Config protect does not seem to protect the permissions on files inside /etc/grub.d. After each update i have to run "chmod -x 20_linux_xen 30_os-prober". The permission on this files can be seen as some kind of configuration, because it changes, which entries are added to grub.cfg. For this reason, the permissions (at the least the executable permission) should be protected.
*** This bug has been marked as a duplicate of bug 523706 ***
As a workaround, you can modify the contents of 20_linux_xen and 30_os-prober to get config protection to actually kick in.
thx 4 providing the workaround