I think the customer or consultant is being somewhat shortsighted. They are going to either have to cripple their policy distribution process, or cripple the protection. Also consider that as new versions of SEP are implemented (including simple Maintenance Patches) the functionality could change without notice, thereby resulting in further problems for the customer.
Figuring it out would likely be possible using Filemon, and Regmon (Yay SysInternals), however I think this is inadvisable for the customer to do.
Looking to actually DO this I would be asking: Will the SEP client ever speak to the manager?
If this is changed only by script on a managed SEP Client:
- The client will eventually speak to its manager, and get an updated configuration resulting in this setting being reset to the SEPM configuration.
- If enabled, Tamper Protection is likely to go Ballistic when the script attempts to modify the registry key (or drop in a Sylink/whatever is needed).
- If they are configuring the SEPM the same way then I ask - why the need to deploy this way?
If this is on an unmanaged SEP client:
- An unmanaged client detector on an unmanaged client - intriguingly useless. When will the data ever be read?
- I would fear that the data will be cached locally for an unknown and undefinable period of time, in a format that is likely not easily accessible, or (consider this) flushable. Without the ability to flush this data, and no uploading - the client could become unstable.
About the only supported way to accomplish this (imho):
- Use "Third party content management" to enable the outbox. Then using a "staging SEPM" collect a policy file with the setting configured as desired, and drop it in the Inbox.
- Upon my third or fourth consideration it occurs to me that Unmanaged Detector is an individual computer setting, and may not be in the policy settings - which means this may not even work.
The only real application I can think of would be to deploy settings to clients that log into a segment of the network where their SEPM is not present (VPN?). In that case they should address the root issue rather than this workaround.
Hope this helps - Joz
(Edit x2: Further thoughts)