We're looking to have a newly deployed machine initialize our VPN upon first startup, allowing a user to log in and auth via AD (at other end of tunnel) and create a new user profile for themselves (which would then download a user cert that they can VPN with moving forward). Would we be able to leverage a machine cert to accomplish this? And how could we make it the most secure?
current thoughts are:
Machine in a specific AD group allowing machine cert login and a process to remove machine from that AD group after first login

Thanks