The software restriction policy of the workstation differs from the GPO domain controller

I am trying to add a certificate rule to my software restriction policies to allow a signed executable file.

The application with which I am working extracts an exe to the appdata / local / temp users (blocked with a route rule) with a random name and tries to run. Currently it is being blocked.

When researching, I ran rsop on some workstations and found that there were no certificate rules listed in "Additional Rules".
Regarding the application options, on the workstations, I see "When applying software restriction policies:" is set to "Ignore certificate rules". This same configuration is set to "Apply certificate rules" on the domain controller. I assume that workstations do not receive certification rules if the option is set to ignore.

The "Precedence" property sheet shows that the correct policy is enabled and winning.

These certificate rules have worked in the past, however, I am not the usual system administrator, so I am not sure what may have changed.

Why do rsop workstations show something different than what is configured on the server?