I have run into similar issues where ISE seems to remember what the user was last using and seems to fail if that rule is missing, etc.
I ran into this when I added a new MDM server, and changed the existing rule to point to the new server. ISE seemed to remember they were using the old server and just denied everyone. I had to purge their endpoints to get it to check the new server.
I guess all I can say is that there are certain changes it does not like. Not sure if it's a time thing, but I find that just making a new rule, instead of changing the existing one, and placing it above the one to replace will eventually take over, and you can remove the old rule.