Policies have been defined to go to a set of computers with an exclude defined ended up going to computers in the exclude filter.
There is a very unlikely scenario where during a filter update an excluded computer could fall briefly into a target allowing things to run on computers that should have been excluded.
A Maintenance Window policy has a target with the following definition
Include all Windows Workstations
Exclude a specific location like US or South America
When the Delta Resource Membership Update runs it clears the membership of the filter first then rebuilds it. If this takes 1 second and a computer that was in the exclude example above checked in, in the middle of that 1 second it could possibly get the policy if the membership cache was out of date and it had to evaluate its applicability again.
NOTE: An updated version of this stored procedure was added to our ITMS 8.5 release.
To resolve this backup the existing stored procedure spResourceTargetDeltaUpdate and execute the attached file against the Symantec_CMDB database to create an updated version that does not clear the membership as the initial step.