as they do domain logons, probably, then why NTLM? (Regardless, I think it should work, but I have no XP in the lab anymore.)
If you have a Collector Agent, then read events from those XP workstations via WinSec or DCAgent; it worked for me in the past.
Set the Collector's log to debug level temporarily and see why those 3 XPs are having a hard time.
Maybe they can get into the FSSO list but are removed during the workstation check, as by default MSFT workstations do not have the Remote Registry Service running, and I guess that XP does not support WMI, as it came with Win2000 and later models as a standard API replacing RDP/RPC calls.