Well the way that rolls out here where i work is via SCCM
Machine boots and is picked up that re-images
Connects with the SCCM and starts to clean install Windows Image as part of which joins the domain
Then it installs the Deployment Agent so already domain joined when deployed the agent.
After imaging the the DA communicates with the Endpoint Server and pulls down appropriate blades and policies using the deployment policies.
Other places I knew included the FDE Blade in the SCCM installation package
You really need to have the FDE policy in place before putting the Blades on machines, things like password sync if synching your pre-boot and windows login etc.
Not everyone does this as they specifically require seperate logins
I believe that this also makes a difference in terms of machine id and the recovery file that should be used to decrypt the box if neccessary.