Let's take a few steps back:
In 802.1x, there must be a successful authentication (not just association) for that device to be able to send any traffic. In 802.1x the "logon" or pre-auth role in the AAA profile is not used, because no traffic is passed unless authentication takes place.
In machine authentication, a domain computer will attempt to authenticate via wireless 802.1x to the network (1) when it is booting up and (2) at client logout. It will do so with "host/machinename" as the username and its SID or security identifier as the password. When a computer has successfully completed machine authentication, it has an ip address at the ctrl-alt-delete prompt. This ip address can be used to manage the device like any other wired computer, allow users who have not logged in before to login, and allow login scripts to run. To the NPS radius server, machine authentication looks like any other 802.1x authentication, except the group membership for "host/machinename" users is "Domain Computers". If your NPS rule (network policy) is only allowing successful authentication from users in "Domain Users" for example, it will reject all attempted machine authentications and the machine will fail.