Hello, I have the same issue of SymSpec.
In my organization we have 190 clients with Symantec Endpoint Protection Installed.
A week ago I upgraded the Endpoint Protection Manager to latest version (12.1.6 MP3) and a few days ago I upgraded all our clients to the same version.
As you can see from the picture, I have 96 out of 190 clients that are showing as "Disabled" in the home of SEPM. Besides that there is a "Network Threat Protection Failueres" on those 96 clients.
But if I check some of the client showing as "Disabled", the SEP on the client doesn't detect any problem.
This thing only happens from when I upgraded the clients and the SEP manager.
One thing to note is that by policy I disabled the firewall since we have a perimetric firewall, but I left enabled the Network threat protection.