Another point that has popped into my mind about this - If you go into the BIOS and go to the security section, then SecureBoot, you may have an option called "Allow Microsoft 3rd party UEFI CA", this option needs to be enabled for our bootloader to function. This is a relatively new thing on certain devices, our bootloader is still signed by Microsoft though. The system may just boot after enabling this if it's disabled.
I managed to find the find the laptop with an issue by clicking on the tab "Computer with missing recovery". initialy i was clicking on the new policy thinking the system will automatically assign the computers with issues.
Pabalelo gave kudos to AAndrejko in Can't boot anymore after Activating Full Disk encryption
Pabalelo received kudos from Kstainton in Computers with missing recovery data and Password
