Here is the guy's updated response (he is trying to be helpful at least now), although this solution will still not work for us 100%, as we do have exceptions out there to running the firewall, such as hosted servers where the firewall needs to be off due to vendor requirements (or even apps with dynamic ports and the vendor doesn't document anything), and Server 2003 servers, which offer no dynamic port settings through GPOs, and this is needed for our backup software to work, so for the 2003 servers we still have running, the firewall is off. But we still have them, and always have had them since version 11, in the same SEPM groups with other Windows Server versions like 2008, 2008 R2, and now 2012. I also do not like that you have to wait for it to reboot. If you push clients, and delay the reboot to after hours, or the weekend, there will be periods where your servers are NOT running with any firewall at all. This change in 12.1.2 makes no sense to me:
----------------------------------------------------
After some testing, I see there is a way to re-enable the Windows Firewall using the SEP firewall policy on the SEPM.
In the SEPM, go to the Policies tab.
Click Firewall, and right-click the firewall policy, choose edit.
On the left side, choose Windows Integration.
Under the category "Disable Windows Firewall", choose "restore if disabled".
This will require a restart to finish enabling the Windows Firewall, because this is a startup command.
After you are done with these steps, before clicking OK, go back up to Overview on the left side. Click the Used By tab. Assign this policy to all groups, or the groups that need Windows firewall enabled. Click OK.
*******************************************
In order to export a client install package with these above settings included, so you can have this configured next time you push a client upgrade/install from the SEPM, do these steps:
Click Admin tab. Click Install Packages.
Right click a client install package, for example Windows 32bit. Choose Export.
Choose a group under Export Settings that has the above firewall policy. According to my testing, all of this should work fine even without Network Threat Protection component installed.
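
An added example, not part of the original post or the quoted response: a PowerShell check that reports whether Windows Firewall is off for any profile, for use on servers between a client push and the delayed reboot. It assumes English-language `netsh advfirewall` output on Server 2008 or later (the command is not available on Server 2003); the function names and the sample output are constructed for illustration.

```powershell
# Added example. Parses the output of:
#   netsh advfirewall show allprofiles state
# Assumes English-language output; function names are hypothetical.

function Get-FirewallProfileState {
    param([string[]]$NetshLines)
    $current = $null
    foreach ($line in $NetshLines) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            # Remember which profile the next "State" line belongs to.
            $current = $Matches[1]
        }
        elseif ($current -and $line -match '^State\s+(ON|OFF)\s*$') {
            New-Object PSObject -Property @{
                Profile = $current
                Enabled = ($Matches[1] -eq 'ON')
            }
            $current = $null
        }
    }
}

function Test-FirewallGap {
    param([string[]]$NetshLines)
    $states = @(Get-FirewallProfileState -NetshLines $NetshLines)
    # Fail closed: anything other than three parsed profiles is reported.
    if ($states.Count -ne 3) { return 'UNKNOWN: could not parse all three profiles' }
    $off = @($states | Where-Object { -not $_.Enabled })
    if ($off.Count -gt 0) {
        $names = ($off | ForEach-Object { $_.Profile }) -join ', '
        return "GAP: Windows Firewall off for $names"
    }
    return 'OK: Windows Firewall on for all profiles'
}

# Constructed sample output: Domain and Private profiles off, Public on.
$sample = @(
    'Domain Profile Settings:', ('-' * 70), 'State                                 OFF', '',
    'Private Profile Settings:', ('-' * 70), 'State                                 OFF', '',
    'Public Profile Settings:', ('-' * 70), 'State                                 ON', '',
    'Ok.'
)
Test-FirewallGap -NetshLines $sample

# On a live server:
# Test-FirewallGap -NetshLines (netsh advfirewall show allprofiles state)
```

Running it before and after the reboot shows whether the "restore if disabled" setting has taken effect on that server.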