You're missing out on a lot of cool PGP US features:
- Use Active Directory synchronization with auto-enrollment. This way, you can sort users by, say, AD user groups into PGP groups/policies.
- Use the Customized PGP Desktop setup from your PGP US to automatically connect your users to your server
- Use Consumer Policies to create the user's keys (I'd suggest GKM, but that ofc depends) and set your desired and enforced PGP Desktop settings
Our environment looks like this:
We install the customized setup on a computer. The user logs on and is immediately prompted by the auto-enrollment window of PGP Desktop. There he must provide his Windows password and... that's that, no more user interaction.
In the background, the PGP US creates key pairs according to consumer policy, for example 2048-bit RSA in GKM and never expire. PGP Desktop then downloads the consumer policy and enforces it; that would include WDE options like automatically encrypt boot drive, prevent from decrypting, add WDE administrator passphrase. This way, the boot drive is encrypted according to your settings and the next time the user boots his machine he's greeted by your custom BootGuard skin ;-)
You might want to think about having the users set up the security questions, although that's somewhat... American and most of our users find it, for some reason, a huge pain in the you-know-what.