If all your laptops are identical, then you can use EPO to deploy the agent to them. If you have different models of laptops, then you may have 2 or 3 different Endpoint Encryption sets. If you pick the wrong settings to push out to a laptop, it will blue screen and it will take an hour or two to get it back to normal.
There are two settings in particular that can be off or on. Some laptops require a setting to have one on and one off, both on, both off or one off and one on. If you send out the On On package to a machine that needs to be On Off, then the machine will blue screen. There is no documentation for what models of laptops require what settings. It has to be determined via trial and error. Guessing wrong is a 2-hour mistake.
I would say that there is no way to automatically deploy EE to an enterprise unless you have only one model of laptop. Once a machine has Endpoint Encryption enabled, it will report data back to EPO, including what version of EE is installed and whether the drives are encrypted or not. The version reported to EPO, in our org, is wrong about 25% of the time compared to what is actually installed.
We are also looking at a possible move to EE and I happened to see this thread while searching for a different issue.
What settings are you referring to that have to be "Off" and "On?" I am just beginning my testing today and would like to make sure that I have that issue thoroughly documented.
My problem, if anyone can point me to a thread with the solution, is that I created a task in ePo to "install immediately" but it's not working. Per the agent, the client package is pushed successfully but it doesn't launch the actual encryption process.
The two settings that we have had to adjust are "Update number of sides reported..." and "Update MBR for Endpoint Encryption..."
Some devices need one on, some the other on, and some both off. I haven't run into one yet that needs both on, and since the update to 5.1.9 and higher, I found most laptops can have "Update Number of Sides" while others (esp. Lenovo and HP Tablet) need "Update MBR..."
If I deploy to a Lenovo without "Update MBR..." it will bluescreen. If I deploy to a Dell WITH "Update MBR..." it will bluescreen.
Some laptops will work with or without Update number of sides, while others require it.
I have two deployments right now. Since 5.1.9, I haven't had a problem deploying "Update number of sides..." to models that previously blue screened when deployed that way, but you might.
I just build a safe list of the machines where we have deployed EE and which set of files to use on that model. Our SOP for models not listed is to take a full snapshot of the drive prior to enabling EE. It is faster to format the drive and bring the image back than it is to undo Endpoint Encryption disasters. Once successful, we add the model to the "safe" list.