Essentially, Bootguard uses the locally stored creds of users in Windows for authentication purposes, which means each of them must have logged into each of the 1000 machines before Bootguard is even able to see them. Bootguard is not capable of connecting to a network, so it cannot perform a lookup against a DC and check user membership to a group before allowing the members of such a group to login.
You'd be better off using the "Encrypt Drive Encryption disks to a Disk Administrator Passphrase" option in the Drive Encryption policy, and changing this passphrase every so often.