This can also be broken by (and mitigated by) this:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/dpapi-masterkey-backup-failures
When the issue described in that article exists, then the PowerShell call to [System.Security.Cryptography.ProtectedData]::Protect will fail.
Applying the registry change in the article enables that call to succeed again.