Here's why (I am not a domain admin):
"To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority." - Assign or unassign IPSEC policy in Group Policy
This can be done through a local GPO though. But for deployment on multiple systems we will probably need to script this. I will look at Netsh for this:
Managing IPSec from the command line
Apply these steps to your file server and to the host computer(s) with which you would like to establish an encrypted SMB session.
Note: You need to test this in a development environment before you deploy it to your production environment.
Open the MMC with 'IP Security Monitor' and 'IP Security Policy Management' (local computer)
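The netsh route mentioned above, as an added example that is not part of the original post: a batch script that builds the same thing the MMC snap-in would (policy, filter list, filter action, rule) in the local policy store with `netsh ipsec static`, so it can be pushed to the file server and each client without Domain Admins rights. The names SMB-Encrypt, SMB-Ports, Require-ESP and SMB-Rule are my own choices, and the script assumes all machines are domain members so Kerberos can authenticate IKE.

```batch
@echo off
rem Added example (not from the original post). Creates and assigns a local
rem IPSec policy that requires ESP encryption for SMB traffic (TCP 445 and 139).
rem Policy, filter list and action names are arbitrary labels chosen here.
rem Run on the file server and on every client, as the post's steps say.

set POLICY=SMB-Encrypt
set FILTERS=SMB-Ports
set ACTION=Require-ESP

rem 1. The policy itself. Left unassigned until the rule is in place.
netsh ipsec static add policy name=%POLICY% description="Require IPSec for SMB" assign=no

rem 2. A filter list matching SMB traffic to and from this host.
rem    mirrored=yes also matches the reply direction; srcport=0 means any port.
netsh ipsec static add filterlist name=%FILTERS% description="SMB over TCP 445 and 139"
netsh ipsec static add filter filterlist=%FILTERS% srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist=%FILTERS% srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=139 mirrored=yes

rem 3. A filter action that negotiates ESP with 3DES encryption and SHA1
rem    integrity. inpass=no and soft=no mean a peer that cannot do IPSec is
rem    refused instead of falling back to cleartext SMB; set soft=yes while
rem    testing in the development environment so unconverted hosts keep working.
netsh ipsec static add filteraction name=%ACTION% action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem 4. Tie them together. kerberos=yes authenticates IKE with the machine's
rem    domain account, so no pre-shared key has to be distributed or stored.
netsh ipsec static add rule name=SMB-Rule policy=%POLICY% filterlist=%FILTERS% filteraction=%ACTION% kerberos=yes description="Encrypt SMB"

rem 5. Assign the policy. Only one local policy can be assigned at a time, so
rem    this replaces whatever local policy was active before.
netsh ipsec static set policy name=%POLICY% assign=yes

rem 6. Verify; this is the same data IP Security Monitor shows in the MMC.
netsh ipsec static show policy name=%POLICY% level=verbose
```

After both ends have the policy assigned, the first SMB connection triggers an IKE negotiation, and the security associations for port 445 should appear under Quick Mode in IP Security Monitor. If a domain GPO later assigns an IPSec policy to these machines it takes precedence over the local one, which is worth checking before assuming the encryption is still in effect.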