Not really a solution, but this may help you figure out what is causing it.

Check your event log by running the "Event Viewer" app. Go to Applications and Services logs -> Microsoft -> Windows -> Windows Firewall with Advanced Security and view the Firewall log.

That log should log an event whenever the firewall is enabled or disabled, with an event similar to:

A Windows Firewall setting in the Public profile has changed.
New Setting:
    Type:   Enable Windows Firewall
    Value:  Yes
    Modifying User: MyMachine\srchamberlain
    Modifying Application:  C:\Windows\System32\dllhost.exe

You can check the Modifying Application property to see which app initiated the firewall change.


UPDATE 1:

So it appears something is running netsh on a semi-regular basis. I would check Applications and Services logs -> Microsoft -> Windows -> TaskScheduler -> Operational in the event viewer to see if it is a scheduled task doing it.

If that does not show it being run, run secpol.msc and enable Audit process tracking to see who started netsh. Once it is enabled, you can go to Windows Logs -> Security and find the "Audit Success" entry for that process.

Here is an example of me manually starting notepad.exe with it on.

A new process has been created.

Creator Subject:
    Security ID:        MyMachine\srchamberlain
    Account Name:       srchamberlain
    Account Domain:     MyMachine
    Logon ID:       0x71FA757

Target Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Process Information:
    New Process ID:     0x1510
    New Process Name:   C:\Windows\System32\notepad.exe
    Token Elevation Type:   %%1938
    Mandatory Label:        Mandatory Label\Medium Mandatory Level
    Creator Process ID: 0x938
    Creator Process Name:   C:\Windows\explorer.exe
    Process Command Line:   

The thing we are most interested in is the Creator Process Name.

Scott Chamberlain
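
The three log checks from the answer above, scripted in PowerShell as an added example (not part of the original answer). It assumes an elevated prompt, that the firewall setting-change event is ID 2003 and process creation is ID 4688, and that the XML field names `ModifyingUser`, `ModifyingApplication` and `ParentProcessName` correspond to the labels shown in the event text; the 7-day window and the helper name `ConvertTo-EventFields` are illustrative.

```powershell
# Added example. Run from an elevated PowerShell prompt (the Security log needs admin rights).

# Flatten an event's <EventData> into a name -> value hashtable.
function ConvertTo-EventFields {
    param([Parameter(Mandatory)] $Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

$since = (Get-Date).AddDays(-7)   # illustrative look-back window

# 1. Firewall setting changes: which application changed the setting.
$fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
Get-WinEvent -FilterHashtable @{ LogName = $fwLog; Id = 2003; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = ConvertTo-EventFields $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $f['ModifyingUser']          # assumed field name; may be a raw SID
            Application = $f['ModifyingApplication']   # assumed field name
        }
    } | Format-Table -AutoSize

# 2. Scheduled tasks: any Task Scheduler event whose text mentions netsh.
$taskLog = 'Microsoft-Windows-TaskScheduler/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $taskLog; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*netsh*' } |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. Process creation audit: who started netsh.exe.
#    Needs "Audit process tracking" enabled first (secpol.msc, as in the answer).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = ConvertTo-EventFields $_
        if ($f['NewProcessName'] -like '*\netsh.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
                Creator     = $f['ParentProcessName']  # "Creator Process Name"; absent on older Windows
                CreatorPid  = $f['ProcessId']          # "Creator Process ID"
                CommandLine = $f['CommandLine']        # empty unless command-line auditing is enabled
            }
        }
    } | Format-List
```

If the `Creator` column comes back empty, match `CreatorPid` against the `NewProcessId` of an earlier 4688 event to identify the parent process.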