In this article I present a simple solution to prevent that the keyboard layout changes unexpectedly on the Windows lock screen. This information is intended for Windows Server 2016 and RDP and ICA sessions. It may apply to other operating systems as well.
| Note: for other keyboard related issues please see the article Solving keyboard layout issues in an ICA or RDP session on this website. |
The issue
The situation is as follows:
- You start an RDP or ICA session as an administrator or user.
- The keyboard language in the active session is correct (for example German):
- However, as soon as the screen is locked, the keyboard language changes to another language (for example English).
The cause
The exact cause for this issue is unknown to me. What is sure though is that it can only happen when multiple languages and/or language packs are in play. Also, the lock screen runs in the context of the Local System account (as opposed to the active session that runs in the user’s own context). In the solution below we modify settings that belong to the Local System account to solve this issue.
This issue is reported on the Internet here and there. I even opened a case with Microsoft concerning this issue, but so far it did not lead to any solution. All I have is a workaround which seems to do the trick.
The solution (or workaround to be more precise)
The workaround to solve this issue is to remove the following two registry keys:
- HKU\.DEFAULT\Control Panel\International\User Profile
- HKU\.DEFAULT\Control Panel\International\User Profile System Backup
| Important! This method is NOT supported by Microsoft. Although I am not aware of any negative impact, removing these registry keys is at your own risk. I also strongly suggest that you test this solution before implementing it in production. |
You can remove these keys using a Microsoft Group Policy Preference (or you can use Workspace Environment Manager or another product).
As you can see in the screenshot, the keys are removed in the User Configuration section instead of Computer Configuration. The reason for this is that these keys are recreated at each logon. This applies to both standard users as well as administrators. Therefore, this Group Policy should be applied to all logons.
The easiest way to make sure that the Group Policy is applied to both users and administrators is to set the scope to Authenticated Users. In case you have separate Group Policies for administrators and users you will have to include the removal of the aforementioned registry keys in multiple Group Policies.
Now, you may wonder how it is possible that standard users are able to delete registry keys that are located in the HKEY_Users hive. More importantly, the path is HKU\.Default, which contains the registry settings for the Local System account (the lock screen runs under the Local System account).
The reason why a standard user can remove keys from the HKU hive is because User Group Policies are not applied using the security context of the current user. Instead, Group Policies are executed in the local system security context.
This behavior was changed with Microsoft Security Update MS16-072 in June 2016. Before June 2016, User Group Policies were executed in the current user’s security context. Since June 2016, User Group Policies which scope is not set to Authenticated Users still need to grant either the group Authenticated Users or Domain Computers read access to the Group Policy.
This change is also the reason why the option Run in logged-on user’s security context exists in the Common tab of a Group Policy Preference. This option can be used to force a Group Policy Preference to be applied in the security context of the current user instead of the local system.
In case anyone has a better way how to prevent the keyboard layout from changing on the Windows lock screen and wants to share it with the rest of us than please contact me so I can add it to this article.
Dennis Span works as a Lead Account Technology Strategist at Cloud Software Group in Vienna, Austria. He holds multiple Citrix certifications (CCE-V). Dennis has been a Citrix Technology Advocate (CTA) since 2017 (+ one year as Citrix Technology Professional, CTP). Besides his interest in virtualization technologies and blogging, he loves spending time with his family as well as snowboarding, playing basketball and rowing. He is fluent in Dutch, English, German and Slovak and speaks some Spanish.
I don’t know the procedures for doing this one and actually I have same problem just that the change language bar disappear completely so I will only type with English, and the password of the system is in Arabic.
Pls help me so I can retrieve my password. Thank u soo.much
Hi Abdussamad,
If you want to add the Arabic keyboard on the Windows lock screen you have to add it to the Windows registry. Open regedit.exe and go to HKEY_USERS\.DEFAULT\Keyboard Layout\Preload. To add a new keyboard, you have to add a new REG_SZ value. The name of this REG_SZ value should a number and should be one higher than the highest existing REG_SZ value (e.g. 1, or 2 or 3, etc.). The keyboard identifier for Arabic is 00000401 (https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-language-pack-default-values). I hope this helps you.