I'm having a similar issue and have yet to receive any useful assistance from Symantec Support. We also use SEP SBE.
It makes no difference whether I have Smart Firewall enabled or disabled; Group Policy updates fail with error 800706ba.
Having Smart Firewall enabled with a custom rule to allow all inbound and outbound traffic on all ports makes no difference; GP updates fail.
Whether Smart Firewall is enabled or disabled, I can manually enable or disable Windows Firewall rules. So, I have done that on some test systems and GP update is then successful. But of course I don't want to go to every single computer to make these configuration changes. I want centralized administration, and clearly SEP is getting in the way of that.
I also believe that I have discovered a flaw. When a client system with SEP SBE restarts, it can take several minutes before SEP goes into Protected mode. While it's still in Unknown mode I am able to manually turn off the Windows Firewall. And even once SEP goes into Protected mode, the Windows Firewall remains off. I have even restarted these test clients and WF stays off. Perhaps that's by design, but it seems like a huge flaw to me, since it's a very clear way to defeat part of SEP's protection.