Microsoft will remove support for the syskey.exe utility in Windows 10 RS3 and Windows Server 2016 RS3 this fall. According to the company, the syskey encryption key and the use of syskey.exe are no longer considered secure. Syskey is based on weak cryptography that can easily be broken today.
The data that is protected by syskey is very limited and does not cover all files or data on the OS volume. The syskey.exe utility has also been known to be used by hackers as part of ransomware scams.
Changes in Windows 10 Fall Creators Update and Windows Server 2016 RS3:
- The syskey.exe utility is no longer included in Windows.
- Windows will never prompt for a syskey password during startup.
- Windows will no longer support installing an Active Directory domain controller by using Install-From-Media (IFM) that was externally encrypted by the syskey.exe utility.
The company has confirmed that if an operating system was externally encrypted by the syskey.exe utility, users will be unable to upgrade that OS to Windows 10 Fall Creators Update or Windows Server 2016 RS3.
The syskey.exe utility was first introduced in Windows 2000. Syskey itself is a Windows internal root encryption key that is used to encrypt other sensitive OS state data, such as user account password hashes. The syskey.exe utility can be used to add an additional layer of protection by encrypting the syskey with an external password.
The company suggests using BitLocker or similar technologies instead of the syskey.exe utility.