Endpoint Protection

  • 1.  Unmanaged detector false positives?

    Posted May 13, 2010 02:18 PM

    Yesterday I set up a few client computers in one of our facilities as unmanaged detectors to help clean up rogue devices. I have gone back today and checked what was detected to remediate and set up exclusions on each unmanaged detector.

    Looking at the list of about a dozen devices, three have been verified as working SEP 11.0.5 clients. I can see them in the console, and they are communicating with the server (green dot and all).

    I understand that the UD compares the data it gets in the ARP traffic to the client table in SEPM, but what happened here? What could cause the machines to show up as unmanaged devices? I know for a fact they were not recently installed, or anything of the sort.

    Any ideas?



  • 2.  RE: Unmanaged detector false positives?

    Posted May 13, 2010 02:27 PM
    You'll probably find several posts on this topic with a search, including 1 or 2 from me.
    This feature has its issues: one is false detection like you see, another is detecting devices that are excluded from detection, especially virtual devices, etc., and falsely reporting APs as computers, etc.
    It's been that way since at least MR4, through RU5 and I'll guess RU6a as well, although I stopped using it lately.