Enable bitlocker and save key to share

Posted by user273694 on Super User
Published on 2013-11-13T09:31:02Z

I have searched all over the web but cannot find a complete answer to this: How to enable Bitlocker on a laptop with TPM, and store a file with the Bitlocker recovery key and TPM password by USING THE manage-bde command line tool. The file should be the same as when created in the Bitlocker manager UI. I DO NOT want to save to AD. The same question was asked here but was not answered correctly.

The goal is to write a script to be used with an endpoint manager.

I have tried the following:

manage-bde -on C:

Works fine, but does not create or save a key.

manage-bde -on C: -rk C:\myfolder\

and

manage-bde -on C: -RecoveryKey C:\myfolder\ -rp

The output from the last two methods state that a key has been saved to c:\myfolder and so on, but that is not the case. It also says that I have to:

  1. Save the password in a secure location
  2. Insert a USB flash drive with an external key file into the computer.
  3. Restart and run hardware test
  4. type "manage-bde -status" to check if the hardware test succeeded

After a restart, I get an error saying that Bitlocker could not be enabled because

the bitlocker startup key or recovery password cannot be found on the USB device.... C: was not encrypted.

Why am I asked to insert a USB?? I simply want to encrypt the hard drive and save the recovery information to a file automatically. Is that too much to ask?

Help please!
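The following PowerShell script is an added example, not the poster's script or Microsoft's documentation. It wraps manage-bde (so it also works on Windows 7, which has no BitLocker cmdlets), adds a TPM protector plus a numerical recovery password instead of the external-key (-rk) protector that demands a USB device at boot, parses the password out of "manage-bde -protectors -get", and writes it to a text file. It assumes an elevated prompt, an initialised TPM, and that $OutDir (a constructed path) is writable.

```powershell
# Added example, not from the original post: turn on BitLocker for $Drive with
# a TPM protector and a 48-digit recovery password, saving the password to a
# file rather than to Active Directory or a USB stick.
$Drive  = 'C:'
$OutDir = 'C:\myfolder'   # assumption: local folder or UNC share to receive the file

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Protectors: TPM unlocks the OS at normal boot; the numerical password is the
#    recovery path. No -rk / -RecoveryKey, so nothing is expected on a USB device.
manage-bde -protectors -add $Drive -tpm              | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Adding TPM protector failed ($LASTEXITCODE)" }
manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Adding recovery password failed ($LASTEXITCODE)" }

# 2. Read the protectors back; the recovery password is only ever shown here.
$text = (manage-bde -protectors -get $Drive) -join "`n"
$id   = [regex]::Match($text, 'Numerical Password:\s*ID:\s*\{([0-9A-F-]+)\}', 'IgnoreCase').Groups[1].Value
$pw   = [regex]::Match($text, '(\d{6}-){7}\d{6}').Value
if (-not $id -or -not $pw) { throw "Could not parse recovery password from manage-bde output" }

# 3. Write a file in the same spirit as the BitLocker UI's "Save to a file" option
#    (identifier plus recovery key). Layout is an approximation, not byte-identical.
$file = Join-Path $OutDir ("BitLocker Recovery Key {0}.txt" -f $id)
@(
    'BitLocker Drive Encryption recovery key'
    ''
    "Volume:     $Drive on $env:COMPUTERNAME"
    "Identifier: $id"
    "Recovery Key: $pw"
) | Set-Content -Path $file -Encoding ASCII

# 4. Start encryption. -SkipHardwareTest (-s) avoids the restart-and-test step that
#    the poster hit; with TPM + recovery password there is no USB key to test for.
manage-bde -on $Drive -SkipHardwareTest
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed ($LASTEXITCODE)" }

# 5. Report progress; "manage-bde -status C:" can be re-run from the endpoint manager.
manage-bde -status $Drive
Write-Host "Recovery password saved to $file"
```

The recovery password file unlocks the whole volume, so the share it lands on needs the same access control you would give the disk itself, and the endpoint manager should delete or move it once it has been collected.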
