM). However, you can configure Windows to prompt for a password in the pre-boot stage rather than relying on a TPM by enabling the Windows Components: BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup system policy.

When booting your device in such a setup you’ll be prompted with the following screen:

Pre-boot screen prompting for BitLocker password

This simple-looking screen is very limited when it comes to input. You can’t bring up the Windows on-screen keyboard, the Windows touch-screen keyboard, or change the keyboard input layout. You can’t use compositing keys or even press Ctrl+A to select all text in the input field. Normal conventions for input don’t apply on this screen.

This can be a problem for bilingual users who use multiple keyboard layouts or a single keyboard layout different from the Windows display language, and for users with custom keyboard layouts. Any custom layout would be installed onto the encrypted disk so it makes sense that it won’t be available on this screen. However, you don’t have any indication of what keyboard layout you’re using and input is obviously masked with * as this is a password field.

As you can see above, there also isn’t a keyboard layout indicator anywhere on the pre-boot screen.

What makes this more confusing is that the keyboard layout on this screen follows the default keyboard layout of the Windows installation media language, and not the Windows user, default, or system language and locale or keyboard layout settings. In other words, the only way to change the language and thus the keyboard layout on this screen is to download Windows installation media that uses your preferred keyboard layout and reinstall Windows.

Notably, when configuring a pre-boot environment password for Windows Device Encryption, you’ll be prompted to use letters, numbers, and special symbols. There is no warning or information provided if you’re using a keyboard layout that is different from the keyboard layout that you’ll be required to input on the boot screen.

Depending on your keyboard layout and language settings, it may in fact be impossible for you to input the same password again in the BitLocker pre-boot environment as you created for your system inside Windows. Unless you have your device’s BitLocker recovery key at the ready, you may be permanently locked out of your Windows installation.

Dialog prompting for new BitLocker password

So there are a lot of different problems with the BitLocker pre-boot environment and localization. It’s a pretty big deal that you can’t change the keyboard layout and language independently of each other. It’s even more of a problem when you can’t change the language without reinstalling the operating system from scratch. On top of these issues, the user isn’t notified in any way about these limitations when setting up their encryption password.

If the user were told that they’d be limited to another keyboard layout for their password, they could avoid including symbols and characters/numbers in their password that vary between their own keyboard layout and the pre-boot environment keyboard layout. This isn’t a good solution, but it would at least help users avoid locking themselves out of their own computers.
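The check described above can be sketched in a few lines. This is an added example, not part of the original post: the two layout tables are constructed partial excerpts (number row and letter keys only) of the US and German layouts, and the names `LAYOUTS` and `preboot_report` are hypothetical. It assumes you know which layout the pre-boot screen uses, that is, the default layout of your installation media language.

```python
# Constructed excerpt of two layouts: the same physical keys in the same order
# (number row, then the three letter rows). Not a complete layout table.
LAYOUTS = {
    # layout: (characters without Shift, characters with Shift)
    "en-US": ("1234567890-qwertyuiopasdfghjklzxcvbnm",
              "!@#$%^&*()_QWERTYUIOPASDFGHJKLZXCVBNM"),
    "de-DE": ("1234567890ßqwertzuiopasdfghjklyxcvbnm",
              '!"§$%&/()=?QWERTZUIOPASDFGHJKLYXCVBNM'),
}


def _keymap(layout):
    """Map each character of one layout to (physical key index, shifted?)."""
    plain, shifted = LAYOUTS[layout]
    keys = {c: (i, False) for i, c in enumerate(plain)}
    keys.update({c: (i, True) for i, c in enumerate(shifted)})
    return keys


def preboot_report(password, typed_layout, preboot_layout):
    """Return one finding per risky character:
    (char, what the same keystroke produces at pre-boot or None if the key
    is outside the excerpt, whether char can be typed at pre-boot at all)."""
    typed = _keymap(typed_layout)
    preboot_chars = set("".join(LAYOUTS[preboot_layout]))
    findings = []
    for ch in password:
        if ch not in typed:
            # Character is not covered by the excerpt: flag it for manual review.
            findings.append((ch, None, ch in preboot_chars))
            continue
        idx, shift = typed[ch]
        produced = LAYOUTS[preboot_layout][1 if shift else 0][idx]
        if produced != ch:
            findings.append((ch, produced, ch in preboot_chars))
    return findings


if __name__ == "__main__":
    # Constructed sample password, set in Windows on a German layout while
    # the pre-boot screen uses the US layout.
    for ch, produced, typeable in preboot_report("Zug&ß", "de-DE", "en-US"):
        print(f"{ch!r}: same key gives {produced!r}, typeable at pre-boot: {typeable}")
```

An empty result means every character sits on the same key in both excerpts; a finding whose last field is `False` marks a character that cannot be entered on the pre-boot layout at all.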

I can’t really fault Microsoft for not making localization work perfectly in an optional feature that has to be enabled by group policy. However, Microsoft should at least have provided their users with more information about the limitations of this feature to help people avoid characters and symbols in passwords that won’t work in.


You can leave feedback to Microsoft and vote on this report in the Windows Feedback Hub (link only works on Windows 10) to let them know you consider this an important issue.