Network adapter shows as, Unauthenticated

dgaikwad
Level 5

Hi Experts,

Setup
ISE 2.6 (standalone)
Switch 2960 running IOS 15.2(2)E7

Use cases is of dot1x and posture, all the client have AnyConnect installed.

The issue that we are seeing is as follows: the first time of the day that a client boots up, dot1x authentication does not happen. The network card shows as unauthenticated and the endpoint uses MAB instead.
To make this work, we have to manually disable and enable the network card; then it works with dot1x, posture happens, and the right VLAN is assigned as per the compliance policy.
Once the adapter has been disabled and enabled, then for the entire day, no matter how many times the machine connects or disconnects, the issue is not seen and cannot be replicated.

The desktop is running Windows 10 with the latest updates
The network adapter drivers have also been updated to the latest

Not sure what could be missing from the configuration, any pointers?
Or are there any specific timers that are needed to be enabled on switch configuration?


Arne Bier
VIP

Can you share the relevant parts of the IOS (interface) config?

And can you also show us how the Windows supplicant is configured?

This is the configuration that I have on the switch:

aaa new-model
!
!
aaa group server radius ISE
server name DC-ISE-01
!
aaa authentication login ISE-TACACS group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 ISE-TACACS group tacacs+ local
aaa authorization commands 15 ISE-TACACS group tacacs+ local
aaa authorization network default group radius
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group radius
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
!
!
!
!
aaa server radius dynamic-author
client <ISE Server> server-key 7 03270A180500701E1D5D4C
!
aaa session-id common
!
no ip domain-lookup
ip domain-name prasac.com.kh
ip device tracking probe auto-source
ip device tracking probe delay 10
!
interface GigabitEthernet1/0/1
switchport access vlan 115
switchport mode access
switchport voice vlan 125
authentication event server dead action reinitialize vlan 115
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
mab
dot1x pae authenticator
spanning-tree portfast edge
!
ip http server
ip http authentication local
ip http secure-server
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip tacacs source-interface Vlan105
!
ip access-list extended simple
deny udp any any eq domain
deny udp any eq bootps any eq bootpc
deny udp any eq bootpc any eq bootps
deny ip any host <ISE Server>
permit tcp any any eq www
permit tcp any any eq 443
!
radius server ISE
address ipv4 <ISE Server> auth-port 1812 acct-port 1813
key 7 072C705F4D06485744465E
!
dot1x system-auth-control

radius-server vsa send accounting
radius-server vsa send authentication

Network card config attached

Yes, those commands are already applied on the switch; it's that if you disable and enable the network adapter, then dot1x works.
But when the same PC starts up the next day, it will again be necessary to disable and enable the network card to get dot1x working.

Thanks for the comprehensive Windows supplicant screenshots. You are doing EAP-TLS User Authentication. This means that when the PC boots up and gets to the Windows login screen, there will be no 802.1X sent to the switch. This explains the MAB. If the MAB causes an access-reject from ISE, then the switchport won't be in a good state and the PC might not have an IP address. Once the user logs into Windows, the supplicant will kick in - but by this time it's too late, because the Cisco switch already has a session - and there was no Layer 1 link down/up to cause the switch to restart the NAC. So, your solution of bouncing the port is just that - a Link Down/Up to restart the NAC process on the switch port. And then hey ....! User auth from Windows kicks in and the EAP-TLS does its job.

If your machines are domain joined, then change your supplicant to use Machine Authentication. This will ensure that the PC gets the NAC out of the way while the PC is booting up.

There is another mode called User/Machine auth - this does both. But it means that you will get a NAC event during boot up to auth the machine, and then a NAC event when the user logs on. If you don't need to NAC every time the user logs on, then just do machine auth.

I will caution though ... what happens if the laptop goes to sleep after you've logged in and been working for a while? Then it comes back from sleep and you log into Windows ... the network will not work, because the login event didn't trigger a NAC event.

This is one reason to do both user/machine auth together, as long as you have a machine cert (always the case for domain joined machines) as well as user certs (pushed by Group Policy).

There are further complications if the user switches between wired and wireless, and mixes EAP methods (like EAP-TLS for machine auth and EAP-PEAP for user auth) - in those cases you will need Cisco AnyConnect client software.

OR ... the future ... ISE 2.7 and Windows 10 (May 2020 release) using TEAP. The solution to all of the above.
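The whole failure mode above hinges on one supplicant setting: whether the wired profile's 802.1X authMode is user-only (silent until logon, so the switch falls through to MAB and keeps that session until a link bounce) or includes the machine identity. The following is an added example, not code from the thread or from Cisco/Microsoft: it reads an exported Windows wired LAN profile (the XML shape that netsh lan export profile writes) and reports whether the supplicant can authenticate before anyone logs on. The sample profile is constructed; the element names follow the Windows LAN/OneX profile schemas.

```python
# Added example: classify an exported Windows wired 802.1X profile by its
# OneX authMode to see whether the PC will speak EAP at boot, before logon.
import xml.etree.ElementTree as ET

NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}

# Constructed sample, shaped like the file produced by
#   netsh lan export profile folder=C:\temp interface="Ethernet"
# This is the user-only setup described in the thread.
USER_ONLY_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>user</authMode>
        <EAPConfig><!-- EAP-TLS settings omitted in this sample --></EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>"""


def supplicant_mode(profile_xml: str) -> dict:
    """Return the 802.1X enabled flag and authMode of a wired LAN profile."""
    root = ET.fromstring(profile_xml)
    sec = root.find("lan:MSM/lan:security", NS)
    if sec is None:
        raise ValueError("no <security> element; not a wired LAN profile")
    enabled = sec.findtext("lan:OneXEnabled", "false", NS).strip().lower() == "true"
    mode = sec.findtext("onex:OneX/onex:authMode", "", NS).strip()
    return {"dot1x_enabled": enabled, "auth_mode": mode}


def authenticates_before_logon(profile_xml: str) -> bool:
    """True when the machine identity can complete EAP during boot.

    A 'user' profile stays silent until somebody logs on, so the switch
    falls through to MAB and keeps that session until the link bounces.
    """
    info = supplicant_mode(profile_xml)
    return info["dot1x_enabled"] and info["auth_mode"] in ("machine", "machineOrUser")


if __name__ == "__main__":
    print(supplicant_mode(USER_ONLY_PROFILE))
    print("pre-logon 802.1X possible:", authenticates_before_logon(USER_ONLY_PROFILE))
```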

zunaid.cse
Level 1

Can you share your switch radius configuration?

Or 

Please check whether or not you have applied the commands below in global config mode on the switch:

dot1x system-auth-control

radius-server vsa send accounting
radius-server vsa send authentication

Thanks,
Muhammad Zunaid Bhuiyan

Or you can contact me directly. I will try to troubleshoot your issue remotely.

Mobile+Whatsapp+Viber+IMO: +8801962400050

Email: zunaid.cse@gmail.com

Skype: mzunaidbhuiyan