Machine authentication with certs is typically used with 802.1x and a Microsoft (MS) CA. Your MS CA infrastructure is integrated with AD. The ISE internal CA will work with BYOD devices and cannot be used for 802.1x machine authentication.
Cert renewal policy conditions typically apply to the internal CA. If you have an external CA, ISE does the request in cert renewal if it is a SCEP proxy or configured as RA. Again, this is applicable only for the BYOD flow.
So your best option at this point is not to use machine auth using certs and maybe use machine credentials, since this is already part of AD, I assume. Then re-enroll your machines for certificates once the CA server is corrected.