Hi Ryan and Christian,
I've obtained some information I hope will be helpful.
Policy out-of-sync can occur in a few scenarios:
- There were some changes made to the profile previously and the endpoint profiles are not updated to the endpoint, probably because the endpoint is offline or EMS is not accessible at the moment.
- There are some issues with EMS in syncing policies which will need TAC's troubleshooting and further checking.
We highly recommend contacting support to check if EMS is working properly. Before creating a ticket, you can click on the out-of-sync users to check if the endpoints are currently managed by EMS, and if the endpoint is online. If the endpoint is offline, check with the end user to make sure the endpoint is turned on and FortiClient is connected to EMS for the policy to sync.
For Windows servers, make sure you have created a new FortiClient installer without application firewall enabled in EMS to make sure FortiClient is working properly.
I hope that helps.
Stephen - Fortinet Community Team