Just a quick question. I have enabled BitLocker with a TPM-only protector and was wondering if I need to set an Admin BIOS/UEFI password to prevent someone from changing the UEFI settings. I also have Secure Boot enabled, along with the BitLocker protection policies listed below.

In my UEFI boot settings, the boot order is Windows Boot Manager followed by my internal HDD.
Boot from external media is enabled, because I tend to reinstall Windows from my Windows 10 bootable USB flash drive.

With all the BitLocker settings and policies below, do I really need to set an Admin or Supervisor password to prevent an attacker from changing the UEFI settings in case the laptop gets stolen?

My current BitLocker protection settings, taken from the Windows 10 v1803 Security Baseline:

Disable new DMA devices when this computer is locked: Enabled

Allow Secure Boot for integrity validation: Enabled

https://support.microsoft.com/en-us/...-reduce-1394-d

Prevent installation of devices that match any of these device IDs: PCI\CC_0C0A

Prevent installation of devices using drivers for these device setup classes: {d48179be-ec20-11d1-b6b8-00c04fa372a7}
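As an added example that is not part of the original post, the following PowerShell audit script checks whether each setting listed above is actually in effect on the machine: the BitLocker protector types on the OS volume, the firmware's Secure Boot state, the two BitLocker policies, and the two device-installation deny lists. The registry paths and value names it reads are the ones the corresponding ADMX policies write under HKLM:\SOFTWARE\Policies and are assumptions of this script, not something the post states; the device ID PCI\CC_0C0A and the class GUID are taken from the post as written.

```powershell
# Added audit script (not from the original post). Run in an elevated PowerShell
# on Windows 10. It reports OK / MISSING for each of the settings in the post.
# Assumption: the policies were applied via Group Policy / the Security Baseline,
# so they are stored under HKLM:\SOFTWARE\Policies using the ADMX value names below.

# Values taken from the post: Thunderbolt controller class code and the SBP-2 (1394) class GUID.
$ExpectedDeviceId  = 'PCI\CC_0C0A'
$ExpectedClassGuid = '{d48179be-ec20-11d1-b6b8-00c04fa372a7}'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-DenyListEntries {
    param([string]$Path)
    # The deny-list subkeys hold one string value per entry, named "1", "2", ...
    if (-not (Test-Path $Path)) { return @() }
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

$results = [ordered]@{}

# 1. BitLocker state of the OS volume and which protector types exist.
$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType }
$results['OS volume protection on']    = ($os.ProtectionStatus -eq 'On')
$results['TPM-only protector present'] = ($types -contains 'Tpm')
$results['TPM+PIN protector present']  = ($types -contains 'TpmPin')
$results['Recovery password present']  = ($types -contains 'RecoveryPassword')

# 2. Secure Boot as reported by the firmware (the cmdlet throws on a legacy BIOS boot).
try   { $results['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot enabled'] = $false }

# 3. The two BitLocker policies from the baseline (assumed ADMX value names).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$results['Disable new DMA devices when locked'] =
    ((Get-PolicyValue $fve 'DisableExternalDMAUnderLock') -eq 1)
$results['Allow Secure Boot for integrity validation'] =
    ((Get-PolicyValue $fve 'OSAllowSecureBootForIntegrity') -eq 1)

# 4. Device installation restrictions: both the enabling flag and the list entry must exist.
$restr         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$deniedIds     = Get-DenyListEntries "$restr\DenyDeviceIDs"
$deniedClasses = Get-DenyListEntries "$restr\DenyDeviceClasses"
$results['Device ID deny list blocks PCI\CC_0C0A'] =
    ((Get-PolicyValue $restr 'DenyDeviceIDs') -eq 1) -and ($deniedIds -contains $ExpectedDeviceId)
$results['Device class deny list blocks SBP-2 class'] =
    ((Get-PolicyValue $restr 'DenyDeviceClasses') -eq 1) -and ($deniedClasses -contains $ExpectedClassGuid)

# 5. Print the audit table; any MISSING row is a gap between the intended and the effective configuration.
$results.GetEnumerator() | ForEach-Object {
    '{0,-48} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

The script reads the policy registry locations rather than the Local Group Policy editor, so it also catches the case where a baseline was imported but never applied. The protector-type rows are there because a TPM-only protector unlocks the OS volume before the sign-in screen, which is exactly the scenario the DMA and device-installation rows are meant to cover.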