After opening a support case (and getting my profile corrected, hence change in identity), I ended up figuring out my problem on my own. Turns out, there was a group policy to modify HKLM\System\CurrentControlSet\Control\Session Manager. Someone had pushed a BootExec key to accomplish something, only they set it as a String Value instead of a Multi String value as it should have been. By setting it to a String Value, SEP wasn't writing "sisnat{GUID}", or if it was, Group Policy was refreshing and overwriting this key. As part of an upgrade of the SEP client, whether it be by patch file provided by Symantec or pushing the full version from SEPM, the final step is to create "sisnat{GUID}.exe" to C:\Windows\System32, and add data to the BootExec key. During a reboot, "sisnat{GUID}" executes, setting all the correct reg values for the new version of SEP.
Luckily, I was able to fix this group policy to push the key as a mult string value, and only run once. I was then able to add the appropriate "sisnat{GUID}" to this key, restart the server and complete the upgrade process of the SEP client without having to run cleanwipe and reinstall the latest SEP client. I was also able to find additional OU's with similar Group Policies and fix them before they become an issue for the next person to upgrade SEP!