When a detection check is found as detected and the policy set as compliant, on rare occassions the policy will execute remediation regardless.
This is a defect. The issue is caused when the SMP server, while evaluating client policy configurations, sets the remediation to run regardless of what the outcome is.
This fix will be integrated in version 8.5 RU4 (possibly that release will be called 8.6).
A fix for 8.5 RU2 is available. Please follow these instructions to apply:
The fix resolves the issue and prevents the server from applying the incorrect execution instructions to the remediation task, forcing it to conform to the results of the compliance check.