We are working towards this solution today for a couple of reasons.
1) When a laptop gets patched and rebooted today, it does not reconnect to the network (assuming it was only Wi-Fi connected) until a user interactively logs on. With COVID keeping folks out of many offices for weeks or months on end, this has been problematic.
2) When an IT person attempts to log on to a laptop via wireless (currently using RADIUS with NPS to AD), that logon fails because there is no network connection until after a successful login (the exception being cached credentials). This is a pain for IT and forces them to connect wired before they can even start their work.
3) If you have any sort of logon script or any other processing that should happen at logon, this doesn't work properly either (cart before the horse).
To mitigate some of the concerns mentioned above, our AD team uses LAPS to automate local admin account password changes every month, and each one is stored on a secure server that requires multi-factor auth to log on to.
We also encrypt the drives of all mobile devices, making boot disks and other ways to reset the local accounts very difficult.
Lastly, we are using two AD groups: one to which we add devices we want to deny (policy 1), and the other for those we want to permit (unsure, but it could ultimately be Domain Computers with exceptions weeded out in policy 1) in policy 2.
Hope this helps. Also, good luck with setting this up. I have found MANY different articles and approaches on this. Many focus on the user auth side. The machine auth is more complicated, and there isn't a single recipe for success that I've found so far, anyway.
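As an added example (not from the post above, and not the poster's own tooling), a PowerShell audit of the deny/permit group setup and the monthly LAPS rotation it relies on. It assumes the RSAT ActiveDirectory module, read access to the legacy LAPS attribute ms-Mcs-AdmPwdExpirationTime, and two placeholder group names standing in for the groups that feed NPS policy 1 and policy 2.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module, read access to the legacy LAPS attribute ms-Mcs-AdmPwdExpirationTime,
# and placeholder names for the two AD groups referenced by the NPS policies.
Import-Module ActiveDirectory

$DenyGroup   = 'WiFi-MachineAuth-Deny'    # placeholder: devices matched by policy 1 (deny)
$PermitGroup = 'WiFi-MachineAuth-Permit'  # placeholder: devices matched by policy 2 (permit)

function Get-GroupComputerNames {
    param([string]$Group)
    # Nested membership counts for NPS group conditions, so resolve recursively.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        Select-Object -ExpandProperty Name
}

$deny   = Get-GroupComputerNames $DenyGroup
$permit = Get-GroupComputerNames $PermitGroup

# 1) Computers in both groups: NPS evaluates policies in order, so a device that
#    matches policy 1 (deny) never reaches policy 2. Flag overlaps so they are
#    deliberate exceptions rather than accidents.
foreach ($name in ($permit | Where-Object { $deny -contains $_ })) {
    Write-Warning "$name is in both '$DenyGroup' and '$PermitGroup'; policy 1 (deny) takes precedence"
}

# 2) LAPS hygiene for permitted devices: an expiration time in the past means the
#    client has not checked in to rotate its local admin password, which is exactly
#    what happens to a laptop that sat off the network for weeks without a logon.
$now = (Get-Date).ToUniversalTime()
$report = foreach ($name in $permit) {
    $c = Get-ADComputer -Identity $name -Properties 'ms-Mcs-AdmPwdExpirationTime', LastLogonDate
    $expiry = if ($c.'ms-Mcs-AdmPwdExpirationTime') {
        # Attribute is stored as a Windows FILETIME large integer.
        [DateTime]::FromFileTimeUtc([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
    } else { $null }
    [pscustomobject]@{
        Computer      = $name
        LapsExpiryUtc = $expiry
        LapsOverdue   = ($null -eq $expiry) -or ($expiry -lt $now)
        LastLogonDate = $c.LastLogonDate
    }
}

$report | Sort-Object LapsOverdue -Descending | Format-Table -AutoSize
```

Rows with LapsOverdue set are the devices whose stored password may no longer be trusted to be fresh, and they are the first place to look before relying on the permit group alone.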