Neil - I had the same issue last week when I setup 5 Network Prevent's on a new 2016 server build. Though I don't use the default certificates and had copied our own keystore (Mon_MMM_DD_HH:MM_SS....sslkeystore) file into ProgramData it was still not listening on 8100 after restart. Install log showed success and only log message was unable to init transport layer.
I could find no other solution other than a KB about the custom certificate not being copied which I had already done.
The end fix was it also needed to have the IP\HostName commented out in the Communication.properties file, even if it was the correct addess.
Once I did that and restarted the DLP service it was listening on 8100 and Enforce connected\registered the Detection server.