Score:0

Best method for enabling bitlocker via GPO/scripting

ng flag
tsz

I'm working on getting BitLocker deployed across an organization and am getting hung up on how I'm expected to actually enable it. We're using on-site AD on Server 2012 (will be moving to 2022 this summer, but it is what it is for now) and our PCs are all Windows 10. As far as I can tell I should be running a script at logon to enable BitLocker if it isn't already. I have the script, it runs fine on its own, but I cannot get the GPO to work. Here's what I've tried:

  • Startup PowerShell script - won't work as it runs as the logged-in user
  • Scheduled task - this appears to be the way to go, but I simply can't get it to actually run the script. Have tried using a domain-admin account, nt_authority\system, etc. It simply doesn't run - I've tried replacing the action with something that just opens Notepad, but even that doesn't run. It seems that the SYSTEM account won't have network share access, so I tried adding a GPO to copy the script to the machine first. Still no luck (and I'd prefer this wasn't the case).

I'm clearly missing something, because I'm sure others have done this successfully. Looking for advice on either how you've done this successfully, what I'm doing wrong with my scheduled task GPO, or whether I'm missing the mark entirely and should be doing something entirely different. Any advice is appreciated.

cn flag
`Startup powershell script - won't work as it runs as logged in user`. No, *startup* scripts run in the context of local system. *Logon* scripts run in the context of the local user. The deployment of this is dependent on the endpoint type. Mobile endpoints should be protected by a PIN, which is a more complex scenario. And there is most likely a TPM that needs to be initialized and ownership taken. There are also a truckload of Group Policies that you haven't specified and that need to be configured. Administrative Templates > Windows Components > Bitlocker Drive Encryption.
ng flag
tsz
@GregAskew yes, I have all the TPM and recovery stuff handled in the script that needs to run. My issue is that there doesn't seem to be a real well documented way to make that script run.
us flag
It sounds like your issue is more about troubleshooting GPO scripts than BitLocker. You should start with a basic script that writes some output to the disk. Once you can get that working with a GPO you can swap in your actual script. SYSTEM works quite well for scheduled tasks, because it does not require making a new account and can access anything over the network that Domain Computers have access to.
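A minimal probe script of the kind suggested above, written here as an added example that is not from this thread: point the GPO scheduled task's action at it instead of BL.ps1 (for instance `powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\probe.ps1`; all paths are assumptions) and read the log it leaves behind.

```powershell
# Added diagnostic probe (not part of the thread). Run it as the GPO scheduled task's
# action in place of BL.ps1; every path below is an assumption for your environment.
$LogPath   = 'C:\Windows\Temp\gpo-task-probe.log'   # local disk: SYSTEM can always write here
$ScriptUnc = '\\server\share\BL.ps1'                # the share the real task has to read

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$canRead  = Test-Path -LiteralPath $ScriptUnc       # SYSTEM reaches the share as DOMAIN\COMPUTER$

@(
    '{0} task fired' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
    "identity       : $identity"                    # expect NT AUTHORITY\SYSTEM for a system task
    "computer       : $env:COMPUTERNAME"
    "powershell     : $($PSVersionTable.PSVersion)"
    "64-bit process : $([Environment]::Is64BitProcess)"
    "exec policy    : $(Get-ExecutionPolicy)"
    "share readable : $canRead"                     # False = share/NTFS ACL excludes Domain Computers
) | Add-Content -LiteralPath $LogPath -Encoding UTF8
```

No log file at all means the task never fired (check the Task Scheduler history and gpresult on the client), while a log with `share readable : False` points at the share's permissions rather than at the task itself.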
Score:0
au flag

I once wrote an article about scripted deployment of Bitlocker: https://www.experts-exchange.com/articles/33771/We-have-bitlocker-so-we-need-MBAM-too.html

The essence: I recommend deploying a scheduled task (“at least Windows 7”) via GPOs. It would look like this:

  • Task name: BL (name it as you want, but please don’t forget to change the name in the last script line)

  • Triggers: at logon of any user

  • Executing account: system

  • Action: powershell.exe with the argument \\server\share\BL.ps1

The task would be set up to “apply once and do not reapply”.

That share would need to be read-only for computer accounts, writable only for admins.

The script would create a random PIN for pre-boot authentication and save the PIN to a text file on another share “pins”, which is writable for domain computers, but not readable for them as people (local admins) able to impersonate the system account must not discover other computers’ PINs.

The script \\server\share\BL.ps1 goes:

    # Six-digit PIN, zero-padded. -Maximum is exclusive, so 1000000 is needed to allow 999999.
    $pin = (Get-Random -Minimum 0 -Maximum 1000000).ToString('000000')
    # Store the PIN on the write-only "pins" share, one file per computer.
    "$pin" | Out-File "\\server\pins\$env:COMPUTERNAME.txt" -Append
    $SecureString = ConvertTo-SecureString "$pin" -AsPlainText -Force
    # Require TPM + PIN at pre-boot.
    Add-BitLockerKeyProtector -MountPoint "C:" -Pin $SecureString -TpmAndPinProtector
    # Quoted so PowerShell hands the whole message to msg.exe as one argument.
    msg * /time:0 "Your hard drive is being encrypted. To start your PC, you need your BitLocker PIN, which is $pin"
    # Encrypt used space only, skip the hardware test, add a recovery password protector.
    manage-bde -on c: -s -used -rp
    # Remove the scheduled task so it does not run again (the name must match the task).
    schtasks /delete /tn BL /f

So what happens at script execution is that a popup appears and names the PIN.
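A hardened variant of that deployment script, written here as an added example and not the author's BL.ps1: it is idempotent, checks the TPM first, draws the PIN from a cryptographic RNG, and escrows the recovery password in AD DS. The share, task name and volume are the assumptions from the answer above; the AD DS backup step assumes the BitLocker recovery Group Policy permits storing recovery information in AD DS.

```powershell
# Added example, not the thread's BL.ps1. Paths, task name and volume are assumptions.
$PinShare = '\\server\pins'   # Domain Computers: write-only; admins: read
$TaskName = 'BL'
$Volume   = 'C:'

# 1. Idempotent: do nothing if the OS volume is already protected or mid-encryption,
#    so a second logon before the task removes itself cannot add a second PIN.
$vol = Get-BitLockerVolume -MountPoint $Volume
if ($vol.ProtectionStatus -eq 'On' -or $vol.VolumeStatus -ne 'FullyDecrypted') { return }

# 2. A TPM+PIN protector needs a present, ready TPM; stop with a clear error otherwise.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw "TPM not ready on $env:COMPUTERNAME" }

# 3. Six-digit PIN from a CSPRNG (Get-Random is not one). Rejection sampling keeps the
#    0..999999 draw unbiased: 4294000000 is the largest multiple of 10^6 below 2^32.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$buf = New-Object byte[] 4
do { $rng.GetBytes($buf); $n = [BitConverter]::ToUInt32($buf, 0) } while ($n -ge 4294000000)
$pin = ($n % 1000000).ToString('000000')

# 4. Record the PIN where only admins can read it, then protect the volume.
$pin | Out-File -LiteralPath (Join-Path $PinShare "$env:COMPUTERNAME.txt") -Append
$securePin = ConvertTo-SecureString $pin -AsPlainText -Force
Add-BitLockerKeyProtector -MountPoint $Volume -TpmAndPinProtector -Pin $securePin
Enable-BitLocker -MountPoint $Volume -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -SkipHardwareTest -RecoveryPasswordProtector

# 5. Escrow the recovery password in AD DS (fails unless the BitLocker recovery GPO
#    allows it), so a forgotten PIN is recoverable without the pins share.
$rp = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $rp.KeyProtectorId

# 6. Tell the user the PIN and remove the one-shot task.
msg * /time:0 "Your hard drive is being encrypted. Your BitLocker PIN for the next start is $pin"
schtasks /delete /tn $TaskName /f
```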

in flag
Please don't post link-only answers; they become useless when that link dies. Instead, include the essence of the link in the answer and provide the link for reference.
in flag
As a forum regular you surely know that editing additional information into the question is much better for readability than posting it as comments.
Bernd Schwanenmeister
au flag
No Gerald, I didn't know that. Done. Thanks
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.