According to Microsoft's official announcement, syskey has been removed, for the sake of security, from Windows 10 version 1709 or Windows 10 Server 2016.
In reality, though, since the syskey.exe utility was first introduced on Windows Server 2000, some of you are likely still using the boot-time OS security that syskey provides on Windows XP, Windows 7, and 8 if you have not yet upgraded to Windows 10.
If you decide to upgrade or update to Windows 10 V1709 or later, the upgrade may fail, because the external encryption syskey utility has been replaced by its alternative, BitLocker. Syskey has been removed from the Windows 10 Fall Creators Update and the updates that follow it, like 1803 and 1809, so you won’t be prompted to enter the syskey password at Windows 10 startup.
What happened to syskey on Windows systems? This post is a complete guide to the syskey.exe utility: what it is, why it doesn’t work on the Windows 10 Fall Creators Update and later versions, and how to remove it. If you are using it now or are just interested in syskey, read on.
What is Syskey?
Also known as the SAM Lock Tool, syskey (System Key) is a built-in Windows utility used to encrypt system data, such as user account password hashes. The syskey.exe tool can also offer Windows another kind of protection: syskey can be used as external encryption when installing an Active Directory domain controller using IFM (Install-From-Media).
So what does syskey do in the process? For one thing, syskey moves the SAM (Security Accounts Manager) database encryption key off the Windows system (Windows XP, Windows 7 and 8, and Windows 10 versions prior to the Fall Creators Update), thus protecting the SAM database. For another, the syskey utility can stop the system from booting and ask for the password, in most cases via a USB drive.
That covers the definition of syskey and the purpose of syskey and external syskey.
Why Does Windows 10 No Longer Support Syskey.exe Utility?
You may now be wondering: if syskey helps on Windows XP, Windows 7 and 8, why did Microsoft choose to remove it from Windows 10 and urge you to use syskey alternatives such as BitLocker and VeraCrypt?
Of course, the SAM Lock Tool would not have been dropped unless some syskey issues had shown up.
In detail, some syskey bugs make it less reliable on Windows systems, so Microsoft dropped it from the Windows 10 Fall Creators Update and later versions.
Among syskey issues, the most prominent and unbearable ones are:
1. The syskey.exe utility is built on rather weak cryptography, which is prone to being broken in the future.
2. Not all Windows-based data or files can be encrypted by the syskey tool, so it cannot ensure that the Windows system is secure.
3. Syskey.exe has often been exploited by ransomware since it came into use.
4. The external encryption that syskey provides for installing an Active Directory domain controller also shows security weaknesses.
Because of these flaws in the syskey.exe utility, Microsoft replaced it with BitLocker, which offers improved functionality both to secure your data and to block viruses and threats.
For instance, if you need boot-time OS security, need to use IFM to install Active Directory, or want to upgrade to Windows 10 Server 2016 RS3, it is wise to use BitLocker drive encryption rather than the outmoded SAM Lock Tool.
How to Remove Syskey from your PC?
For users whose syskey.exe is still in use, to avoid a syskey hack, you had better remove syskey and use a syskey alternative such as BitLocker, VeraCrypt, or DiskCryptor.
Or, if you want to upgrade or update to Windows 10 V1709 or later, you need to disable the syskey.exe utility on Windows 10 first. Only after that can you update to Windows 10 Server 2016 successfully.
1. Type syskey in the search box and then press Enter to open Securing the Windows account database.
2. In Securing the Windows account database, click Update.
You can see that encryption is enabled by default.
3. In Startup Key, first select System Generated Password and then choose Store Startup key Locally to save the syskey to the local PC’s hard drive.
Here, if you want, you can also choose Password setup. In that case, the next time you start Windows 10, you are required to enter the password.
The instant you click OK, syskey is effectively disabled, as no interaction is required during system restart.
4. In the following window, you will see the message that the Account database start-up key was changed. Click OK to finish the process.
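Before upgrading, it helps to confirm which startup-key mode a machine is actually in. The PowerShell below is an added example, not part of the original article or any Microsoft tooling; the function name Get-SyskeyMode and its output property names are hypothetical, and it assumes the mode is recorded in the SecureBoot value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = stored locally, 2 = password, 3 = removable media).

```powershell
# Added example: report the syskey startup-key mode and BitLocker state.
# Assumption: SecureBoot DWORD under the Lsa key holds the syskey mode.
function Get-SyskeyMode {
    [CmdletBinding()]
    param(
        # Parameterised so the function can be pointed at a test key.
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    $prop  = Get-ItemProperty -Path $LsaPath -Name 'SecureBoot' -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.SecureBoot } else { $null }

    if ($null -eq $value) {
        $mode = 'NotSet'
    } else {
        $mode = switch ([int]$value) {
            1       { 'StoredLocally' }    # no interaction at boot
            2       { 'PasswordStartup' }  # password typed at boot
            3       { 'RemovableMedia' }   # key read from external media
            default { "Unknown($value)" }
        }
    }

    # BitLocker status of the OS volume, if the cmdlet is available
    # (needs an elevated session; left as 'Unavailable' otherwise).
    $bitlocker = 'Unavailable'
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($vol) { $bitlocker = [string]$vol.ProtectionStatus }
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SyskeyExePresent = Test-Path (Join-Path $env:SystemRoot 'System32\syskey.exe')
        SecureBoot      = $value
        Mode            = $mode
        # Modes 2 and 3 need interaction at boot: switch to
        # "Store Startup key Locally" (steps above) before upgrading.
        NeedsRemoval    = $mode -in 'PasswordStartup', 'RemovableMedia'
        BitLockerOsVolume = $bitlocker
    }
}

Get-SyskeyMode | Format-List
```

A result with NeedsRemoval set to True means the steps above still have to be carried out on that machine.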
Since BitLocker is officially released by Microsoft, after getting rid of the SAM key on Windows XP, Windows 7, 8 or 10, you might as well let BitLocker safeguard your system files and data. For most of you, if you wanted to use a syskey password to lock Windows 10, it is strongly recommended to try BitLocker instead.
To conclude, whether you want to prevent the security risks of syskey or to upgrade to Windows 10 version 1709 (Windows 10 Server 2016) or later, you need to learn what syskey is and how to remove it from Windows 10.