
Unable to save the BitLocker recovery key to Active Directory

We're trying to deploy BitLocker for an org and are having an issue where some computers fail to back up the BitLocker recovery key to AD and, consequently, do not encrypt the hard drives. The weirdest thing is that only SOME of the computers fail to back up the key. Others are just fine. Any ideas what can be happening and what can I do?

Best Answered by

iBoysoft author Ciki Liu

Answered on Friday, April 12, 2024

In your case, you should check if the BitLocker Group Policy settings are applied to those two faulty computers. It's highly likely the GPO configurations are partially wrong or not applied to them at all. You can then fix the GPO settings not applying issue and that should solve your issue.

Most of the Group Policy settings work well when BitLocker is initially enabled on a drive. However, if the computer doesn't comply with current Group Policy settings, BitLocker can be disabled or turned off. The scenarios can include what you've mentioned in the post, such as being unable to back up the BitLocker recovery key in AD, and consequently not encrypting the computer.

To view your GPO settings with the gpresult command, you can follow the steps below for a more detailed guide.

Step 1. Click on the Windows Start button and type in command prompt.

Step 2. Select the command prompt program and right-click on it. Choose Run as administrator.

Step 3. Type in the following command to view your Group Policy Settings.

gpresult /r

Step 4. You can see from the results whether the BitLocker GPO is applied. If it is, you should double-check by running the command below.

gpresult /h gpreport.html

If you find none of the settings in GPO are there on the bad computers, there are some possible fixes you can try to solve the GPO settings not applying issue besides using the gpupdate /force command.

  • Disable User or Computer Settings in Group Policy Object.
  • Block Inheritance and Enforcement in Group Policy Link.
  • Use the Group Policy Modelling Wizard.
  • Enable Group Policy Preferences Debug Logging.

If nothing works after trying out all methods mentioned above, you can only manually save and back up the BitLocker recovery key in a safe location.
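
The check described in the answer above, as an added PowerShell example that is not part of the original answer: it confirms whether the BitLocker policy values actually reached the computer, saves a computer-scope gpresult report, and retries the AD backup so the real error is shown. It assumes a domain-joined computer, an elevated session, the built-in BitLocker module, and that the policy in question is the operating system drive recovery setting; the report path is a constructed placeholder.

```powershell
# Added example: run from an elevated PowerShell session on an affected computer.
#Requires -RunAsAdministrator

# 1. Did the BitLocker policy land? Applied settings are written under this key.
$fvePath  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Values set by "Choose how BitLocker-protected operating system drives can be
# recovered" (assumption: this is the setting your GPO uses for AD backup).
$expected = 'OSRecovery', 'OSActiveDirectoryBackup', 'OSRequireActiveDirectoryBackup'

if (-not (Test-Path -Path $fvePath)) {
    Write-Warning "BitLocker policy key is missing ($fvePath). The GPO has not applied here."
} else {
    $fve = Get-ItemProperty -Path $fvePath
    foreach ($name in $expected) {
        $prop = $fve.PSObject.Properties[$name]
        if ($null -eq $prop) {
            Write-Warning "$name is not set on this computer."
        } else {
            Write-Output ("{0} = {1}" -f $name, $prop.Value)
        }
    }
}

# 2. Save the computer-scope Group Policy report for comparison with a working PC.
$report = Join-Path $env:TEMP 'gpreport.html'   # placeholder path
gpresult /scope computer /h $report /f
Write-Output "Group Policy report written to $report"

# 3. Retry the AD backup for each recovery password and surface the actual error.
$mount    = $env:SystemDrive
$volume   = Get-BitLockerVolume -MountPoint $mount
$recovery = @($volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

if ($recovery.Count -eq 0) {
    Write-Warning "No recovery password protector exists on $mount, so there is nothing to back up."
}
foreach ($kp in $recovery) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $mount `
            -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Output "Backed up protector $($kp.KeyProtectorId) to Active Directory."
    } catch {
        Write-Warning "Backup failed for $($kp.KeyProtectorId): $($_.Exception.Message)"
    }
}
```

Running it on one working and one failing computer and comparing the output shows whether the difference is in policy delivery or in the backup call itself.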
