The product needs the keys unencrypted in the registry to function.
You can do as you suggested (deploy without keys and set via GPO). If you do this, make sure to protect the secret key info by limiting view of the policy from unprivileged users, restricting registry access to the secret key location, etc.
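
One way to restrict registry access to the secret key location, as an added example that is not part of the original reply. The key path and the service account are placeholders, since the reply names neither the product's registry location nor the identity it runs as.

```powershell
# Added example. Run elevated. Both values below are placeholders (assumptions):
$KeyPath        = 'HKLM:\SOFTWARE\ExampleVendor\ExampleProduct'  # where the product reads its keys
$ServiceAccount = 'NT AUTHORITY\LocalService'                    # identity the product runs as

$acl = Get-Acl -Path $KeyPath

# Break inheritance and discard inherited ACEs, so read access granted to
# broad groups on the parent key no longer applies here.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs that were already set on the key.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# SYSTEM keeps write access (computer-side Group Policy is applied as SYSTEM);
# the product's account gets read-only access because it must read the keys.
$grants = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $ServiceAccount;          Rights = 'ReadKey' }
)
foreach ($g in $grants) {
    $rights = [System.Security.AccessControl.RegistryRights]$g.Rights
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $g.Id, $rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $KeyPath -AclObject $acl

# Verify: no allow ACE should remain for broad, unprivileged groups.
$broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
$leaks = (Get-Acl -Path $KeyPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value
}
if ($leaks) {
    Write-Warning "Broad read access still present on $KeyPath"
    $leaks | Format-Table IdentityReference, RegistryRights, IsInherited
} else {
    Write-Output "No broad-group allow ACEs on $KeyPath"
}
```

If the product runs in the logged-on user's context rather than as a service, that user needs `ReadKey` on the location, and the ACL only keeps other accounts on the machine from reading the keys.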