Same here, no signs of trouble with DCOM hardening. Though may be related to DCOM or anything for that matter, the symptoms don't match at all in any way, shape or form to either Microsoft's or Checkpoint's DCOM Hardening guidance. Spent hours on the phone with TAC on Friday trying to troubleshoot it. I'm sure someone will figure it out and create a hotfix or something else, but in the meantime just install Identity Collector and your problem will be solved in 20 minutes and it works. While nice to have a dedicated VM, you can stand it up on most any VM in a pinch and then move it to a dedicated VM later. It's surprisingly simple and not sure why I had a mental block about doing it 6 months ago but should have.
Below is an unofficial quick cheat sheet on the install steps. It's a 33MB installer that only takes a minute to install and about 20 to configure. You can do some fancy stuff in there later on, looks like there's integration with Cisco ICE, Aruba and some other stuff. Will have fun sometime later with that but out of the box vanilla config is quick and easy to replace AD Query.
On the gateway object in Smart Console select Identity Awareness. Then select the Identity Collector check box. Hit the green + arrow and add a host object with the IP of the machine that will have IDC installed on it. It will generate a shared secret; save this secret. Install policy.
Install IDC from this sk, sk134312. After it is installed click the * (blue star for new object). Create a Domain, name it whatever you want. The Identity Collector requires an AD user that belongs to the default Event Log Readers group. Add that user and click test, then after a success click okay.
Click the blue star * again. Active Directory > Fetch Automatically > Provide the DC IP. Click Fetch > OK.
Next create a query pool (in the top left). Give the query pool a name and click the check box in the top left to select the Domain Controller.
Next create a Gateway object. I would name it the same name in Smart Console. Put in the IP address of the gateway in Smart Console. Apply that saved shared secret, add the query pool. Click test then trust. Click OK.
After you confirm it's all connected, uncheck Active Directory Query on your Gateway object in Smart Console. Install policy.
On the CLI on your gateway you can verify connectivity with this command.
# pdp connections idc
P.S. If you have a domain controller that identity connector won't connect to and you can ping it and it looks good otherwise, on the DC itself, check Windows Firewall and make sure, under Allow a Program Through the Firewall, that "Remote Event Log Management" is allowed and Domain network is checked on.
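
A read-only check for the two DC-side prerequisites mentioned in the post (Event Log Readers membership and the "Remote Event Log Management" firewall rule), added here as an example; it is not part of the original post or Check Point's tooling. The account name `svc-idc` is a placeholder, and the script assumes the ActiveDirectory PowerShell module and an English-language Windows install.

```powershell
# Read-only pre-flight check; run in an elevated PowerShell session on the domain controller.
# $IdcAccount is a placeholder: replace it with the AD user entered in Identity Collector.
param([string]$IdcAccount = 'svc-idc')

Import-Module ActiveDirectory

# 1. The account must be in Event Log Readers (-Recursive also catches nested groups).
$members = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive
$inGroup = [bool]($members | Where-Object { $_.SamAccountName -eq $IdcAccount })

# 2. Inbound "Remote Event Log Management" rules must be enabled and apply to the
#    Domain profile. The display group name is the English one quoted in the post.
$rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
    Where-Object { $_.Direction -eq 'Inbound' })
$notReady = @($rules | Where-Object {
    $_.Enabled -ne 'True' -or $_.Profile.ToString() -notmatch 'Domain|Any'
})

# 3. Informational: which firewall profile each connected network is using.
#    The Domain profile only takes effect on a DomainAuthenticated network.
$categories = @(Get-NetConnectionProfile |
    ForEach-Object { '{0}: {1}' -f $_.InterfaceAlias, $_.NetworkCategory })

[pscustomobject]@{
    Account               = $IdcAccount
    InEventLogReaders     = $inGroup
    InboundRulesFound     = $rules.Count
    RulesNotReadyOnDomain = ($notReady.DisplayName -join '; ')
    NetworkCategories     = ($categories -join '; ')
} | Format-List

if (-not $inGroup) {
    Write-Warning "$IdcAccount is not a member of Event Log Readers."
}
if ($rules.Count -eq 0 -or $notReady.Count -gt 0) {
    # Fix, once reviewed:
    #   Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
    Write-Warning 'Remote Event Log Management is not fully allowed on the Domain profile.'
}
```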