I am using machine and user authentication in the supplicant. 

On my policy I am using a was machine auth compound rule. So only the user auths if the machine did.

Above that a pure Machine auth rule

I am assuming its because the Computer is not connecting automatically at boot up.

I didn't really address your question ... sorry. I guess for convenience you should enable auto connect for those users who are expected to use that service and get connected. Can't you push a group policy update to those users only, and not to the other user base that you're trying to avoid using the wifi? Unless you've locked down Windows config in such a way that unwanted users can't manually connect to the wifi, you won't be able to stop unwanted attempts. But ISE will only authorize based on the AD Group membership.

Are you trying to avoid lots of failed attempts (Live Log error) or what is the use case?

Regarding the error "22007 Username attribute is not present in the authentication request" when you untick the auto connect, which SSID do the clients end up connecting to? Do they manually connect to the intended SSID (which you didn't want them to auto connect to)? If so, then that would possibly explain my theory - they can only connect to the SSID while logged in - hence, they will trigger a user auth to the network - ISE might fail that because the device has not been Computer authenticated (that MUST work and is not in the user's control - have a look of the devices are domain joined and also what happens when those machines boot up - the network auth MUST be visible in ISE) - you can trigger this with a user log off, or a reboot.

When I untick autoconnect. and the user trys to connect before login, It says fails to connect to network. And in the ISE live logs those are shown above as the errors. A reboot or logoff didn't help.

I do have 2 group policys for Auto and Manual connect. 

Very odd. Regardless I am going to push my customer to do a full auto connect GP as it was part of my original design.

In ACS it was working. As this is an ACS to ISE migration.

yes odd indeed. Last question: did the ACS perform any Identity Rewrite (found in ISE under the AD External Identities Advanced Settings tab) ?

Functionally I wouldn't have expected ACS and ISE to differ in how PEAP is treated. At least, a basic machine auth should succeed, regardless of auto connect. Having said that, I had no idea that the auto connect could break PEAP.

I was thinking upon the rewrites too. as the host had the $ after. I am not using any in ISE. ACS - I'm not too sure where to find if it was in use.

I don't have any ACS's to look around - I couldn't find it in the user guide either. We might be barking up the wrong tree .. because the format of DOMAIN\host$ is valid - if you put that into ISE's "Test User" Lookup, you should find the computer account. It seems that Microsoft appends the "$" to machine account names and therefore these should not get rewritten.

If you had the time and inclination to do so, then perhaps take a tcpdump of the broken case, and the working case, and analyse the first Access-Request packet of each case in Wireshark - there might be a clue in there. 

You might also try getting rid of the MAR attribute for 'WasMachineAuthenticated' to see if it works. MAR has many known drawbacks and caveats that can impact user experience as documented in Machine Access Restriction Pros and Cons.

We strongly recommend against using MAR and suggest moving to a more effective way of binding machine and user credentials like EAP Chaining with EAP-TEAP.