I'm trying to determine where / what I need to check to determine why a policy is out of compliance. I'm guessing it's something fairly simple, but to this point it has eluded me.
Go to Patch Management and check there for the items you've defined in your policy (Scan Schedule, Automatic Update, Windows Auto Update, Reboot Action, File Source, etc.). If there are conflicts, you'll get the Out of Policy error.
Ok, I've got it narrowed down to something with the Patch Procedure Schedule of the policy in question.
I hovered over the Red Script icon while in Policy Management > Assignment > Machines, and the Patch Procedure Schedule Object is showing with a Yellow Exclamation mark.
And I've noticed that if I disable the Patch Procedure Schedule in the policy, the policy compliance icon goes green.
The exclamation mark indicates an override condition. An override occurs when a policy object that is defined in a policy assigned to a machine has been changed outside of policy. Given what you've described, someone has changed the patch procedure schedule from within the Patch Management module. The override notification is sent to the Policy module and the override is registered. As long as the override exists, the machine will remain out of compliance.
To clear the override and allow Policy to manage the setting again, navigate to Policy > Machines, select the machine, and click the Clear Override button across the top ribbon. If you want to immediately push the Policy-defined settings to the endpoint, click the Reprocess Policies button (after Clear Override). Reprocess Policies will push the policy-defined settings to the appropriate machine. If you do not click Reprocess Policies, the Policy will update the config at the next deployment interval. The machine will return to "In Compliance" after Clear Override and Reprocess Policies.
So I guess a follow-up question would be... Assuming that Patch Management has been set up under the Patch Management section, do I need to enable or set anything under those sections at the policy level (except for obvious specific client needs)?
My questions for this are because our policies have gotten out of control (we've got dozens of workstation policies for little things, no SMART monitoring, different procedures, etc.), and we're trying to move toward a uniform policy for monitoring, patching, procedures, and alerting across all workstations. Once we achieve this uniform policy, we could then adjust each client for their specific needs.