If a Symantec Endpoint Security (formerly Endpoint Protection 15) client is installed on a device which was previously sync'd to the Cloud Portal through a cloud-enrolled Symantec Endpoint Protection Manager (SEPM), it will automatically move to the group it was previously in.  This can even happen if the SEP 14.1/14.2 client is uninstalled before deploying Endpoint Security to it.  Below is a sample sequence of events.

1. Install On-Premise 14.1/14.2 SEPM and deploy clients to a group called "Test_Group"
2. Enroll SEPM with the cloud portal and let everything sync
3. Uninstall the SEP 14.1/14.2 client from the device
4. In the Cloud portal, deploy a package: Devices -> Installation Package -> Direct Installation package (Default group), then export the package and install
5. After installation completes, the Endpoint Security client will move to the "Test_Group" instead of the Default group

There are two methods to avoid this scenario:

1. Do an inplace upgrade of the SEP 14.2 client to Endpoint Security (formerly SEP 15).
2. Delete the device through the SEPM, let the deletion event sync with the Cloud Portal, then proceed with the Endpoint Security deployment after uninstalling the existing client.