One machine unable to enable Bitlocker - Your Active Directory Domain Services schema isn't configured to run BitLocker Drive Encryption

Posted by Eneerge@reddit | sysadmin | View on Reddit | 3 comments

I currently have a BitLocker configuration set up in Intune that automatically and silently configures all devices to enable BitLocker for all drives. Until now, this configuration has worked fine: BitLocker enables, the recovery key is saved in Intune/AzureAD and the device shows up as compliant.

On one device (Dell Optiplex), it is unable to enable BitLocker. This is reported in the event log:

    Failed to enable Silent Encryption. Error: The parameter is incorrect.
    Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD. TraceId: {x-x-x-x-x} Error: The parameter is incorrect.
    Failed to backup BitLocker Drive Encryption recovery information to Active Directory Domain Services. Protector GUID: {5b707a66-68ea-4525-9dca-8d61923d960f} Identification GUID: {23219776-f36e-4795-9fa8-5c1a8f8acd14}

So this is odd, because we don't use Active Directory Domain Services. We don't even have a local Active Directory.

The OS has been reinstalled a few different times following a secure erase of the SSD. BIOS settings have TPM enabled and Secure Boot on. BIOS was updated as recently as last month. Pretty standard, similar to our other machines. I have various other hardware that experiences no issue (XPS, NUCs, Alienwares, Asus, Surface).

When trying to use manage-bde to enable it on the command line, I get a slightly different error:

    The Active Directory Domain Services forest does not contain the required attributes and classes to host BitLocker Drive Encryption or Trusted Platform Module information. Contact your domain administrator to verify that any required BitLocker Active Directory schema extensions have been installed.

Nope, I'm still not using ADDS, but I'm getting that error. Anyone have any ideas why this error would appear in an AzureAD-only environment?
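An added triage script (not from the post or its replies) that gathers, on the affected device, the evidence the post refers to: BitLocker event-log entries matching the quoted error text, the volume's key protectors, TPM readiness and the device's join state. It assumes an elevated PowerShell session on Windows 10/11 with the inbox BitLocker and TrustedPlatformModule modules; the event-log name and filter strings below are chosen here, not taken from the post.

```powershell
# Added diagnostic script (not the poster's). Run elevated on the failing device.

# 1. Recent BitLocker management events whose text matches the errors quoted in the post.
$log = 'Microsoft-Windows-BitLocker/BitLocker Management'
$patterns = 'Silent Encryption', 'Active Directory Domain Services', 'Azure AD'
Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message; $patterns | Where-Object { $m -like "*$_*" } } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 2. Volume state and key protectors. A volume with no RecoveryPassword protector has
#    nothing to back up, which is one reason a backup step can fail before encryption starts.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } } |
    Format-Table -AutoSize

# 3. TPM readiness: silent encryption requires a present, ready TPM.
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned

# 4. Join state. For the AzureAD-only setup described in the post the expectation is
#    AzureAdJoined : YES and DomainJoined : NO; a DomainJoined : YES here would explain
#    why the client tries an AD DS backup at all.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|DeviceId|TenantName'
```

Compare the output of steps 2 to 4 against a device where silent encryption succeeds; a difference in the protector list or join state is the quickest way to narrow the cause.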