I agree with that, protection against tampering as in, protection against data exfiltration. But if you allow a user to set a hard Admin password, that's going to cause the same issue - people forget that password, devices are being sold without removing the password, and so on. Like the crap with some newer business laptops where losing the BIOS admin password means replacing the mainboard.
Protection against tampering is stuff like HDD encryption. If I have a laptop with an encrypted HDD, an attacker can't tamper with it. Sure, the attacker can format the HDD or boot from a flash drive. But that doesn't give him any of the data on the device, and he also can't do stuff like install a backdoor onto an existing system. All he could do would be to install a new (tampered) system which the user is going to notice.
Just go on eBay and search for stuff like "Lenovo BIOS locked". A bunch of technically functional laptops that are now basically eWaste just because there's no way to reset a fucking password. Is that necessary?
What's the point? The laptop is stolen anyways, the HDD is encrypted with a password. Do they think the thief is going to voluntarily return the laptop to where it was stolen from just cause he doesn't have the BIOS password?
The admin is the person who can prove that they're in physical possession of a device (and, if necessary, can do stuff like open it up and remove the BIOS battery, or switch an internal jumper or whatever, to prevent random people from coming and resetting a device in a couple seconds).
Last edited by Leseratte_10; 12-11-2022 at 08:02 AM.