this is while enrolling or encrypting? - No the user has been enrolled and encrypted since last year. The errors occur during the normal client policy/key sync process.
what`s the email address in the directory user account? - The user's email address is valid when viewing from Consumers - Users. We are not using Verified Directory User Accounts. The user's email address matches our managed domain.
is directory synch properly configured? Yes, it appears to be working just fine
Did you add domain route? - Not that I'm aware of
Thanks