Out of curiosity, when you were upgrading these clients - if you look into the firewall policy there are some options for the Windows Firewall (in the Windows Integration tab) should SEP ever be uninstalled or the Firewall component be uninstalled -
I am curious as to what those options are set to - I understand that running two software firewalls is not a good idea (never ever), however if you are not utilizing the SEP firewall, perhaps change the option for "Disable Windows Firewall" to "Restore if Disabled" and then upgrade a client.
I am wondering if there is possibly something that is not being read correctly, or that shouldn't be read, during feature modify/upgrade.
When upgrading clients through the manager or created install packages - by default, part of the installation options is to maintain previous logs, policies, and client-server communications settings.
Technically this is a firewall policy; even though the SEP firewall is not enabled, this is an application/feature level policy - so I am not sure how it is reacting here.
Needless to say - this is why I never recommend that you withdraw a policy type from a policy group (it was common for admins to withdraw the firewall policy from groups because they don't want to use the firewall). If you are not utilizing a feature, such as the firewall, create a blank set, place an allow-all rule in it, and assign that to the groups that are not using our firewall - this will also be a curse as well, if a client happens to have that component installed - their firewall will be in an open state - either you can create a custom feature set from the SEPM and force all users to have the same install set or visit that individual workstation and change the feature set there...
But I am really wondering what that policy was set to previously, and whether, when the upgrade was applied, the MSI (Windows Installer) read that policy state and dropped the Windows Firewall -- I could be wrong, but it may be worth looking into.