Windows 11 Device Encryption Suspended and Does Not Resume After Restart
On Windows 11 Pro devices, Device Encryption may display 'Device encryption is temporarily suspended. Encryption will resume automatically the next time you restart this device,' yet remains suspended across multiple restarts. The condition is typically caused by TPM initialisation issues, Secure Boot being disabled, pending Windows Updates, or policy conflicts blocking BitLocker resumption. Resolution involves manually resuming via manage-bde, validating TPM and Secure Boot state, applying outstanding updates, and if necessary decrypting and re-enabling Device Encryption through Windows Settings.
Indicators
- Settings shows: 'Device encryption is temporarily suspended. Encryption will resume automatically the next time you restart this device'
- Device encryption status remains suspended after one or more restarts
- manage-bde -status C: reports Protection Status: Protection Off with encryption percentage stalled
- Device Encryption enabled in Settings but shows no forward progress
Likely causes
- BitLocker or Device Encryption paused automatically by a system update or configuration change
- TPM (Trusted Platform Module) not properly initialised or reporting errors
- Secure Boot disabled in BIOS/UEFI, preventing encryption from resuming
- Pending Windows Update blocking encryption resumption
- Group Policy or Intune policy conflict interfering with BitLocker
- BIOS/UEFI firmware settings incompatible with Device Encryption requirements
Diagnostic steps
- Open an elevated Command Prompt and run 'manage-bde -status C:' to confirm the drive's current encryption percentage, protection state (On/Off), and suspension status.
- Run 'manage-bde -protectors -get C:' to verify that required key protectors (TPM, Recovery Key, etc.) are present and correctly configured.
- Open 'tpm.msc' (TPM Management Console) and confirm the TPM is ready, initialised, and reporting no errors. Note the TPM version — Device Encryption requires TPM 2.0.
- Run 'msinfo32', navigate to System Summary, and check the 'Secure Boot State' field. If it reads 'Off' or 'Unsupported', Secure Boot must be re-enabled in BIOS/UEFI before encryption can resume.
- Attempt to manually resume encryption from an elevated Command Prompt: 'manage-bde -resume C:'. Note any error codes returned.
- Check Windows Event Viewer under Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management for specific error codes or warnings explaining the suspension.
- In PowerShell, run 'Get-BitLockerVolume -MountPoint C:' to cross-check volume status, key protectors, and encryption percentage from the BitLocker WMI provider.
- Install all pending Windows Updates via Settings > Windows Update and restart the device. After restart, re-run 'manage-bde -status C:' to verify whether encryption has resumed.
- If encryption is still suspended after all of the above steps, disable encryption entirely: 'manage-bde -off C:'. Wait for full decryption to complete (verify with 'manage-bde -status C:'), then re-enable Device Encryption via Settings > Privacy & Security > Device Encryption.
Resolution path
- Open an elevated Command Prompt and run 'manage-bde -status C:' to confirm the drive is suspended and note the current encryption percentage.
- Run 'manage-bde -resume C:' to attempt manual resumption; if successful, confirm protection status returns to 'Protection On'.
- If resumption fails, open 'tpm.msc' and verify the TPM is ready and initialised with no errors.
- Run 'msinfo32' and confirm Secure Boot State is 'On'; if not, reboot into BIOS/UEFI and enable Secure Boot, then retry 'manage-bde -resume C:'.
- Check Event Viewer under BitLocker-API > Management for error codes and address any specific failures identified.
- Install all outstanding Windows Updates and restart; after reboot re-run 'manage-bde -status C:' to verify encryption resumed.
- If encryption remains suspended, run 'manage-bde -off C:' and wait for full decryption, then re-enable Device Encryption through Windows Settings.
- Confirm final state with 'manage-bde -status C:' — Protection Status should read 'Protection On' and percentage should be 100%.
Prevention
- Ensure TPM 2.0 is properly initialised before enabling Device Encryption on any Windows 11 device.
- Keep Secure Boot enabled in BIOS/UEFI settings; document UEFI configuration as part of device build standards.
- Apply Windows Updates regularly and promptly to minimise update-related automatic BitLocker suspensions.
- Avoid manually suspending BitLocker unless operationally required; resume immediately after the maintenance task is complete.
- Monitor BitLocker compliance status across the fleet using Intune Device Compliance policies with a BitLocker requirement rule.
- Back up BitLocker recovery keys to Azure AD (Entra ID) or on-premises Active Directory as part of the device enrolment workflow.
- Periodically audit encryption status using 'Get-BitLockerVolume' via PowerShell or Intune Encryption Report.
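The periodic Get-BitLockerVolume audit from the last prevention item, written as an added example that is not part of the original runbook. It queries the OS volume on each device over PowerShell remoting, treats unreachable hosts as non-compliant rather than silently dropping them, and writes a CSV that can be compared against the Intune Encryption Report. The computer names in the default parameter are constructed placeholders; in practice the list would come from Active Directory, Intune or a CMDB, and WinRM plus local administrator rights on the targets are assumed.

```powershell
# Added example (not part of the original runbook): fleet audit of Device
# Encryption / BitLocker state via Get-BitLockerVolume over PowerShell remoting.
param(
    [string[]]$ComputerName = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02'),  # constructed placeholders
    [string]$ReportPath = "$env:TEMP\bitlocker-audit-$(Get-Date -Format yyyyMMdd).csv"
)

# Runs on each target and returns one flat record per operating-system volume
$collect = {
    foreach ($v in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
        [pscustomobject]@{
            ComputerName         = $env:COMPUTERNAME
            MountPoint           = $v.MountPoint
            VolumeStatus         = [string]$v.VolumeStatus
            ProtectionStatus     = [string]$v.ProtectionStatus
            EncryptionPercentage = $v.EncryptionPercentage
            KeyProtectors        = (@($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }) -join ';')
        }
    }
}

$results = @(foreach ($c in $ComputerName) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $collect -ErrorAction Stop |
            Select-Object ComputerName, MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtectors
    } catch {
        # An unknown state is not a compliant state: record the failure as a finding
        [pscustomobject]@{
            ComputerName = $c; MountPoint = ''; VolumeStatus = 'Unreachable'
            ProtectionStatus = 'Unknown'; EncryptionPercentage = 0; KeyProtectors = ''
        }
    }
})

# Compliant = fully encrypted, protection on, and a recovery password that can be escrowed
$nonCompliant = @($results | Where-Object {
    $_.ProtectionStatus -ne 'On' -or
    $_.VolumeStatus -ne 'FullyEncrypted' -or
    $_.KeyProtectors -notmatch 'RecoveryPassword'
})

$results | Export-Csv -Path $ReportPath -NoTypeInformation
"Audited $($results.Count) volume(s); $($nonCompliant.Count) non-compliant. Report: $ReportPath"
$nonCompliant | Format-Table ComputerName, VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtectors -AutoSize
```

A device that shows 'EncryptionPaused' with 'ProtectionStatus=Off' across two consecutive audit runs is exactly the stuck-suspension case this runbook covers and should be routed to the diagnostic steps rather than waiting for the next restart.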
Tools
- manage-bde (BitLocker Drive Encryption command-line tool)
- tpm.msc (TPM Management Console)
- msinfo32 (System Information)
- Windows Event Viewer — BitLocker-API/Management log
- Windows PowerShell — Get-BitLockerVolume cmdlet
- Settings > Privacy & Security > Device Encryption