rbalsleyMSFT/IntuneScripts

Tamper Protection requires MDE enrollment

Opened this issue · 0 comments

The idea behind including only Tamper Protection for Defender AV was to reduce the number of policies that need to be set. The Defender AV defaults enable real-time protection, cloud protection, etc., but these can be overridden by an admin or an attacker. Instead of explicitly setting those policies, Tamper Protection will configure and lock those settings down so they can't be changed, reducing the need for an admin to explicitly set policies that are already configured by default.

Since Tamper Protection requires the device to be onboarded to MDE, this causes issues with the policy import script. The policy imports fine, but throws an error if the targeted devices aren't onboarded to MDE.

Fix: Set the policies that Tamper Protection would configure natively.

Test: The Tamper Protection docs suggest MDE P1 is sufficient; however, I need an A3 tenant to validate whether I can enroll a device in MDE without A5. Working on getting an A3 tenant set up to validate.
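Added example (not code from the IntuneScripts repository): a PowerShell check to run on a targeted device that reports whether it is onboarded to MDE (the prerequisite for a Tamper Protection policy to apply) and whether the Defender AV settings the issue says Tamper Protection would lock are actually in effect. The cmdlet properties, the `Sense` service name and the `OnboardingState` registry value are the documented ones; the list of settings treated as the expected baseline is this example's assumption.

```powershell
# Added example, not part of the IntuneScripts repo. Run elevated on a Windows
# device targeted by the imported policies.

function Get-MdeOnboardingState {
    # The MDE onboarding package writes OnboardingState = 1 under this key;
    # the "Sense" service is the Defender for Endpoint sensor.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $key -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseStatus = 'Missing'
    if ($sense) { $senseStatus = $sense.Status.ToString() }

    [pscustomobject]@{
        Onboarded    = ($state -eq 1)
        SenseService = $senseStatus
    }
}

function Test-DefenderBaseline {
    # Expected baseline (assumption for this example): the settings the issue
    # expects Tamper Protection to lock, plus whether Tamper Protection is on.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    $checks = @(
        @{ Name = 'RealTimeProtection'; Ok = $status.RealTimeProtectionEnabled }
        @{ Name = 'BehaviorMonitoring'; Ok = $status.BehaviorMonitorEnabled }
        @{ Name = 'IOAVProtection';     Ok = $status.IoavProtectionEnabled }
        @{ Name = 'CloudProtection';    Ok = ($pref.MAPSReporting -ne 0) }           # MAPSReporting 0 = Disabled
        @{ Name = 'SampleSubmission';   Ok = ($pref.SubmitSamplesConsent -in 1, 3) } # 1 = SafeSamples, 3 = AllSamples
        @{ Name = 'TamperProtection';   Ok = $status.IsTamperProtected }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{ Setting = $c.Name; Enabled = [bool]$c.Ok }
    }
}

$mde = Get-MdeOnboardingState
Write-Host "MDE onboarded: $($mde.Onboarded) (Sense service: $($mde.SenseService))"
if (-not $mde.Onboarded) {
    Write-Warning 'Device is not onboarded to MDE: a Tamper Protection policy will not apply here, so the explicit AV settings are what protects it.'
}
Test-DefenderBaseline | Format-Table -AutoSize
```

A device that shows `Onboarded = False` is one the Tamper Protection policy import will complain about; the second table shows whether the explicitly set AV policies (the proposed fix) have actually taken effect on it regardless.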