ISE 2.6 patch 3 Active Directory Profiler - NTLM errors from DC

t-roy
Level 1

Our deployment has the Active Directory Profiling Configuration enabled, and it appears to be working; I see the AD-* attributes for profiled nodes, but Active Directory is logging some interesting "errors" from our ISE node:

05/12/2020 03:58:05 PM LogName=Microsoft-Windows-NTLM/Operational

SourceName=Microsoft-Windows-Security-Netlogon

EventCode=8004

EventType=4

Type=Information

ComputerName=ad-server.domain.name 

User=NOT_TRANSLATED

Sid=S-1-5-18

SidType=0

TaskCategory=Auditing NTLM

OpCode=Info

RecordNumber=139156223

Keywords=None

Message=Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.

Secure Channel name: ISE-SERVER

User name: workstatoin@domain.name

 Domain name: domain.name

 Workstation name: \\ISE-SERVER

 Secure Channel type: 2

Audit NTLM authentication requests within the domain domain.name that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to any of the Deny options. If you want to allow NTLM authentication requests in the domain domain.name, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled. If you want to allow NTLM authentication requests to specific servers in the domain domain.name, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in the domain domain.name to which clients are allowed to use NTLM authentication.

Is there some configuration on the domain controllers I am missing? I verified the ISE-SERVER is joined to the domain, can fetch groups/users, and auth is working as expected.

Accepted Solutions

t-roy
Level 1
Looks like this is cosmetic. The wording threw me off; a coworker pointed out that this is an "Allowed" message.
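An added example, not part of the original thread: Python that parses events in the key=value export layout quoted in the question, separates audit-only 8004 records ("Blocked Audit" wording) from anything else, and tallies them per secure channel, i.e. per server passing NTLM logons to the domain controller. The user names, the FILE01 server and the EventCode=0 record are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the key=value layout of the event quoted in the post.
# Names are made up; FILE01 and the EventCode=0 record are hypothetical and
# exist only to exercise both code paths.
def _event(ts, code, msg, chan, user):
    return (f"{ts} LogName=Microsoft-Windows-NTLM/Operational\n"
            f"EventCode={code}\nMessage={msg}\n"
            f"Secure Channel name: {chan}\nUser name: {user}\n"
            f" Workstation name: \\\\{chan}\n")

AUDIT_MSG = ("Domain Controller Blocked Audit: "
             "Audit NTLM authentication to this domain controller.")
SAMPLE = "".join([
    _event("05/12/2020 03:58:05 PM", 8004, AUDIT_MSG, "ISE-SERVER", "host1@domain.name"),
    _event("05/12/2020 03:59:41 PM", 8004, AUDIT_MSG, "ISE-SERVER", "host2@domain.name"),
    _event("05/12/2020 04:02:10 PM", 8004, AUDIT_MSG, "FILE01", "host1@domain.name"),
    _event("05/12/2020 04:03:00 PM", 0, "constructed non-audit record", "FILE01", "host3@domain.name"),
])

RECORD_START = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M ")
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*[=:]\s*(.*)$")  # "Key=Value" or "Key: Value"

def parse_events(text):
    """Split the export into one dict of fields per event."""
    events = []
    for line in text.splitlines():
        start = RECORD_START.match(line)
        if start:  # a timestamp opens a new record
            events.append({"Time": start.group(0).strip()})
            line = line[start.end():]
        field = FIELD.match(line)
        if field and events:
            events[-1].setdefault(field.group(1), field.group(2).strip())
    return events

def summarize(text):
    """Tally audit-only 8004 events per secure channel; return the rest for review."""
    audited = defaultdict(lambda: {"count": 0, "users": set()})
    review = []
    for ev in parse_events(text):
        if ev.get("EventCode") == "8004" and "Blocked Audit" in ev.get("Message", ""):
            entry = audited[ev.get("Secure Channel name", "?")]
            entry["count"] += 1
            entry["users"].add(ev.get("User name", "?"))
        else:
            review.append(ev)  # not the audit wording: look at these by hand
    return dict(audited), review
```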
