I recently fought a battle with a WLAN upgrade. Everything worked fine except machine authentication: basically, any Windows computer in the domain was not able to authenticate a user who had not logged on to it before, which matters because laptops move between different users during the day (school district scenario).
So when a user who had never used that laptop tried to log in, it would not work. The issue was fixed, with the customer's help, by disabling the "Single Sign On for this network" option under the WLAN settings on the laptop, or via GPO.
These are basically the policies I used to test this in the lab. Nothing extraordinary or different from what you will find in Cisco documentation/forums: it is basically machine authentication, then a check that the machine was authenticated plus the user's AD group.
This is what we ended up with in the Windows wireless settings:
I went a little further in my testing and tried SSO enabled, but this time with the "Perform immediately after user logon" option checked, and even with different VLANs for machine and user authentication (which was the case here), and it worked as well.
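For reference, this is how those two settings map onto the `<OneX>` section of a Windows WLAN profile (what `netsh wlan export profile` writes out). This is an added example, not the profile from the post; element names come from the Microsoft OneX v1 schema, the SSID and EAP sections are left out, and the `maxDelay` value is just an assumed value.

```xml
<!-- Added example (not from the original post): the <OneX> block that sits under
     <MSM><security> in an exported Windows WLAN profile. Element names are from the
     Microsoft OneX v1 schema; SSID and EAPConfig are omitted; maxDelay is assumed. -->
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
  <!-- Machine authentication at boot, then user authentication after logon -->
  <authMode>machineOrUser</authMode>

  <!-- Setting that did not work for first-time users in the post:
       "Perform immediately before user logon". Leaving <singleSignOn> out
       entirely is the equivalent of unticking "Single Sign On for this network". -->
  <!--
  <singleSignOn>
    <type>preLogon</type>
    <maxDelay>10</maxDelay>
    <allowAdditionalDialogs>false</allowAdditionalDialogs>
    <userBasedVirtualLan>false</userBasedVirtualLan>
  </singleSignOn>
  -->

  <!-- Working variant from the post: SSO "Perform immediately after user logon",
       with "This network uses separate virtual LANs for machine and user
       authentication" ticked, since machine and user landed in different VLANs. -->
  <singleSignOn>
    <type>postLogon</type>
    <maxDelay>10</maxDelay>
    <allowAdditionalDialogs>false</allowAdditionalDialogs>
    <userBasedVirtualLan>true</userBasedVirtualLan>
  </singleSignOn>
</OneX>
```

Exporting the profile from a laptop that already works (`netsh wlan export profile name="<SSID>" folder=C:\temp`) and comparing this block is a quick way to confirm what the GPO actually pushed.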
What you will see in ISE is basically a device hitting the "Machine Authentication" policy in the log; that happens when the user boots up the laptop but has not logged in to it yet. When the user types in credentials and hits Enter, you will see the device hitting "Machine Auth Staff" or "Machine Auth Student", depending on the AD group membership.
The challenge here is to log out and log back in with a different user account, one that has never been used on that laptop; with these settings you should be able to.
I hope this has been informative and can help you save some time.