I've been testing this out today, and have observed the same behviour as in RU2, RU2MP1, and RU3 whereby SEP clients that have the FW disabled by withdrawing the policy are still reporting as "disabled" in the SEPM's Home page report for "endpoints with disabled components".
This appears to contradict the below fix in the latest notes:
Client reports Firewall Status as “Disabled”
Fix ID: 3115966
Symptom: If you disable or withdraw the firewall policy from a client group, the clients display as “Disabled” on the Symantec Endpoint Protection Manager Home tab, under Endpoint Status. Clicking on the Endpoint Status chart shows the Firewall Status as “Disabled.” The Firewall Status should only display as “Disabled” if the end user disables the firewall.
Solution: Implemented the creation of a registry key during a clean installation, kept during migration, to correctly trigger the “Disabled” firewall status report.
http://www.symantec.com/docs/TECH211972
This is for a machine and SEPM that has been upgraded from 12.1RU2. The description seems to suggest the fix only applies to new installations. I'd like to see confirmation if this is correct, if an uninstall/reinstall will implement the fix, and why it was chosen to omit existing clients from this fix.
Cheers guys!