In this article I present a simple solution to prevent that the keyboard layout changes unexpectedly on the Windows lock screen. This information is intended for Windows Server 2016 and RDP and ICA sessions. It may apply to other operating systems as well.
The situation is as follows:
- You start an RDP or ICA session as an administrator or user.
- The keyboard language in the active session is correct (for example German):
- However, as soon as the screen is locked, the keyboard language changes to another language (for example English).
The exact cause for this issue is unknown to me. What is sure though is that it can only happen when multiple languages and/or language packs are in play. Also, the lock screen runs in the context of the Local System account (as opposed to the active session that runs in the user's own context). In the solution below we modify settings that belong to the Local System account to solve this issue.
This issue is reported on the Internet here and there. I even opened a case with Microsoft concerning this issue, but so far it did not lead to any solution. All I have is a workaround which seems to do the trick.
The solution (or workaround to be more precise)
The workaround to solve this issue is to remove the following two registry keys:
- HKU\.DEFAULT\Control Panel\International\User Profile
- HKU\.DEFAULT\Control Panel\International\User Profile System Backup
This method is NOT supported by Microsoft. Although I am not aware of any negative impact, removing these registry keys is at your own risk. I also strongly suggest that you test this solution before implementing it in production.
You can remove these keys using a Microsoft Group Policy Preference (or you can use Workspace Environment Manager or another product).
As you can see in the screenshot, the keys are removed in the User Configuration section instead of Computer Configuration. The reason for this is that these keys are recreated at each logon. This applies to both standard users as well as administrators. Therefore, this Group Policy should be applied to all logons.
The easiest way to make sure that the Group Policy is applied to both users and administrators is to set the scope to Authenticated Users. In case you have separate Group Policies for administrators and users you will have to include the removal of the aforementioned registry keys in multiple Group Policies.
Now, you may wonder how it is possible that standard users are able to delete registry keys that are located in the HKEY_Users hive. More importantly, the path is HKU\.Default, which contains the registry settings for the Local System account (the lock screen runs under the Local System account).
The reason why a standard user can remove keys from the HKU hive is because User Group Policies are not applied using the security context of the current user. Instead, Group Policies are executed in the local system security context.
This behavior was changed with Microsoft Security Update MS16-072 in June 2016. Before June 2016, User Group Policies were executed in the current user's security context. Since June 2016, User Group Policies which scope is not set to Authenticated Users still need to grant either the group Authenticated Users or Domain Computers read access to the Group Policy.
This change is also the reason why the option Run in logged-on user's security context exists in the Common tab of a Group Policy Preference. This option can be used to force a Group Policy Preference to be applied in the security context of the current user instead of the local system.
In case anyone has a better way how to prevent the keyboard layout from changing on the Windows lock screen and wants to share it with the rest of us than please contact me so I can add it to this article.