
Summary
This analytic rule is designed to detect unauthorized modifications to the Windows registry that target BitLocker settings, a crucial part of system security related to disk encryption. The detected activity is indicative of attempts to manipulate these settings, as seen in malware such as ShrinkLocker, which alters registry keys associated with BitLocker. Specifically, it looks for changes that allow BitLocker to be enabled without a Trusted Platform Module (TPM) or that modify startup key and PIN configurations. These alterations can significantly weaken BitLocker's security, facilitating unauthorized access and posing a data breach risk. The rule analyzes Sysmon Event ID 13 (RegistryEvent, value set) records and searches for specific registry paths and value states that are critical to maintaining a proper BitLocker configuration. Identifying these changes proactively helps keep the encryption configuration intact and protects sensitive data from attack.
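The following is an added example of the detection logic described above, not the rule's own implementation. It evaluates Sysmon Event ID 13 records (represented here as plain Python objects rather than Sysmon's XML) against the BitLocker Group Policy key HKLM\SOFTWARE\Policies\Microsoft\FVE. The value names watched (EnableBDEWithNoTPM, UseAdvancedStartup, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN) are the documented Windows policy values for starting BitLocker without a TPM and for startup key/PIN protectors; which of them the real rule covers is an assumption, as is the "DWORD (0x00000001)" formatting of the Details field. The sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registry key holding BitLocker Group Policy settings (documented Microsoft policy path).
FVE_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\FVE"

# Values that let BitLocker run without a TPM; alert only when set to 1.
# Assumed subset: the page does not list the rule's exact value names.
ENABLE_WITHOUT_TPM_VALUES = {"enablebdewithnotpm", "useadvancedstartup"}

# Values that shape startup key / PIN protector policy; alert on any write.
PROTECTOR_VALUES = {"usetpm", "usetpmpin", "usetpmkey", "usetpmkeypin"}

# Sysmon renders DWORD writes as "DWORD (0xXXXXXXXX)" in the Details field (assumed format).
DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


@dataclass(frozen=True)
class RegistryEvent:
    """Minimal view of a Sysmon registry event (constructed representation)."""
    event_id: int
    image: str           # process that performed the write
    target_object: str   # full registry path including the value name
    details: str         # new value as Sysmon renders it


@dataclass(frozen=True)
class Finding:
    image: str
    value_name: str
    details: str
    reason: str


def parse_dword(details: str) -> Optional[int]:
    """Return the integer behind a 'DWORD (0x...)' Details string, else None."""
    m = DWORD_RE.match(details.strip())
    return int(m.group(1), 16) if m else None


def split_target(target_object: str) -> Tuple[str, str]:
    """Split 'HKLM\\...\\Key\\ValueName' into (key path, value name)."""
    key, _, value = target_object.rpartition("\\")
    return key, value


def evaluate(event: RegistryEvent) -> Optional[Finding]:
    """Apply the rule to one event; registry paths compare case-insensitively."""
    if event.event_id != 13:          # only 'value set' events are in scope
        return None
    key, value = split_target(event.target_object)
    if key.lower() != FVE_POLICY_KEY.lower():
        return None
    name = value.lower()
    if name in ENABLE_WITHOUT_TPM_VALUES:
        if parse_dword(event.details) == 1:
            return Finding(event.image, value, event.details,
                           "BitLocker permitted to start without a TPM")
        return None                   # writing 0 re-tightens the policy
    if name in PROTECTOR_VALUES:
        return Finding(event.image, value, event.details,
                       "startup key / PIN protector policy changed")
    return None


def detect(events: List[RegistryEvent]) -> List[Finding]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample telemetry; paths and images are illustrative only.
SAMPLE_EVENTS = [
    RegistryEvent(13, r"C:\Windows\System32\reg.exe",
                  FVE_POLICY_KEY + r"\EnableBDEWithNoTPM", "DWORD (0x00000001)"),
    RegistryEvent(13, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  FVE_POLICY_KEY + r"\UseAdvancedStartup", "DWORD (0x00000001)"),
    RegistryEvent(13, r"C:\Windows\System32\svchost.exe",
                  FVE_POLICY_KEY + r"\UseTPMPIN", "DWORD (0x00000002)"),
    RegistryEvent(13, r"C:\Windows\System32\reg.exe",
                  FVE_POLICY_KEY + r"\EnableBDEWithNoTPM", "DWORD (0x00000000)"),
    RegistryEvent(12, r"C:\Windows\System32\cmd.exe", FVE_POLICY_KEY, ""),
    RegistryEvent(13, r"C:\Windows\System32\notepad.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                  r"C:\Users\Public\updater.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.image} set {f.value_name}={f.details}: {f.reason}")
```

Group Policy refreshes write these same values through svchost.exe, so the third sample event is expected to fire on any domain-joined host that legitimately enforces a PIN; in production the Image field carried in each finding is what an analyst tunes on (script hosts and reg.exe writing FVE policy are far less expected than the policy engine).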
Categories
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1112
Created: 2024-11-13