Windows 11 Device Encryption Stuck in 'Temporarily Suspended' State After Restart
On Windows 11 Pro, Device Encryption may stall in a persistent 'temporarily suspended' state despite multiple restarts, indicating the underlying BitLocker protection has not auto-resumed as expected. The issue is typically resolved by manually invoking 'manage-bde -resume C:' from an elevated Command Prompt, followed by TPM validation and pending Windows Update installation if the problem persists. As a last resort, decrypting and re-enabling Device Encryption through Windows Settings will restore a clean encryption state.
Indicators
- Settings displays: 'Device encryption is temporarily suspended. Encryption will resume automatically the next time you restart this device'
- Encryption status remains suspended after one or more full system restarts
- Device Encryption is shown as enabled in Settings but the system drive is not fully encrypted
- `manage-bde -status C:` reports Protection Status as 'Protection Off' or conversion status as 'Suspended'
Likely causes
- BitLocker protection was suspended (e.g., for a firmware/update operation) and failed to auto-resume after restart
- Pending Windows Update or in-progress system configuration change blocking encryption resumption
- TPM not properly sealing new keys after restart, preventing BitLocker from re-engaging protection
- Group Policy or registry setting explicitly preventing automatic BitLocker resume
- Encryption process interrupted by power loss, forced shutdown, or hibernate during initial encryption
- Conflict with a third-party security, antivirus, or disk management application interfering with BitLocker
Diagnostic steps
- Open an elevated Command Prompt (Run as Administrator) and run: `manage-bde -status C:` to confirm the BitLocker/Device Encryption state of the system drive, noting 'Protection Status' and 'Conversion Status'.
- If Protection Status shows 'Protection Off' or Conversion Status shows 'Suspended', run: `manage-bde -resume C:` to manually force encryption to resume.
- Re-run `manage-bde -status C:` and confirm Protection Status has changed to 'Protection On' and Conversion Status is progressing or shows 'Fully Encrypted'.
- If the resume command fails or the status reverts after restart, open `tpm.msc` (TPM Management Console) and verify the TPM is enabled, active, and shows status 'Ready'. If not ready, initialize or clear the TPM via BIOS/UEFI firmware settings, then restart.
- Navigate to Settings > Windows Update and install all pending updates. Restart the system and re-run `manage-bde -status C:` followed by `manage-bde -resume C:` if still suspended.
- Open Event Viewer and review Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management for errors logged around the time encryption was suspended, to identify any specific blocking cause.
- If all above steps fail to resolve the issue, disable encryption entirely by running `manage-bde -off C:` and waiting for full decryption to complete (verify with `manage-bde -status C:`), then re-enable Device Encryption via Settings > Privacy & Security > Device Encryption.
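The read-only checks from the diagnostic steps above (volume state, TPM readiness, BitLocker-API log review), gathered into one elevated PowerShell script. This is an added example, not part of the original page: it uses the `Get-BitLockerVolume` and `Get-Tpm` cmdlets in place of `manage-bde -status` and `tpm.msc`, and the seven-day look-back and the `LooksSuspended` field name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only triage of a suspended Device Encryption state.
# Nothing here resumes, suspends or decrypts; it only collects evidence.

$mount = 'C:'   # system drive, as used throughout the page

# Volume state: the cmdlet equivalent of `manage-bde -status C:`.
$vol = Get-BitLockerVolume -MountPoint $mount

# Protection off while the volume still holds encrypted data is the
# "suspended" condition described in the indicators.
$suspended = ($vol.ProtectionStatus -eq 'Off') -and
             ($vol.VolumeStatus -ne 'FullyDecrypted')

# TPM readiness: the same information tpm.msc displays.
$tpm = Get-Tpm

# Critical/error/warning entries from the BitLocker-API Management log.
# Assumption: a seven-day window covers the time protection was suspended.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker-API/Management'
    Level     = 1, 2, 3
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue)

# One summary object, easy to paste into a ticket.
[pscustomobject]@{
    MountPoint        = $vol.MountPoint
    VolumeStatus      = $vol.VolumeStatus
    ProtectionStatus  = $vol.ProtectionStatus
    EncryptionPercent = $vol.EncryptionPercentage
    KeyProtectors     = ($vol.KeyProtector.KeyProtectorType -join ', ')
    LooksSuspended    = $suspended
    TpmPresent        = $tpm.TpmPresent
    TpmReady          = $tpm.TpmReady
    RecentLogEntries  = $events.Count
} | Format-List

# Most recent entries first, for correlating with the suspension time.
$events |
    Select-Object -First 10 TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Run it before and after the resume attempt and compare `ProtectionStatus` and `VolumeStatus` between the two outputs.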
Resolution path
- Open an elevated Command Prompt and run `manage-bde -status C:` to confirm the suspended state
- Run `manage-bde -resume C:` to manually force BitLocker encryption to resume on the system drive
- Verify resolution with a second `manage-bde -status C:` check — confirm Protection Status is 'Protection On'
- If still suspended, check TPM readiness via `tpm.msc` and re-initialize through BIOS/UEFI if required, then restart
- Install all pending Windows Updates via Settings > Windows Update, restart, and re-attempt `manage-bde -resume C:`
- Review BitLocker-API Event Viewer logs to identify any application or policy-level conflict blocking resumption
- As a last resort, run `manage-bde -off C:` to fully decrypt the drive, then re-enable Device Encryption through Windows Settings
Prevention
- Ensure the system is fully patched and all Windows Updates are installed before enabling Device Encryption
- Verify TPM 2.0 is enabled, active, and healthy in BIOS/UEFI firmware prior to initiating encryption
- Avoid forced shutdowns, power interruptions, or hibernate cycles during the initial encryption process
- Do not manually suspend BitLocker (e.g., via `manage-bde -protectors -disable`) unless strictly required; always resume before the next restart
- After enabling Device Encryption, monitor status with `manage-bde -status C:` until 'Fully Encrypted' and 'Protection On' are confirmed
- Audit Group Policy and third-party security software for settings that could interfere with BitLocker auto-resume behaviour
Tools
- manage-bde (BitLocker Drive Encryption command-line tool — elevated CMD)
- tpm.msc (TPM Management Console)
- Windows Settings > Privacy & Security > Device Encryption
- Event Viewer > Microsoft > Windows > BitLocker-API > Management
- Windows PowerShell (elevated)
- Command Prompt (elevated)