I'd suggest running our MER data collection tool on an affected client, and contact Support with the information - including your steps to reproduce, basic as they may seem.
We can identify/confirm what the issue is and hopefully provide a simple solution.
It is odd to only be a single rule that won't "enforce"... but that observation actually helps identify the nature of the problem.
Was afraid of that. OH well guess I will reserve 4 hours or so to spend on the phone w/someone who doesn't speak english.
On our machines that have 8.7i and upgrading to 8.8, some will enforce all the policies, and others will not.
seems to be the Access Protection policy that's not enforced at all (on about 50% of the machines) along with the auto-update schedule not being removed (again on same machines)
no rhyme or reason why EPO isn't applying the policy