Not that familiar with EEPC but I did find:
Manually check encryption status (bottom of the post): https://community.mcafee.com/thread/64899?tstart=0
5 Deploy EEAgent 7.0 and EEPC 7.0 to the client system where 5.x.x is currently installed.
6 Restart the client system when prompted. The EEPC 7.0 encryption status dialog box shows the
status as 'Upgradable'. The user will still see the 5.x.x PBA.
7 Force a policy enforcement (during ASCI) from the McAfee Agent. The EEAgent now queries the
system for the domain users that are logged on to the client. The EEAgent then sends the collected
data to the McAfee ePO server. On successful policy enforcement, the EEPC 7.0 encryption status
dialog box shows the status as Active.
"Also, I am quite perflexed as to why one system showed up as Active for one week, became inactive the following week, then Active this week, without us doing any form of remediation." -> It sounds like you might need to review your encryption policies, tagging and system tree sorting / sync task. Are you applying encryption policies to systems on a particular folder in system tree? are you applying encryption policies to systems with tags? are these systems being moved OUT of their intended folders manually or due to a sync job with active directory or others? I'm inclined to think systems that start decryption, are somehow losing their encryption polices. so find out where they exist in system tree, where policies are applied.