Current setup is as follows:
- We have Defender for Endpoint P2 and Defender for Servers licenses.
- Non-persistent (Citrix PVS) Server 2022 (September iso - build 20348.1006)
- Downloaded the Server 2022 VDI onboard script for non-persistent
- Created a GPO with Computer startup script Onboard-NonPersistentMachine.ps1 (we want single entry for each device)
- Server 2022 servers have full internet access - allow all outbound and no proxy server
- In Defender 365 Portal - Advanved Features we ENABLED (ON) Tamper Protection

When we onboard the Server 2022 with the VDI non-persistent script (Onboard-NonPersistentMachine.ps1) for the first time and run the MDE Analyzer we get no warnings/errors.
But when we reboot the Server 2022 server and the server get's re-onboarded with the VDI Onboard-NonPersistentMachine.ps1 script , and we run the MDE Analyzer we get error below:

"121040 AntiSpoofingNotActive Device is anti-spoofing capable but is not yet registered with cloud. Please ensure connectivity to EDRCloud CnC URLs is not blocked. Contact Microsoft support if issue persits."

When we offboard the server again and onboard with the 'WindowsDefenderATPOnboardingScript.cmd.' script and run the MDE Analyzer we get no antispoof warnings/errors, but this results in multiple devices that we not want.

Nex to that we have a second issues , if we view the Tamper Protection setting on the Server 2022 server in Security Center the Tamper Protection status is OFF (and it says managed by organization).
When we go look in the Defender 365 Portal and click the security recommendations for the Server 2022 server it also says 'turn on Tamper Protection' (although we have it ON in the advanced features).