This is a very good approach and one that I have generally advocated for a long time - all the way back to the SafeBoot days. The beauty of temporarily using autoboot mode is that it eliminates the possibility of any end user helpdesk calls for password issues or user account issues. So if you do get a helpdesk call while in that state, you can jump directly to the more advanced troubleshooting.
There are lots of other things to consider for deployments...
- Do you want a single deployment process for all scenarios? For example, new systems and already-deployed systems may require different install processes ... so can you compromise and find a way to do them all the same? This depends on your security and process requirements, but most people do like to have a single process.
- How are you going to handle re-imaged systems? Do you have ePO set up to prevent duplicate GUIDs? Will you use the OS Refresh Utility so that the disk can retain its encryption through the re-image process?
- Do you want to speed along the activation process with custom scripts? Out of the box, EEPC will wait for an ASCI, and in large organizations that may be set to 4 hours. That means you have to wait 4 hours after the reboot before EEPC even attempts to start encrypting. You can use the command line interface for the McAfee Agent to programmatically trigger ASCIs during the EEPC install process.
What other challenges or considerations has the community faced?