Hi, there
To be able to achive this make sure while setting up the policy on SEMS ( SEMS > Consumers > Consumer Policy > Default > Desktop button > Drive Encryption tab ) that are as follow:
a) Operation - Allow User Management - Internal Disk - Untick
b) Operation - Allow Encryption - tick
c) Operation - Allow Decryption - Untick
d) Operation - Removable Disks - All Untick
Use "Allow encryption of disk to existing Windows Single Sign-On password" with option tick "Automatically encrypt Boot disk at Installation"
I would also enable "Whole Disk Recovery Tokens" and "Encrypt Drive Encryption disk to a Disk Administrator Passphrase" just to have a controll and recovery
As you want to Setup a Silent enrollment make sure that you are familiar and follow the following KB:
HOW TO: Enable Silent Enrollment for Symantec Encryption Desktop
http://www.symantec.com/docs/TECH149857
and if you want to go step further for the Invisible Silent Enrollment follow the one below:
HOWTO: Configure Invisible Silent Enrollment for Symantec Encryption Desktop Clients
http://www.symantec.com/docs/HOWTO77014
HTH