manage-bde -protectors -add Volume {-RecoveryPassword|-rp} NumericalPassword {-RecoveryKey|-rk} PathToExternalKeyDirectory ...

manage-bde -protectors -add Volume
                [{-RecoveryPassword|-rp} [NumericalPassword]]
                [{-RecoveryKey|-rk} PathToExternalKeyDirectory]
                [{-StartupKey|-sk} PathToExternalKeyDirectory]
                [{-Certificate|-cert} {-cf PathToCertificateFile|
                                       -ct CertificateThumbprint}]
                [-TPM]
                [{-TPMAndPIN|-tp}]
                [{-TPMAndStartupKey|-tsk} PathToExternalKeyDirectory]
                [{-TPMAndPINAndStartupKey|-tpsk} -tsk
                    PathToExternalKeyDirectory]
                [{-Password|-pw}]
                [{-ADAccountOrGroup|-sid} {SID|domain\user|domain\group}
                    [-service]]
                [{-ComputerName|-cn} ComputerName]
                [{-?|/?}] [{-Help|-h}]

Description:
    Adds key protection methods. Use 'manage-bde -on' to encrypt once key
    protectors have been added.

Parameter List:
    Volume      Required. A drive letter followed by a colon,
                a volume GUID path or a mounted volume. Example: "C:",
                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or
                "C:\MountVolume"
    -RecoveryPassword or -rp
                Adds a Numerical Password protector. Required to begin
                encryption if one has not already been added. Leave the
                argument blank to generate a random numerical password
                (recommended). These passwords have special format
                requirements. Provide any argument such as "?" to read the
                requirements.
    -RecoveryKey or -rk
                Adds an External Key protector for recovery. Optional. Provide
                the absolute directory path where the file containing the
                randomly-generated external key will be saved. Example: "E:"
    -StartupKey or -sk
                Adds an External Key protector for startup. Required if the
                computer does not have a supported TPM and one has not already
                been added. To use a startup key, the saved external key file
                must be located on the root directory of a USB flash drive.
                Since both the -RecoveryKey and -StartupKey parameters produce
                External Key protectors, the saved files can be used
                interchangeably.
    -Certificate or -cert
                Adds a public key protector for the data volume. The user's
                certificate store is queried for a valid BitLocker
                certificate. If exactly one certificate is found, the
                certificate is used as the BitLocker encryption certificate.
                If two or more certificates are found the operation will fail
                and the thumbprint of a valid BitLocker certificate should be
                specified. Optional. Provide the location of a valid
                certificate file or provide the certificate thumbprint of a
                valid BitLocker certificate that will be present locally in
                the certificate store.
    -TPMAndPIN or -tp
                Adds a TPM And PIN protector for the OS volume. Optional.
                You will be prompted for a 4-20 digit numeric PIN that must be
                typed each time the computer starts. Since TPM-only protection
                overrides this protector, any TPM protector on the computer is
                removed and replaced.
    -TPMAndStartupKey or -tsk
                Adds a TPM And Startup Key protector for the OS volume.
                Optional. To use a startup key, the saved file must be located
                on the root directory of a USB flash drive. Since TPM-only
                protection overrides this protector, any TPM protector on the
                computer is removed and replaced.
    -TPMAndPINAndStartupKey or -tpsk
                Adds a TPM And PIN And Startup Key protector for the OS volume.
                TPM-only, TPM And PIN, and TPM And Startup Key protectors on
                the volume are removed.
    -tpm        Adds a TPM protector for the OS volume. This protector
                specifies TPM-only protection and overrides any other
                TPM-related protectors. TPM And PIN or TPM And StartupKey
                protectors are removed and replaced.
    -Password or -pw
                Adds a password key protector for the volume. Optional. You
                will be prompted for a password that will be used to unlock
                the device.
    -ADAccountOrGroup or -sid
                Adds an SID-based Identity protector for the volume. The volume
                will automatically unlock if the user or computer has the
                proper credentials. When specifying a computer account, append
                a '$' to the computer name and specify -service to indicate
                that the unlock should happen in the context of the BitLocker
                service (instead of the user).
    -ComputerName or -cn
                Runs on another computer. Examples: "ComputerX", "127.0.0.1"
    -? or /?    Displays brief help. Example: "-ParameterSet -?"
    -Help or -h Displays complete help. Example: "-ParameterSet -h"

Examples:
    manage-bde -protectors -add e: -RecoveryPassword
    manage-bde -protectors -add e: -rp -rk h:\
    manage-bde -protectors -add e: -TPMAndPIN
    manage-bde -protectors -add e: -Certificate -cf
        "c:\File Folder\Filename.cer"
    manage-bde -protectors -add e: -pw
    manage-bde -protectors -add e: -sid Domain\User
    manage-bde -protectors -add e: -sid Domain\Machine$ -service
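
Added example (not part of the manage-bde help output): a PowerShell script that adds a recovery password and a TPM And PIN protector to an OS volume with the switches documented above, then verifies the resulting protector set. The replacement rules above mean a later -tpm silently removes the PIN requirement, so the end state is checked rather than assumed. Assumptions: an elevated session, a usable TPM, the built-in BitLocker module for Get-BitLockerVolume, and the hypothetical helper names Get-ProtectorTypes and Invoke-AddProtector.

```powershell
# Added example (not Microsoft's code). Run from an elevated PowerShell session.
# Assumption: $Volume is the OS volume of a machine with a usable TPM.
param([string]$Volume = 'C:')

function Get-ProtectorTypes {
    param([string]$MountPoint)
    # Get-BitLockerVolume is part of the built-in BitLocker module.
    @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        ForEach-Object { $_.KeyProtectorType.ToString() })
}

function Invoke-AddProtector {
    param([string[]]$ProtectorArgs)
    # manage-bde is a native executable, so failure shows up in $LASTEXITCODE.
    & manage-bde.exe -protectors -add $Volume @ProtectorArgs
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -protectors -add $Volume $ProtectorArgs failed ($LASTEXITCODE)"
    }
}

$before = Get-ProtectorTypes -MountPoint $Volume

# 1. Recovery path first. With no argument, -RecoveryPassword generates a random
#    numerical password and prints it; store it somewhere other than this volume.
if ($before -notcontains 'RecoveryPassword') {
    Invoke-AddProtector -ProtectorArgs '-RecoveryPassword'
}

# 2. Pre-boot authentication. Prompts for the PIN; per the help text this
#    removes and replaces any TPM-only protector.
if ($before -notcontains 'TpmPin') {
    Invoke-AddProtector -ProtectorArgs '-TPMAndPIN'
}

# 3. Verify the end state instead of trusting the command output.
$after = Get-ProtectorTypes -MountPoint $Volume
$problems = @()
if ($after -contains 'Tpm')                 { $problems += 'TPM-only protector present' }
if ($after -notcontains 'TpmPin')           { $problems += 'TPM And PIN protector missing' }
if ($after -notcontains 'RecoveryPassword') { $problems += 'no recovery password' }

if ($problems.Count) { throw "$Volume protector check failed: $($problems -join '; ')" }
"$Volume protectors: $($after -join ', ')"
```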