Spoke too soon.  I still have about 60 endpoints using 802.1x native Windows supplicant that require occasional reboots to fix the issue.  Windows 10, Server 2012/2016 across multiple sites and using various switch model types.  I'm trying to find a common denominator here as it's preventing up from enabling Low-Impact mode. 

As others have said, this is a Windows 802.1X native supplicant configuration issue.

Verify these devices have your necessary Group Policy Objects (GPOs) from AD applied for certificates trust like your properly working systems.

Thanks Paul.  If I look in the RADIUS Live Logs for one of the endpoints that "failed" it sees it properly.  False positive is right.  All the PCs get the same GPOs which include the 802.1x config as well as the certs needed from the internal CA.

Hi Paul,

How exactly do you disable this alarm?

I've been looking into the logging options but cannot seem to find it. Googling this didn't help much either, it seems like Cisco doesn't seems to like us disabling any alarming.

Not sure if its too late for this one. You go to:

Administration-System-Settings-Alarm Settings 

I have to totally agree with that statement. the alarm is a full false positive one. no one is acctually complaining about connectivity loss in a deployment with around 1000 wired endpoints, even if those alarms are occuring from time to time. 

@thomas @paul @Darkmatter @Joe Kiema @hennie001 @jan.nielsen 

After a long time calling MS, TAC, these forums, I was able to determine my root cause.  It boiled down to a GPO change in Windows 10 so that the endpoints attempted multiple connection attempts instead of MS's default of 1 then waiting 20 min.  The other Community post below has all the details /w screen shots.

https://community.cisco.com/t5/network-access-control/5411-supplicant-stopped-responding-to-ise-quot-use-eap-tls-for/td-p/4084578

Thanks a lot! Will check this somewhere next week when i have some more time to tinker.

I'll let you know when improvements are seen.