Windows domain admin users are not able to authenticate via ISE with AD when logging on to troubleshoot a remote PC. It looks like this is due to a bug "AD Protected Accounts not supported with ISE."
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy39859
I imagine that this must be causing problems with the workflow of other organizations as well. Has anyone found a creative workaround?