When you put a device into adaptive mode it is based off the current set of rules. Meaning if I have a rule that allows NTP both ways then I will not see any events showing NTP would have been blocked inbound since the rule exists already to allow incoming NTP?
Correct. If network traffic is allowed/blocked via rules above the Adaptive mode rule, then adaptive mode will not be applicable. You can still see the NTP traffic being allowed/blocked in the HIPS ClientUI Activity log, if logging is enabled. The event would show which firewall rule allowed/blocked the traffic.
To get a good view of what would be blocked we should create a rule set that says block all incoming to get an idea of what is actually getting blocked vs enabling adaptive mode with McAfee's generic rules, which include rules we have no intention of using.
HIPS Firewall events are not sent to ePO, so creating a BLOCK ALL rule will not show you the info you are looking for. Reviewing Adaptive mode client rules might suffice for what you're trying to look for, but it's applicable to the above criteria (fw rules that block/allow the traffic by policy will not be applicable to Adaptive mode functionality).