SEP also offers an out-of-the-box application and device control policy that protects its own files, registry keys, etc.
I found 2 ways in which a user (or a script) can disable SEP (even though it is password protected).
However, when I enabled the rule, these methods of disabling SEP didn't work.
The rule is called "Protect client files and registry keys"; it is disabled and set to Test (Log only) by default. All you need to do is go to your application and device control policy, enable the rule, and set it to production.
I usually prefer testing the policy on a test PC prior to pushing the policy throughout all of the clients.
I have attached a screenshot of the policy just FYI.