I am trying to understand how devices running newer versions of Windows 10 are configured by default.
There is no requirement for how devices are configured by default and it will depend on the make, model, and configured features of the device.
With devices that shipped with Windows 7 it was very typical for the TPM to be disabled in the BIOS and need to be initialized in Windows before Bitlocker could be enabled.
With devices that ship with Windows 10 it is very typical for the TPM to be enabled and initialized and for there to be no other steps required to enable Bitlocker.
Explain to me then what the Resume, Refresh, and Suspend encryption are doing?
When you enable Bitlocker a decryption key is generated and stored on the hard drive in a way that only the TPM or the recovery password can decrypt.
When you pause Bitlocker, that key is then stored on the drive in an unencrypted fashion. This means that the data on the drive is still encrypted but the key to decrypt the data is available without needing the TPM or the recovery password. New data written to the disk is still encrypted.
When you resume Bitlocker, that key is then re-encrypted and then requires the TPM or the recovery password to decrypt.
Invoke - Bitlocker Encrypt System Volume - Windows Fixlet starts Bitlocker encryption for the drive.
Invoke - Bitlocker Suspend System Drive Encryption - Windows Fixlet suspends/pauses Bitlocker encryption.
Invoke - Bitlocker Resume System Drive Encryption - Windows Fixlet resumes Bitlocker encryption.
Yes I have that fixlet and yes that device is showing relevant for it.
Protection is off for the device and so resuming encryption is required. The fixlets provided aren’t meant to cover every possible Bitlocker edge-case. I would recommend resuming encryption on that device and then checking the status on it to make sure Bitlocker was configured how you want it to be configured.
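As an added example, not part of this thread or of the BigFix fixlets it mentions, the following PowerShell reports the state the posts above talk about: whether the TPM is already ready (so no BIOS step is needed), whether the drive data is encrypted, and whether the key is locked behind a protector or sitting in the clear because BitLocker is suspended. It uses the built-in `Get-Tpm`, `Get-BitLockerVolume` and `Resume-BitLocker` cmdlets (BitLocker PowerShell module, elevated prompt); the function name `Get-BitLockerPosture` and its `-Resume` switch are this example's own.

```powershell
# Added example (not from the thread or the fixlets): classify the BitLocker
# state of a volume and optionally re-protect it. Assumes Windows 10 or later
# with the BitLocker module and an elevated session. Function/parameter names
# are hypothetical; the cmdlets and property names are the real Windows ones.

function Get-BitLockerPosture {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,   # e.g. "C:"
        [switch]$Resume                            # re-protect if suspended
    )

    # On Windows 10-era hardware TpmReady is normally already $true, which is
    # why no BIOS/initialization step is needed before enabling BitLocker.
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # VolumeStatus says whether the data is ciphertext. ProtectionStatus says
    # whether the key is locked behind a protector (TPM, recovery password...).
    # FullyEncrypted with ProtectionStatus Off is the "suspended" state the
    # thread describes: data still encrypted, key stored in the clear on disk.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $state = 'NotEncrypted'
    }
    elseif ($vol.VolumeStatus -in 'EncryptionInProgress', 'EncryptionSuspended') {
        $state = 'Encrypting'
    }
    elseif ($vol.ProtectionStatus -eq 'On') {
        $state = 'Protected'
    }
    else {
        $state = 'Suspended'
    }

    # Resume re-encrypts the key so the TPM or recovery password is required
    # again; ProtectionStatus flips back to On without re-encrypting the data.
    if ($state -eq 'Suspended' -and $Resume) {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $state = if ($vol.ProtectionStatus -eq 'On') { 'Protected' } else { 'Suspended' }
    }

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        TpmPresent           = $tpm.TpmPresent
        TpmReady             = $tpm.TpmReady
        VolumeStatus         = $vol.VolumeStatus
        EncryptionPercentage = $vol.EncryptionPercentage
        ProtectionStatus     = $vol.ProtectionStatus
        KeyProtectors        = ($vol.KeyProtector.KeyProtectorType -join ', ')
        State                = $state
    }
}

# Usage: report only, then re-protect if the suspend fixlet left the drive open.
Get-BitLockerPosture
Get-BitLockerPosture -Resume
```

Run the report-only form first on the device showing as relevant: a `State` of `Suspended` with `KeyProtectors` listing `Tpm` and `RecoveryPassword` matches the situation in the last post, and the `-Resume` run should then return `Protected` with `ProtectionStatus` `On`.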