Published: May 29, 2007

Deploying data encryption across an organization requires a great deal of deliberation and prior planning. The Data Encryption Toolkit for Mobile PCs Planning and Implementation Guide describes the planning and implementation processes you should follow to use Microsoft® BitLocker™ Drive Encryption (BitLocker) and the Encrypting File System (EFS) as part of your strategy for protecting data on mobile PCs.

A Quick Overview of BitLocker

BitLocker is an important new security feature in the Windows Vista™ operating system that provides significant data and operating system protection for your computer. BitLocker is a full-volume encryption technology that can help ensure that data is not revealed if someone tampers with the computer when the installed operating system is offline. It is most effective on computers that have a compatible Trusted Platform Module (TPM) microchip and BIOS, because it uses them to provide enhanced data protection and to ensure early boot component integrity. BitLocker can optionally use an external USB key as a token to hold the startup key.

A Quick Overview of EFS

EFS enables transparent encryption and decryption of files by using advanced standards–based cryptographic algorithms. Any individual or program that does not possess the appropriate cryptographic key cannot decrypt the encrypted data, even if they gain physical possession of the computer on which the files reside. Even people who are authorized to access the computer and its file system cannot view the data.

EFS combines two types of encryption: a symmetric cipher is used to protect the data in the file, and an asymmetric cipher is used to protect the key used in the symmetric cipher.

The Distributed Systems Guide of the Windows 2000 Server Resource Kit includes a comprehensive overview of EFS and a collection of information about EFS in Microsoft Windows® 2000. To locate this information online, use the Windows 2000 Server Resource Kit table of contents to browse to the Distributed Systems Guide, expand Distributed Security and then click Encrypting File System.

There are differences between EFS in Windows 2000, Windows XP Professional, Windows Server® 2003, and Windows Vista. The Windows XP Professional Resource Kit explains the differences between implementations of EFS in Windows 2000 and Windows XP Professional, and the "Encrypting File System in Windows XP and Windows Server 2003" article describes modifications in Windows XP and Windows Server 2003. Differences between EFS in Windows XP Professional and Windows Vista are described in Chapter 2: Configuration and Deployment Tasks in this guide.

Chapter Summaries

The Planning and Implementation Guide chapters discuss the following topics:

  • Chapter 1: Planning Considerations. This chapter describes the planning considerations associated with deployment of Windows Vista BitLocker and both types of EFS, including planning steps that you should take to assess your environment, decide which resources need to be protected, and what security methods are most appropriate.
  • Chapter 2: Configuration and Deployment Tasks. This chapter describes specific configuration tasks that you might need to perform as part of your deployment. These tasks include choosing a BitLocker configuration, configuring disk encryption, and setting up Active Directory® directory service Group Policy objects to control and manage how your organization uses EFS. The configuration tasks described in this chapter are generally preparatory tasks that you perform once to prepare your environment for deployment of BitLocker and EFS. In addition, this chapter describes deployment tasks that you perform on each computer to enable the use of BitLocker and EFS in your environment. For example, you might need to update the BIOS on some of your computers to enable them to work with BitLocker.
  • Chapter 3: Operations and Recovery Scenarios. This chapter addresses ongoing operation of your BitLocker and EFS–protected computers. For example, it discusses ways to address your organization’s need to recover encrypted data if key material or certificates are lost or compromised.

Who Should Read this Guide

This guide is intended for IT professionals who are responsible for designing, planning for, and implementing computer networks that that include dozens to thousands of client computers, especially laptop and Tablet PC computers. You should read this guide if your responsibilities include:

  • Implementing server or client security policy.
  • Designing and implementing security or systems management architectures.
  • Evaluating security technology.
  • Integrating security policy with other computer management policies or technologies.

Style Conventions

Element Meaning

Bold font

Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold.

Italic font

Titles of books and other substantial publications appear in italics.


Placeholders set in italics and within angle brackets – <file name> – represent variables.

Monospace font

Depicts code and script samples.


Alerts the reader to supplementary information.


Alerts the reader to essential supplementary information.

Support and Feedback

The Solution Accelerators – Security and Compliance (SA-SC) team would appreciate your thoughts about this and other Solution Accelerators. Please contribute comments and feedback to secwish@microsoft.com. We look forward to hearing from you.

Solution Accelerators provide prescriptive guidance and automation for cross-product integration. They present proven tools and content so you can plan, build, deploy, and operate information technology with confidence. To view the extensive range of Solution Accelerators and for additional information, visit the Solution Accelerators page on Microsoft TechNet.


The SA-SC team would like to acknowledge and thank the group of people who produced the Data Encryption Toolkit for Mobile PCs Planning and Implementation Guide. The following individuals were either directly responsible or made a substantial contribution to the writing, development, and testing of this guide.

Development Leads

Mike Smith-Lonergan - Microsoft

David Mowers - Securitay, Inc.

Program Manager

Bill Canning - Microsoft

Content Developers

Roger A. Grimes - Microsoft

Paul Robichaux - 3Sharp, LLC


Steve Wacker - Wadeware LLC


Randy Armknecht - Calamos Investments

Vijay Bharadwaj - Microsoft

Marcus Bluestein - Kraft Kennedy & Lesser, Inc.

Dean Chen - Waggener Edstrom Worldwide

Tom Daemen - Microsoft

Mike Danseglio - Microsoft

Erik Holt - Microsoft

Russell Humphries - Microsoft

David Kennedy - Microsoft

Luca Lorenzini

Douglas MacIver - Microsoft

Sanjay Pandit - Microsoft

Greg Petersen - Avanade

Matt Setzer - Microsoft

Stan Shkolnik - Deloitte Touche Tohmatsu

Michael Trotman - United States Postal Service (USPS)

Richard Trusson - Microsoft

Mike Wolfe - Microsoft

Product Managers

Alain Meeus - Microsoft

Jim Stuart - Microsoft

Release Manager

Karina Larson - Microsoft


Gaurav Singh Bora - Microsoft

Sumit Ajitkumar Parikh - Infosys Technologies Ltd.

Swaminathan Viswanathan - Infosys Technologies Ltd.

Swapna Rangachari Jagannathan - Infosys Technologies Ltd.

Neethu Thomas - Infosys Technologies Ltd.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.


Get the Data Encryption Toolkit for Mobile PCs

Update Notifications

Sign up to learn about updates and new releases


Send us your comments or suggestions