Just a quick question. I have enabled BitLocker with a TPM-only protector and was wondering if I need to set an Admin BIOS/UEFI password to prevent someone from changing the UEFI settings. I also have Secure Boot enabled, along with the BitLocker protection policies listed below.

In my UEFI boot settings, I have Windows Boot Manager and then my internal HDD as the boot order.
Boot from external media is enabled, because I tend to reinstall Windows from my Windows 10 bootable USB flash drive.

With all of the BitLocker settings and policies below, do I really need to set an Admin or Supervisor password to prevent an attacker from changing the UEFI settings in case the laptop gets stolen?

My current BitLocker protection settings from the Windows 10 v1803 Security Baseline.

Disable new DMA devices when this computer is locked:

Allow Secure Boot for integrity validation:

Prevent installation of devices that match any of these device IDs:

Prevent installation of devices using drivers for these device setup classes:
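As an added example (my own audit script, not something from the original post), the following PowerShell reads back the state the question describes: Secure Boot, TPM readiness, the OS volume's protectors and the DMA-under-lock policy. It assumes an elevated PowerShell on Windows 10 with the built-in BitLocker and TrustedPlatformModule modules; the DMA policy registry value name is taken from the policy's ADMX and should be verified on your build.

```powershell
# Added example, not from the original post: report the protections the
# question lists so the TPM-only / Secure Boot configuration can be verified
# rather than assumed. Run as Administrator on Windows 10.

function Test-BitLockerBaseline {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # OS volume, normally "C:"
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Secure Boot: the TPM-only protector relies on the measured boot chain,
    #    so firmware accepting unsigned loaders weakens it.
    $secureBoot = Confirm-SecureBootUEFI
    if (-not $secureBoot) { $findings.Add('Secure Boot is OFF') }

    # 2. TPM must be present and ready, otherwise no TPM protector can seal the key.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $findings.Add('TPM not present or not ready') }

    # 3. OS volume fully encrypted and protection not suspended.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { $findings.Add("Volume status is $($vol.VolumeStatus)") }
    if ($vol.ProtectionStatus -ne 'On') { $findings.Add('BitLocker protection is suspended or off') }

    # 4. Key protector types. TPM-only unlocks without user input at boot, so
    #    TPM+PIN is the usual mitigation for a stolen device; a recovery password
    #    should also be escrowed (AD/AAD/printout) before it is ever needed.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -notcontains 'RecoveryPassword') { $findings.Add('No recovery password protector') }
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    if (($types -contains 'Tpm') -and -not $hasPin) { $findings.Add('TPM-only protector: no pre-boot PIN') }

    # 5. "Disable new DMA devices when this computer is locked" policy value.
    #    Registry name assumed from the FVE ADMX; 1 = enabled.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $dma = (Get-ItemProperty -Path $fve -Name DisableExternalDMAUnderLock -ErrorAction SilentlyContinue).DisableExternalDMAUnderLock
    if ($dma -ne 1) { $findings.Add('DMA-under-lock policy not enabled (or not readable)') }

    [pscustomobject]@{
        MountPoint   = $MountPoint
        SecureBoot   = $secureBoot
        Protectors   = ($types -join ', ')
        DmaUnderLock = $dma
        Findings     = $findings
    }
}

Test-BitLockerBaseline | Format-List
```

An empty Findings list means the protections the question describes are actually in force; the script cannot judge the UEFI admin password itself, which is firmware-side and not visible to Windows.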