So there is a little cart before the horse here. In order for them to be able to log in for the first time, the machine has to be on the network (hardwired or wireless) for that to happen.
If it's going to be on wireless, then the machine itself has to connect first, before the user. So you'll want to use machine authentication AND user authentication on your GPO policy for the SSID that is pushed to all the machines during their initial hardwired 'bring to life' moment.
>Assuming the computer has already been added to the Domain by one of our techs.
This is easy. Configure your WPA2-Enterprise RADIUS server to allow both users and computers to attach to the WiFi network. Configure the group policy to perform both computer+user authentication.
When the user starts up the machine, it will automatically attach to your network using the computer account. The user can now log on normally. Once they complete logging in, the machine re-authenticates as the user.
Can you give an example of what the Group Policy would look like on the DC so I can pass it on to the infrastructure side? Would it look like this - Create a new GPO that is assigned/permissioned to the machines/users on the domain?
I only ask as it has been a while since I have been on the infrastructure GP DC side of things 🙂
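
The computer+user authentication setup described in the reply above ends up on each client as a WLAN profile, which can be exported with `netsh wlan export profile` and checked. The following is an added example, not part of the thread and not anyone's production policy: it embeds a constructed profile (the SSID `ExampleCorp` is a placeholder and the EAP method settings are omitted) and audits the four settings the setup depends on. The function name `audit_profile` is hypothetical.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by Windows WLAN profiles and their 802.1X (OneX) section.
NS = {
    "w": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "x": "http://www.microsoft.com/networking/OneX/v1",
}

# Constructed sample profile: placeholder SSID, EAP method configuration omitted.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ExampleCorp</name>
  <SSIDConfig><SSID><name>ExampleCorp</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
    </OneX>
  </security></MSM>
</WLANProfile>"""

def audit_profile(xml_text):
    """Return a list of findings; an empty list means the profile matches the setup."""
    root = ET.fromstring(xml_text)
    sec = "w:MSM/w:security/"
    expected = {
        "w:connectionMode": ("auto", "machine must connect on its own before logon"),
        sec + "w:authEncryption/w:authentication": ("WPA2", "WPA2-Enterprise expected"),
        sec + "w:authEncryption/w:useOneX": ("true", "802.1X must be enabled"),
        sec + "x:OneX/x:authMode": ("machineOrUser", "computer, then user, authentication"),
    }
    findings = []
    for path, (want, why) in expected.items():
        node = root.find(path, NS)
        got = node.text.strip() if node is not None and node.text else None
        if got != want:
            name = path.split(":")[-1]
            findings.append(f"{name}: got {got!r}, want {want!r} ({why})")
    return findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE) or "profile OK")
```

A profile whose `authMode` is `user` fails this check, because the machine would have no wireless connection at the logon screen for a first-time domain logon.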