Hello Edgar,
Good question. From the "network engineer" perspective, 802.1X is layer two authentication, so how the operating system deals with it is a system engineer issue.
You really need to dive into Windows authentication to figure out how this exactly works.
Some items to consider:
- When you provision a new machine, it has to join the domain, so somehow it requires access to the domain. IAS/NPS probably supports a fallback VLAN, so when authentication fails (it does because it's a new machine), you can add it to a "provision" VLAN which allows access to the domain and provision it.
- Another option is MAB. You could create a script that adds the MAC address automatically when you provision the new machine.
- When you provision the machine, you can use a GPO to configure your 802.1X settings and enroll certificates.
- You can enroll user or machine certificates. You could use the machine certificate to authenticate the computer with 802.1X and use the user account only for domain authentication. I believe when you do this, machine authentication works automatically before the user attempts to log in.
- With SSO, the user credentials are used for 802.1X as well. I'm not sure how it works when you switch users though; that's something to test.
Rene
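As an added illustration of the MAB provisioning script Rene mentions (example code, not from this thread or any vendor): before a MAC address is whitelisted for MAB it should be normalized to the identity format the RADIUS server expects and checked so that multicast or locally administered (randomized) addresses are never added, since those either cannot appear as a source or will change and silently break MAB. The identity format (12 lowercase hex digits, no separators) and the entry layout are assumptions; check what your NAS actually sends as User-Name.

```python
import re

# Assumption: the RADIUS server matches MAB identities as 12 lowercase
# hex digits with no separators. Adjust normalize_mac() if your NAS differs.
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff', 'aabb.ccdd.eeff'
    or bare hex, and return the canonical 12-digit lowercase form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def mac_is_usable_for_mab(mac: str) -> tuple[bool, str]:
    """Reject addresses that must never be whitelisted.
    In the first octet, bit 0 marks a multicast address and bit 1 marks a
    locally administered address; randomized/privacy MACs set bit 1, so a
    MAB entry built from one stops matching as soon as the address rotates."""
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        return False, "multicast address"
    if first_octet & 0x02:
        return False, "locally administered (likely randomized) address"
    return True, "ok"


def build_mab_entry(raw_mac: str, hostname: str) -> dict:
    """Produce the record a provisioning script would push to the MAB
    whitelist (hypothetical layout). The description ties the identity back
    to the provisioned host so stale entries can be audited and removed."""
    mac = normalize_mac(raw_mac)
    ok, reason = mac_is_usable_for_mab(mac)
    if not ok:
        raise ValueError(f"{raw_mac}: {reason}")
    return {"identity": mac, "description": f"MAB {hostname}", "enabled": True}


if __name__ == "__main__":
    # Constructed sample input for a newly provisioned workstation.
    print(build_mab_entry("00-1A-2B-3C-4D-5E", "ws01"))
```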