That's the thing really, if you're including SEP in the base image, then there's no realy reason to script the process as it should only need to be performed on the "gold image" machine prior to you taking the image. As such, I'd recommend going with the tool provided.
If you think you'll need the process to be run silently again in the future however, then you will have to disable tamper protection to start messing with the SEP reg hives (or set it to "log only")
#EDIT#
Essentially, the Tool is signed by Symantec and is therefore authorised to make the necessary reg changes. Performing the changes manually or via a script (as you were attempting) requires disabling tamper protection.
As the article suggests, it's perfectly possible to make the changes using a script. All you have to do as far as security goes, is make sure you re-enable tamper protection on the target group after the image has been taken. This has the effect that when new endpoints (created from the image) check-in, they will automatically re-enable tamper protection again.