Time
So you need to monitor your DCs for events from legacy clients, and you need to do this for 30 days to catch any computer password resets. If the August patches didn't reach your DCs until late August, as Microsoft like breaking things (Server 2016 and security options in secpol this month), you still need to wait to turn on enforcement mode or exclude some computers.