I have a handful of workstations (about 1/4) that when I apply a decrypt policy to them, they will successfully decrypt the drive but the System State will stay active. So I still get a EEPC prompt on preboot and in windows, etc. There is only one drive and it shows Decrpyted.
What's interesting is I can also boot into EETech and do a Remove EE, it says drive decrypted but does some protection removal (can't remember the exact verbage. Once I do that the preboot authentication is gone and when I get into Windows all is well, I check the Encryption status and it shows In-Active. But after the next policy enforcement the System State will revert back to an Active state, but the drive stays decrypted. Preboot authentication comes back, etc.
Is there perhaps a local policy file on the workstation that isn't getting deleted or updated properly so it thinks it still needs to apply
There's two different policy settings under the product policy: there's "Enabled" under the "General" tab that controls whether EEPC activates or deactivates, then there's the encryption policy under the "Encryption" tab that controls what disks/partitions get encrypted, when the system is active.
Sounds to me like you want to deactivate. So you can navigate to the "General" tab, uncheck the "Enabled" policy setting, save the policy, and then trigger a policy enforcement on the client. You won't need to touch the Encryption settings ; if the policy isn't "Enabled", all drives get decrypted, and then pre-boot is removed.
Hope that helps!