The issue was that the hub is automatically secure-encapsulating commands to securely-included devices. It’s now required that devices support everything securely that they support normally, but the first generation of Schlage locks predates that requirement so they were ignoring the secure-encapsulated AssociationSet and ManufacturerSpecificGet commands.