Hi,
Firstly you will need to make sure your devices are able to be encrypted, this requires them having a TPM (Trusted Platform Module) and it being activated. You could send out a powershell script with Get-tpm and this will return whether or not the tpm is ready and the device can be encrypted.
Both options work but i would suggest group policy as your main way to deploy this as it would be alot more reliable. If your in group policy, you need to browse to Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption. Once your there it will give you three different sub folders of OS drives, removable drives and fixed data drives, its entirely upto you which settings you want enforced but within there you can choose which drives you can encrypt and you can also choose to backup the recovery key to your activ directory for when it is needed. Hope this helps!