Microsoft is dropping support for Syskey.exe utility in the upcoming major feature update aka Windows 10 RS3 and Windows Server 2016 RS3. In case you are not aware, the Syskey utility enables adminstrators to add an extra layer of protection when encrypting sensitive OS state data, such as user account password hashes. The SysKey utility encrypts the syskey or Windows internal root encryption key to use an external password.
Introduced first in Windows 2000 and backported to Windows NT 4.0, the syskey encryption key and the use of syskey.exe are no longer considered secure because of the weak cryptography that can easily be broken by hackers in modern times.
The syskey.exe utility has also been known to be used by hackers as part of ransomware scams.
Changes
In Windows 10 RS3 and Windows Server 2016 RS3, the following changes are made:
- The syskey.exe utility is no longer included in Windows.
- Windows will never prompt for a syskey password during startup.
- Windows will no longer support installing an Active Directory domain controller by using Install-From-Media (IFM) that was externally encrypted by the syskey.exe utility.
If an operating system (OS) was externally encrypted by the syskey.exe utility, you will be unable to upgrade that OS to Windows 10 RS3 or Windows Server 2016 RS3.
Workaround
- Microsoft recommends to use Bitlocker or similar technologies instead of the syskey.exe utility.
- For IT administrators who use Active Directory IFM media to install replica Active Directory domain controllers, we recommend that you use Bitlocker or other file encryption utilities to protect all IFM media.
- To upgrade an OS that is externally encrypted by the syskey.exe utility to Windows 10 RS3 or Windows Server 2016 RS3, the OS should be configured not to use an external syskey password. For more information, see step 5 in How to use the SysKey utility to secure the Windows Security Accounts Manager database.