Turning off checksum validation is just an option in how WireShark displays the packets, it doesn’t have any effect on the actual network communication. It just hides the warnings from WireShark about checksum mismatches (Wireshark sees it as a mismatch, when the actual checksums are calculated and added to the packet by the NIC after WireShark has seen the packet come through the Windows network stack).
Just to check, you are using the default BigFix port 52311?
Are these machines all VMs? If so, what kind of virtual network are they using? Specifically, is it a NAT interface or a bridged interface, and are they the same network type between all of the test cases?
It’s been years since I used MDT, but my recollection was that a default MDT task sequence included some hardening using SCM templates. I’ve not known those to interfere before, but that might be worth checking.
Another possibility, though I admit rare, might be a bad network card driver. MDT would automatically load a driver based on the driver library in your deployment share, and the vendor image might include OEM drivers in their media. Does it look like the network driver versions are the same, or different, between your two deployment methods?
It sounds like you’ve already covered the Windows Firewall piece. As a last check there, though, I’d bring up Resource Monitor (from the Task Manager -> Performance tab). In the Network tab, expand the bottom pane for ‘Listening Ports’. It should show the BESClient.exe listening on udp/52311. The right-most column would show the Firewall status - where you’d want it to show “Allowed, Not Restricted”.
I’m convinced we’re missing something in the configuration. Since this is a proof-of-concept for you, are you engaged with our TA team who can help with planning and initial setup?
Leaving aside the UDP communication (for the moment), we can also look at the workarounds for UDP traffic blocking, which include Command Polling (where the client checks-in to the relay on a regular schedule to look for new actions/content) or Persistent Connections (where the client keeps an opn TCP connection to the relay).