It looks like we're going down the route of decrypting each laptop as they come in to be migrated. Unencrypted desktops can be migrated over the network, but due to the encryption it looks like users will have to bring them in to us to process.
We've got a script to start the decryption and regularly check the status so we know when it's completed as to automate the whole process, so hopefully this will make things a little easier.
At the end of the day they've decided to ditch PGP/Symantec WDE anyway, so a decryption was going to be required regardless. Fun fun...