Forum Discussion

oryxway
Iron Contributor
Mar 17, 2023

Bitlocker configured through Drive Encryption in Intune and Errors out. Not sure where it is going w

We have set up BitLocker through Intune Disk Encryption. I get the following error on the device (Dell OptiPlex 7000).

Under Event Viewer - Microsoft\Windows\BitLocker-API\Management:

Error

Failed to enable Silent Encryption

Error: Group Policy prevents you from backing up your recovery password to Active Directory for this drive type. For more info, contact your system administrator.

Event ID: 851


I ran a few commands based on the article below and saw WARNING messages.

PowerShell command I ran:

Confirm-SecureBootUEFI

Returned True

Warning: In Event Viewer Microsoft\Windows\BitLocker-API\Management

BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read.

Error Messages: A required privilege is not held by the client

When I checked the BIOS settings, everything looked good:

BIOS Mode: UEFI

Secure Boot State: On

In the output, locate the Windows Boot Loader section that includes the line identifier={current}. In that section, locate the recoverysequence attribute. The value of this attribute should be a GUID value, not a string of zeros.

Event ID 851: Contact the manufacturer for BIOS upgrade instructions

The event information will be similar to the following error message:

Failed to enable Silent Encryption.

Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions.

Cause of Event ID 851: Contact the manufacturer for BIOS upgrade instructions

The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption doesn't support legacy BIOS.

Resolution for Event ID 851: Contact the manufacturer for BIOS upgrade instructions

To verify the BIOS mode, use the System Information application by following these steps:

  1. Select Start, and enter msinfo32 in the Search box.

  2. Verify that the BIOS Mode setting is UEFI and not Legacy.

  3. If the BIOS Mode setting is Legacy, the UEFI firmware needs to be switched to UEFI or EFI mode. The steps for switching to UEFI or EFI mode are specific to the device.

     Note: If the device supports only Legacy mode, Intune can't be used to manage BitLocker Device Encryption on the device.

Error message: The UEFI variable 'SecureBoot' could not be read

An error message similar to the following error message is displayed:

Error: BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.

Cause of Error message: The UEFI variable 'SecureBoot' could not be read

A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of Secure Boot. Silent BitLocker drive encryption requires Secure Boot to be turned on.

Resolution for Error message: The UEFI variable 'SecureBoot' could not be read

This issue can be resolved by verifying the PCR validation profile of the TPM and the secure boot state by following these steps:

Step 1: Verify the PCR validation profile of the TPM

To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:

    Manage-bde.exe -protectors -get %systemdrive%

In the TPM section of the output of this command, verify whether the PCR Validation Profile setting includes 7.

If PCR Validation Profile doesn't include 7 (for example, the values include 0, 2, 4, and 11, but not 7), then Secure Boot isn't turned on.

Step 2: Verify the Secure Boot state

To verify the secure boot state, use the System Information application by following these steps:

  1. Select Start, and enter msinfo32 in the Search box.

  2. Verify that the Secure Boot State setting is On.

  3. If the Secure Boot State setting is Unsupported, Silent BitLocker Encryption can't be used on the device.

Note

The Confirm-SecureBootUEFI PowerShell cmdlet can also be used to verify the Secure Boot state by opening an elevated PowerShell window and running the following command:

    Confirm-SecureBootUEFI

If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."

If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."

If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
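The checks the first post and the quoted article walk through (BIOS mode, Secure Boot state, the PCR Validation Profile from manage-bde, the recovery-password policy named in Event ID 851, and the BitLocker-API Management log) collected into one read-only PowerShell report. This is an added example, not code from the thread or from Microsoft's article; the log name 'Microsoft-Windows-BitLocker/BitLocker Management' and the FVE policy value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumptions to confirm in your own environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or from Microsoft's article): read-only checks for the
# silent BitLocker encryption prerequisites discussed above. Assumed names are marked below.

function Get-FirmwareAndSecureBootState {
    # $env:firmware_type is 'UEFI' or 'Legacy', the value msinfo32 shows as "BIOS Mode".
    $result = [ordered]@{ BiosMode = $env:firmware_type; SecureBoot = $null }
    try {
        # True/False on UEFI machines; on legacy BIOS the cmdlet throws, which is the
        # "Cmdlet not supported on this platform" case the article describes.
        $result.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $result.SecureBoot = "Unsupported ($($_.Exception.GetType().Name))"
    }
    [pscustomobject]$result
}

function Get-PcrValidationProfile {
    param([string]$Drive = $env:SystemDrive)
    # Same command the article quotes; manage-bde prints the PCR list either on the
    # "PCR Validation Profile:" line itself or on the line that follows it.
    $lines = @(& manage-bde.exe -protectors -get $Drive 2>&1 | ForEach-Object { "$_" })
    $value = $null
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $value = $Matches[1].Trim()
            if (-not $value -and $i + 1 -lt $lines.Count) { $value = $lines[$i + 1].Trim() }
            break
        }
    }
    if ($null -eq $value) { return $null }   # no TPM protector listed for this drive
    $pcrs = @($value -split ',\s*' | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
    [pscustomobject]@{
        Drive    = $Drive
        Pcrs     = $pcrs -join ','
        UsesPcr7 = ($pcrs -contains 7)   # false (e.g. 0,2,4,11) means Secure Boot is not measured
    }
}

function Get-OsDriveRecoveryPolicy {
    # Event ID 851 in the first post cites policy for backing up the recovery password.
    # The value names below under the FVE policy key are an assumption based on the
    # "Choose how BitLocker-protected operating system drives can be recovered" setting;
    # compare what is present with the Intune profile rather than treating any value as the answer.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $names = 'OSRecovery', 'OSRecoveryPassword', 'OSActiveDirectoryBackup',
             'OSRequireActiveDirectoryBackup', 'OSHideRecoveryPage'
    $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    $out = [ordered]@{ PolicyKeyPresent = [bool]$props }
    foreach ($n in $names) {
        $out[$n] = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { '(not set)' }
    }
    [pscustomobject]$out
}

function Get-BitLockerManagementEvents {
    param([int[]]$EventId = @(851), [int]$Max = 10)
    # Assumed log name behind the Event Viewer path Microsoft\Windows\BitLocker-API\Management.
    $filter = @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = $EventId }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { (($_.Message -split "`r?`n")[0..1] -join ' ').Trim() } }
}

# Run every check and print the report.
Get-FirmwareAndSecureBootState | Format-List
Get-PcrValidationProfile       | Format-List
Get-OsDriveRecoveryPolicy      | Format-List
Get-BitLockerManagementEvents  | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell window, since both the cmdlet and the UEFI variable read need it. The script changes nothing; its value is in lining up the four answers side by side (BIOS mode, Secure Boot, whether PCR 7 is in the profile, and what the recovery policy on the device actually says) against the Intune Disk Encryption profile and the text of the Event ID 851 message.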

    • JoonChuan
      Copper Contributor

      Read your blog.

      Does this mean that we need to create a local GPO on top of the Intune BitLocker policy that was already successfully pushed to the device?

      Facing the issue in a HAADJ environment. Intune BitLocker policy is on the device, but it is not encrypting.

      • Tps1990
        Copper Contributor

        JoonChuan I have the same issue. Did you find a solution? I would like to only save the keys to AAD and not AD.
