First: thanks to all who have replied. It is really helping me get this figured out.
Second: What about this logic -
When a device is seen on CPPM and it is [Machine Authenticated] by AD as a machine, I am doing a post-auth enforcement where I update the endpoint as Known (just to be sure) and add an attribute Owner = MYCOMPANY.
In my Role evaluation, I have a rule: Endpoint:Owner EQUALS MYCOMPANY --> Role = PXE boot
THEN
In enforcement, I have a rule: Tips:Role EQUALS PXE boot --> allow access
This allows it on the network so it can be re-imaged!!
Seems to be working thus far. Not sure about the efficiency of my configuration though. Thoughts or suggestions?
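As an added illustration of the flow described in this post (not ClearPass code and not the poster's configuration), the toy model below walks an endpoint through an 802.1X machine-auth session, a later MAC-auth session (the PXE boot case), and a MAC-auth session from an endpoint that was never tagged. The attribute and role names (Owner, MYCOMPANY, PXE boot, Known) follow the post; the `[Machine Authenticated]` allow rule, the default deny, and the session types are assumptions made for the example.

```python
# Added example: a toy model of the post's ClearPass logic.
# This is NOT ClearPass's engine or API. Names from the post: Owner, MYCOMPANY,
# "PXE boot", Known. Assumed for the example: an "[Machine Authenticated]" allow
# rule for the 802.1X session, a deny default, and the "802.1X"/"MAC" session types.

from dataclasses import dataclass

# Stand-in for the CPPM endpoint repository, keyed by MAC address (constructed).
endpoint_db: dict[str, dict] = {}


@dataclass
class Session:
    mac: str
    auth_method: str                 # "802.1X" (AD machine auth) or "MAC" (PXE boot, no supplicant)
    machine_authenticated: bool = False


def role_mapping(session: Session) -> list[str]:
    """Role evaluation. The post's rule: Endpoint:Owner EQUALS MYCOMPANY -> PXE boot.
    The [Machine Authenticated] role for the 802.1X session is an assumption."""
    roles = []
    if session.machine_authenticated:
        roles.append("[Machine Authenticated]")
    ep = endpoint_db.get(session.mac, {})
    if ep.get("Owner") == "MYCOMPANY":
        roles.append("PXE boot")
    return roles


def enforcement(roles: list[str]) -> str:
    """Enforcement. The post's rule: Tips:Role EQUALS PXE boot -> allow access.
    Allowing [Machine Authenticated] and denying everything else are assumptions."""
    if "PXE boot" in roles or "[Machine Authenticated]" in roles:
        return "allow access"
    return "deny access"


def post_auth_enforcement(session: Session) -> None:
    """The post's post-auth step: after a successful AD machine auth, mark the
    endpoint Known and set Owner = MYCOMPANY so later sessions can match on it."""
    if session.auth_method == "802.1X" and session.machine_authenticated:
        ep = endpoint_db.setdefault(session.mac, {})
        ep["Status"] = "Known"
        ep["Owner"] = "MYCOMPANY"


def process(session: Session) -> str:
    """One request: role mapping, enforcement decision, then post-auth update."""
    decision = enforcement(role_mapping(session))
    post_auth_enforcement(session)
    return decision


def run_scenario() -> list[str]:
    """Three sessions, in order, against a fresh endpoint repository."""
    endpoint_db.clear()
    sessions = [
        # 1. Laptop does 802.1X machine auth: allowed (assumed rule), endpoint gets tagged.
        Session("aa:bb:cc:00:00:01", "802.1X", machine_authenticated=True),
        # 2. Same laptop PXE boots later (MAC auth only): Owner == MYCOMPANY -> PXE boot -> allow.
        Session("aa:bb:cc:00:00:01", "MAC"),
        # 3. Unknown device tries MAC auth: no Owner attribute -> no role -> deny.
        Session("aa:bb:cc:00:00:02", "MAC"),
    ]
    return [process(s) for s in sessions]


if __name__ == "__main__":
    for i, decision in enumerate(run_scenario(), 1):
        print(f"session {i}: {decision}")
    print("endpoint repository:", endpoint_db)
```

The model makes one property of this design visible: the PXE boot role is derived from an attribute stored on the endpoint, not from anything the device proves in the PXE session itself, so any later MAC-auth session from that MAC is allowed until the Owner attribute is removed or changed.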