Yeah, that sounds more consistent with how I thought SCCM operated.
As you're using PGP already, have you considered going down the Altiris route (another Symantec Product)? Because it uses PXE, it's not subsceptible to the issue of writing a WinPE partition to an encrypted drive. Not to mention that using PXE means you can perform a bare-metal restore of a machine if need be.
Plus, the Altiris Client Management Suite includes something called PCTransplant, which pretty much does what the USMT file does.