First, you'll want to make sure that TPM is enabled on your target devices. Then you'll want to look at configuring Group Policy to back up your recovery keys. Once you've covered that, you'd build and capture your reference virtual machine as normal.
When you get to deployment, you'll specify settings in the Answer File to join your domain and to run the command below during the First Logon Phase. (The Task tab in the advanced settings of the Answer File wizard allows you to specify commands.)
manage-bde.exe -on C: -RecoveryPassword -SkipHardwareTest
Note: When planning deployments that migrate existing user data on devices with BitLocker enabled, you will need to disable Secure Boot and suspend BitLocker in Windows before proceeding with the deployment.
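The steps above can be wrapped in a first-logon script that checks the TPM and the domain join before running the manage-bde command, and confirms afterwards that a recovery password protector exists. This is an added example, not part of the original page; it assumes the script runs elevated as the first-logon command, that the OS volume is C:, and the log path is hypothetical.

```powershell
# Added example: pre-flight checks around the manage-bde command from this page.
# Assumptions: runs elevated at first logon; OS volume is C:; log path is hypothetical.
$ErrorActionPreference = 'Stop'
$Log = 'C:\Windows\Temp\bitlocker-firstlogon.log'   # hypothetical path

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $Log
}

try {
    # 1. -SkipHardwareTest starts encryption without BitLocker's own test pass,
    #    so confirm the TPM is present and ready before relying on it.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        Write-Log "TPM not usable (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)); not encrypting."
        exit 1
    }

    # 2. The domain join must have completed, or the Group Policy that backs up
    #    recovery keys does not apply to this machine yet.
    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        Write-Log 'Computer is not domain joined; not encrypting.'
        exit 2
    }

    # 3. Leave the volume alone if it is already encrypted or mid-conversion.
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Log "C: is $($vol.VolumeStatus); nothing to do."
        exit 0
    }

    # 4. The command from the page. Its output contains the recovery password,
    #    so discard it instead of letting it land in a deployment log.
    & manage-bde.exe -on C: -RecoveryPassword -SkipHardwareTest | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Log "manage-bde exit code $LASTEXITCODE"; exit 3 }

    # 5. Confirm the recovery protector exists; log its ID only, never the password.
    $rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { Write-Log 'No RecoveryPassword protector after enable.'; exit 4 }
    Write-Log "Encryption started; recovery protector ID(s): $($rp.KeyProtectorId -join ', ')"
}
catch {
    Write-Log "Unexpected error: $($_.Exception.Message)"
    exit 5
}
```

The logged protector ID can be matched against the recovery information stored for the computer object to confirm that the backup configured through Group Policy actually happened.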