

We have 3 devices, enrolled at the same time with the same user: 1 device has the recovery key in Azure AD, the other 2 don't. In the BitLocker event log of those 2 devices there is an event where the recovery key is saved in AD, but not Azure AD.

As we enabled "Require device to back up recovery information to Azure AD", in my opinion those 2 devices shouldn't be encrypted, because the key isn't saved in Azure AD.

I’ve opened a support case, so I will provide an update here once we find a solution.

I’ve created a script as a workaround, but I don’t see it as a permanent solution. Running the script is a one-time shot, so for example what will happen when a key rotation is triggered? Also, the policy states that BitLocker is enabled only if the key is saved in Azure AD, and that’s not the case: the drive is encrypted, but the key isn’t saved in Azure AD.
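The kind of workaround the comment above describes, written out as an added example (this is not the commenter's script and not Microsoft's own tooling): it walks every protected volume, asks the OS to back up each recovery-password protector to Azure AD with the BitLocker module's `BackupToAAD-BitLockerKeyProtector` cmdlet, and then checks the BitLocker Management event log for the backup result instead of trusting the cmdlet's silence. Because the call is idempotent, the same script can run on a schedule or after a key rotation rather than as a one-time shot. The event IDs 845 (Azure AD backup succeeded) and 846 (Azure AD backup failed) are an assumption to verify on your own build; so is the requirement that the device is Azure AD joined or hybrid joined.

```powershell
# Added example, not the script from the comment or a Microsoft-provided one.
# Assumptions: run elevated on an Azure AD joined (or hybrid joined) device;
# event IDs 845/846 are the Azure AD backup success/failure events in the
# Microsoft-Windows-BitLocker/BitLocker Management log (verify on your build).

#Requires -RunAsAdministrator
Import-Module BitLocker

$results = foreach ($vol in Get-BitLockerVolume) {
    # Only volumes that are actually protected matter; the issue in the comment
    # is an encrypted drive whose recovery key never reached Azure AD.
    if ($vol.ProtectionStatus -ne 'On') { continue }

    $recoveryProtectors = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    foreach ($kp in $recoveryProtectors) {
        $before = Get-Date
        try {
            # Requests the Azure AD backup for this specific protector. Safe to
            # call repeatedly, so a scheduled run will also pick up the new
            # protector that a key rotation creates.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
            $status = 'Requested'
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }

        # Confirm from the event log rather than from the cmdlet alone:
        # the comment's devices logged an AD DS backup but no Azure AD backup.
        $evt = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
            Id        = 845, 846   # assumed IDs: 845 = AAD backup OK, 846 = AAD backup failed
            StartTime = $before
        } -ErrorAction SilentlyContinue | Select-Object -First 1

        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            KeyProtectorId = $kp.KeyProtectorId
            BackupCall     = $status
            EventId        = $evt.Id
            EventMessage   = if ($evt) { ($evt.Message -split "`n")[0] } else { 'no backup event logged' }
        }
    }
}

$results | Format-Table -AutoSize
```

A row showing `BackupCall = Requested` but `EventId` empty or 846 is the interesting case: the cmdlet accepted the request, yet the device did not complete the upload, which is the state the comment describes. Running this as a scheduled task does not make the policy enforce the backup; it only closes the gap until the policy behaviour is clarified.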