Mostly posting this to see if anyone has any ideas/suggestions that I have not thought of or may not know of.
Context: I am a solo sysadmin with about 175 users, all running Windows 10 on Lenovo-based ThinkPad machines (T, X, P series); about half are older (2-4 years old) and half were newly purchased within 1-2 years. We are normally in offices, but are remote due to COVID. Recently the company has started venturing towards SOC II security compliance. A part of working towards this compliance is getting employee machines encrypted (in our case via BitLocker).
The debacle: Since we are all remote, I had created a PowerShell script to run via our RMM (which has the ability to remotely execute PowerShell). The script is for initializing BitLocker, exporting the keys, all that good stuff. I am running into issues and finding out that about half of the machines are using TPM 2.0 chips but have MBR boot partitions. This is a problem, as TPM 2.0 only works with GPT boot partitions. So I am not able to encrypt about half the machines via BitLocker.
Methods I have thought to try:
- Using MBR2GPT to manually convert each end user's machine to GPT.
- Downgrading the 2.0 TPMs to 1.2 via the BIOS so the MBR partition will work for BitLocker. Done manually. (This seems to only apply to specific models of Lenovo PCs.)
- Looked into Lenovo's WMI capabilities to see if downgrading TPMs can be done via WMI.
So my question comes in: Is there any other obvious method I am overlooking? What would other sysadmins recommend? (I am trying to figure out the option that makes it as easy as possible for the end users.)
Any info or recommendations are greatly appreciated :)
Edit: I am trying to figure out how to solve the issue for all the PCs with TPM 2.0 and an MBR partition. (As TPM 2.0 only works with UEFI, aka GPT partition.)
Posted 3 years ago in r/sysadmin.
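One way to sort the fleet described in the post before touching any disk, as an added example that is not part of the original post: a read-only PowerShell report, suitable for pushing through an RMM, that records TPM version, boot disk partition style, firmware mode and the result of an MBR2GPT dry run. The function name, output field names and action strings are assumptions made for illustration.

```powershell
# Added example: read-only BitLocker readiness report for one machine.
# Run elevated (for example as SYSTEM from an RMM agent).
# Function name, field names and action strings are illustrative assumptions.
function Get-BitLockerReadiness {
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion is a comma-separated string; the first field is the TPM family (1.2 or 2.0).
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'None' }

    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType  # Uefi or Bios
    $volume   = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    # Dry run only: /validate checks the disk layout and writes nothing.
    $validate = 'NotApplicable'
    if ($bootDisk -and $bootDisk.PartitionStyle -eq 'MBR') {
        $exe = Join-Path $env:SystemRoot 'System32\mbr2gpt.exe'
        if (Test-Path $exe) {
            & $exe /validate "/disk:$($bootDisk.Number)" /allowFullOS | Out-Null
            $validate = if ($LASTEXITCODE -eq 0) { 'Passed' } else { "Failed ($LASTEXITCODE)" }
        } else {
            $validate = 'ToolMissing'
        }
    }

    # Classify the machine so the RMM can group results.
    $action = if ($tpmVersion -eq 'None') {
        'No TPM visible to Windows'
    } elseif ($volume -and $volume.ProtectionStatus -eq 'On') {
        'Already protected'
    } elseif ($tpmVersion -eq '2.0' -and $bootDisk.PartitionStyle -eq 'MBR') {
        if ($validate -eq 'Passed') { 'Candidate for MBR2GPT conversion' } else { 'Manual review' }
    } else {
        'No TPM/partition-style blocker found'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        TpmVersion     = $tpmVersion
        PartitionStyle = [string]$bootDisk.PartitionStyle
        FirmwareMode   = [string]$firmware
        Mbr2GptCheck   = $validate
        Action         = $action
    }
}

# One JSON line per machine is easy to collect from RMM script output.
Get-BitLockerReadiness | ConvertTo-Json -Compress
```

The script only runs `/validate`, so nothing on disk changes. After an actual `/convert`, the firmware also has to be switched from legacy boot to UEFI before Windows will start, which is the step that needs planning for remote users.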