It doesn't work. This is in the Recovery Environment, not in Desktop Environment. This feature appears to have been removed in Windows 11.
Hello Hanselosz,
My name is Nada, and I'm here to help you.
I'm sorry that you are experiencing this issue, and I will try my best to assist you.
Kindly press and hold the Windows key and press the Spacebar key. You should see your keyboard layout change options.
Just let us know if you need further assistance; I'll be more than happy to assist you.
So a user reports that a BitLocker screen has come up asking for a recovery key.
Figures, I'd ask them for the first 8 chars, but they send a photo.
First time I have ever seen "You're locked out!" and then being prompted for a BitLocker recovery key.
Saying
You're locked out!
Enter the recovery key to get going again (Keyboard Layout: US)
(enter here)
The wrong sign-in info has been entered too many times, so your PC was locked out to protect your privacy. See where you can find your recovery password based on following information. Or you can reset your PC.
Recovery Key ID (to identify your key): bleh-bleh-bleh
....
Anyone else seen BitLocker come up with this kind of setup?
Edit:
This is a device joined to our domain. Shouldn't multiple bad password attempts trigger a domain account lockout and not a device lockout? Or am I missing something here?
Edit 2: To clear up some confusion; I have the key and entering in a wrong key with a single digit wrong doesn't unlock the device, still wary to enter in the right one should there be actual malware. It's not a full screen thing, CTRL+ALT+DEL does nothing, nor does escape, expanding it to another monitor is showing black, if it was a full screen thing I think I'd see Windows normally. Could be wrong here lol
Rebooting appears to send me to the legit BitLocker Recovery. Device POSTs and within seconds sends me to BR like a real recovery scenario.
Seems legit, but could be legit for very bad reasons.
Shadow IT may be at hand here, with stricter policies against pwd failures, or malware. Working with our Sec Team now to see if a policy was applied to the device. Will post update soon.
Edit + Update 3: It's legit.
Shadow IT implemented an Intune policy that will trigger BitLocker if a user had failed to get into a local account after 10 tries. Following the failed attempts it asks for the BitLocker PIN which, if entered in wrong 8 times, causes it to request the recovery key.
From my loving shadow IT: "Yes, this is a legitimate BitLocker recovery attempt. A policy is in place to ensure security of local user and admin accounts. Please proceed with entering the recovery key."
It's a message that reads like a scam but is legit.
I go to Event Viewer to see the logs and sure enough, a user tried to access the local admin account 10 times, then logged in as their domain user account... Also locked the local admin account in the process.
I appreciate all of y'all's looking into this. This is a great community and I'm happy to be a part of it!
Due to our company's security policy all our clients are configured with BitLocker using the TPMandPIN KeyProtector with enhanced PINs enabled. The issue I'd like to remedy arises in a subset of our laptops which feature a German or Dutch keyboard layout.
When the users are prompted to enter their PIN on booting, the BitLocker Preboot Auth prompt only accepts an en-US keyboard layout. This leads to users with non-English keyboards frequently mixing up the special characters in their passwords as these are of course located on different keys than those expected.
Does anyone know a way to force the correct locale for the Preboot auth on these devices? Unfortunately I've only managed to find conflicting information online:
* Microsoft's documentation for the older W10 1607 explicitly stated that the en-US keymap is the only one available for preboot auth. Current BitLocker documentation does not state this anymore.
* Several forum threads on a German hardware forum asserted that the preboot auth locale corresponds to the locale of the installation media and that in some cases the corresponding language pack needs to be patched into the WinRE recovery environment.
All the requirements outlined above would be met in the configuration of our clients. Normally, no matter what, the en-US keymap is active in the preboot auth screen. BUT in a few freak cases the de-DE keymap was active in the preboot auth screen directly following deployment of the machine. Unfortunately this always reverted to en-US after a Windows Update run. I found some threads online that the alternate layout seemed to be a bug in WinRE - but this would be the desired configuration for my company.
Thanks in advance for any help!
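The layout mismatch described in the post above, as an added example that is not part of the original posts: it maps each character typed from de-DE keycaps to what an en-US-only preboot prompt receives, and lists the characters that sit on the same key in both layouts. The key tables and the names `ROWS`, `DE_TO_US`, `preboot_view`, `mismatches` and `layout_safe_chars` are constructed for this illustration; the Dutch layout is not covered.

```python
# Added example with constructed tables: the same physical keys, left to right,
# under de-DE and en-US. Each row: (de plain, us plain, de shifted, us shifted).
# Dead keys, AltGr combinations and the extra ISO key are not tabulated.
ROWS = [
    ("1234567890ß", "1234567890-", '!"§$%&/()=?', "!@#$%^&*()_"),
    ("qwertzuiopü+", "qwertyuiop[]", "QWERTZUIOPÜ*", "QWERTYUIOP{}"),
    ("asdfghjklöä#", "asdfghjkl;'\\", "ASDFGHJKLÖÄ'", 'ASDFGHJKL:"|'),
    ("yxcvbnm,.-", "zxcvbnm,./", "YXCVBNM;:_", "ZXCVBNM<>?"),
    (" ", " ", " ", " "),
]

UNMAPPED = "\N{REPLACEMENT CHARACTER}"  # marks characters missing from ROWS


def build_map(rows):
    """Pair characters that share a physical key: de-DE keycap -> en-US result."""
    table = {}
    for de_plain, us_plain, de_shift, us_shift in rows:
        if len(de_plain) != len(us_plain) or len(de_shift) != len(us_shift):
            raise ValueError("misaligned key row")
        table.update(zip(de_plain, us_plain))
        table.update(zip(de_shift, us_shift))
    return table


DE_TO_US = build_map(ROWS)


def preboot_view(pin):
    """String an en-US prompt receives when `pin` is typed by de-DE keycaps."""
    return "".join(DE_TO_US.get(ch, UNMAPPED) for ch in pin)


def mismatches(pin):
    """(position, typed, received) for each character that does not survive."""
    return [(i, ch, DE_TO_US.get(ch)) for i, ch in enumerate(pin)
            if DE_TO_US.get(ch) != ch]


def layout_safe_chars():
    """Characters that sit on the same key in both layouts."""
    return "".join(sorted(ch for ch, us in DE_TO_US.items() if ch == us))


if __name__ == "__main__":
    for sample in ("Winter$2024.", "Zebra!2024", "Pa&/y"):  # constructed PINs
        print(repr(sample), "->", repr(preboot_view(sample)), mismatches(sample))
    print("safe:", layout_safe_chars())
```

An empty `mismatches` result means the PIN types identically under both layouts; a received value of `None` means the character is not in the constructed tables.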