11286 is an authorization failure. It is fairly vague, but somewhere in the process it is not seeing the user as valid. Try the following:
1. Create a test profile on SEMS with a test AD group as users.
2. Remove the user in AD from the current group and place them in the test group.
3. See if the user is prompted to enroll, and if drive encryption proceeds.
4. Move the user back to the original AD group.
The user may have some data which remains in the database showing that either they were removed manually or that they were already a member of that group. The above would hopefully prompt the system to change the database information for that user.