Hi,
The product works in this way:
1) change a policy in the SEPM
2) the SEPM publishes the new policy and updates an index file with the new hash of the policy
3) at the heartbeat, the SEP client checks the index file on the SEPM and compares it with the one it already has
4) in case of differences, the new policy is downloaded and applied; otherwise nothing happens
ALL policies are managed in the same way.
If you manually change a registry key on the SEP client, nothing changes in the index file, hence nothing is reapplied. You cannot reapply/force a policy that is already applied. The trick is to modify a policy in a non-significant way (like the description) and save it; this will change the hash and force the policy to be reapplied.
Now, what can you do to prevent SEP policy tampering?
Users should not have enough privileges to change the registry keys;
In SEP 11.0 you can enable the Application & Device Control Policy to lock down SEP registry keys and files;
SEP 12.1 has registry and file protection enabled by default.
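A small model of the heartbeat mechanism described in the post, added here as an illustration and not code from the post or from Symantec. The Manager and Client classes, the policy fields and the hash scheme are all assumptions made for the example; the point it shows is that a local registry edit leaves the published index untouched (so the next heartbeat does nothing), while a cosmetic edit to the policy on the manager side changes its hash and forces a re-push that overwrites the tampered value.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Policy:
    """A manager-side policy: the settings the client enforces plus free-text metadata.

    Field names and the JSON/SHA-256 hashing are assumptions for this model, not SEP internals.
    """
    name: str
    settings: dict
    description: str = ""

    def digest(self) -> str:
        # The hash covers the whole serialized policy, so editing any field,
        # even the description, yields a new hash and therefore a new index entry.
        blob = json.dumps(
            {"name": self.name, "settings": self.settings, "description": self.description},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(blob).hexdigest()


class Manager:
    """Stand-in for the SEPM: stores policies and publishes an index of their hashes."""

    def __init__(self) -> None:
        self.policies: dict[str, Policy] = {}

    def save_policy(self, policy: Policy) -> None:
        # Saving a policy in the console republishes it and refreshes the index entry.
        self.policies[policy.name] = policy

    def index(self) -> dict[str, str]:
        return {name: p.digest() for name, p in self.policies.items()}

    def download(self, name: str) -> Policy:
        return self.policies[name]


class Client:
    """Stand-in for the SEP client: registry-like local settings plus the last index it saw."""

    def __init__(self) -> None:
        self.known_index: dict[str, str] = {}
        self.registry: dict[str, dict] = {}

    def heartbeat(self, manager: Manager) -> list[str]:
        """Compare the manager's index with ours; download and apply only what differs."""
        applied = []
        for name, digest in manager.index().items():
            if self.known_index.get(name) != digest:
                policy = manager.download(name)
                self.registry[name] = dict(policy.settings)  # overwrite local state
                self.known_index[name] = digest
                applied.append(name)
        return applied

    def tamper(self, name: str, key: str, value) -> None:
        """Simulate a user editing a registry key directly on the endpoint."""
        self.registry[name][key] = value


def demo() -> dict:
    """Run the scenario from the post and return the observations at each step."""
    mgr = Manager()
    mgr.save_policy(Policy("firewall", {"enabled": True, "block_all_inbound": True}))
    client = Client()
    first = client.heartbeat(mgr)  # initial download

    # Local tampering: the manager's index is unchanged, so the next heartbeat is a no-op.
    client.tamper("firewall", "enabled", False)
    after_tamper = client.heartbeat(mgr)
    tampered_value = client.registry["firewall"]["enabled"]

    # Cosmetic edit on the manager: the hash changes and the policy is pushed again.
    fw = mgr.download("firewall")
    mgr.save_policy(Policy(fw.name, fw.settings, description="touched to force a push"))
    after_touch = client.heartbeat(mgr)
    restored_value = client.registry["firewall"]["enabled"]

    return {
        "first": first,
        "after_tamper": after_tamper,
        "tampered_value": tampered_value,
        "after_touch": after_touch,
        "restored_value": restored_value,
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Running the block shows `after_tamper` as an empty list and `tampered_value` as `False`, i.e. the endpoint stays in its tampered state until the manager-side hash changes; only `after_touch` re-pushes the policy and restores the setting. That is why the post recommends restricting registry permissions (or the registry/file protection in SEP) rather than relying on the heartbeat to undo local changes.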