Packaging/Deploying DUO install with encrypted IKEY AND SKEY information

We have PDQ Deploy and I was thinking of using it to install DUO MFA, but I want to encrypt the keys in the process. I have been trying to make with work via powershell but have not been successful. Is the other option to install without the keys and use a GPO to complete the configuration?

The product needs the keys unencrypted in the reg to function.

You can do as you suggested (deploy w/o keys and set via GPO). If you do this, make sure to protect the secret key info by limiting view of the policy from unprivileged users, restricting registry access to the secret key location, etc.