Initially I'd say stick with the MS stack, if that's what your client uses as a standard. There are, typically, a lot of advantages to doing so (network access protection, VPN-less network logins, dcentral mgmt, etc). However, the local-administrator issue is a big one: http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/98c971b5-a2b8-477d-88bd-75dabdaebab3
However, there seems to be a workaround here: http://blogs.technet.com/b/bitlocker/archive/2010/09/14/how-to-prevent-local-administrator-from-turning-off-bitlocker.aspx
Hope that helps.