05-25-2022 09:36 AM
We already have Microsoft SCCM and Cisco ISE. Our design is currently built on MAB authentication, but we now need to move to DOT1X. The problem we see is that we use SCCM to deploy Windows images to new machines, so they are just bare metal without any system on them. How can we do this without using MAB, since MAB is less secure and can lead to MAC spoofing?
05-25-2022 01:10 PM
Use SCCM to push certificates to your managed Windows machines. Use those certificates to perform EAP-TLS authentication via 802.1X to ISE.
05-25-2022 01:18 PM
I am not talking about managed Windows machines; I am asking about the unmanaged machines that don't have a Windows system yet, where we need SCCM to push and deploy Windows to them.
05-25-2022 04:06 PM
Got it, so you are talking about provisioning new machines that do not have any supplicant configuration. This is a classic chicken-and-egg scenario. You have a couple of options here:
05-25-2022 04:16 PM
I think your first solution may be applicable, but it will cause some confusion because we will then have a vulnerable room that anyone who knows about it can use to access our network.
For the other solution (deploy a default authz that only allows access to SCCM. If 802.1X succeeds: full access. If 802.1X fails: dACL/pre-auth/named ACL that only allows DHCP, DNS, and access to SCCM.) this is not enough, because those machines are going to join the domain, so they will also need access to the domain controllers, and that would be a very dangerous thing to leave open.
05-25-2022 04:24 PM
Well, you have to make some concessions somewhere, because you cannot do 802.1X without a proper supplicant configuration or credentials. You won't get your supplicant configuration or credentials until you can talk to SCCM and AD.
Another option would be to use something like Intune or MS Autopilot: join the new machine to a guest network, for example, and provision over the internet. Once provisioning has taken place, connect the machine to your corporate network as normal.
If an unauthorized user can access a locked/secured room then that is a physical security problem, not a NAC problem.
What is wrong with the whitelist MAB idea? If the whitelist is normally empty any unknown MAC address would be denied.
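The "default authz that only allows access to SCCM" option quoted in the 04:16 PM reply, and the concession discussed in the 04:24 PM reply, map onto Cisco's low-impact mode: a port ACL limits unauthenticated traffic to DHCP, DNS, PXE and the SCCM server, and a successful 802.1X (or whitelisted MAB) authorization replaces it with a permissive dACL returned by ISE. Below is an added example of that switch-side configuration; it is not from the thread or from Cisco's documentation, and the interface, VLAN 100 and the 10.0.0.50 SCCM address are placeholders, while the dACL itself is defined in ISE rather than on the switch.

```cisco
! Added example (not from the thread): Cisco IOS low-impact mode for SCCM bare-metal
! provisioning. 10.0.0.50 is a placeholder for the SCCM management/distribution point.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
ip access-list extended PRE-AUTH-SCCM-ONLY
 remark DHCP and DNS: a bare-metal client must get an address and resolve names
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 remark PXE boot server and TFTP to the distribution point only
 permit udp any host 10.0.0.50 eq 4011
 permit udp any host 10.0.0.50 eq tftp
 remark Task sequence: HTTP/HTTPS to the MP/DP, WSUS/SUP ports, SMB package share
 permit tcp any host 10.0.0.50 eq www
 permit tcp any host 10.0.0.50 eq 443
 permit tcp any host 10.0.0.50 eq 8530
 permit tcp any host 10.0.0.50 eq 8531
 permit tcp any host 10.0.0.50 eq 445
 remark Everything else, including the domain controllers, stays blocked until
 remark 802.1X succeeds and ISE pushes a dACL; log the denies for visibility
 deny ip any any log
!
interface GigabitEthernet1/0/10
 description Provisioning-capable access port (low-impact mode)
 switchport mode access
 switchport access vlan 100
 ip access-group PRE-AUTH-SCCM-ONLY in
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication event fail action next-method
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Because the port is in open mode, the PXE/DHCP/TFTP traffic matched by the port ACL flows while 802.1X is still timing out and before MAB runs, so the image download is not delayed; domain join and everything beyond SCCM only become reachable once the freshly imaged machine has a supplicant, authenticates with EAP-TLS and receives the full-access dACL.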
05-25-2022 04:39 PM
The only problem with the MAB idea is the headache: we need to add and remove the MAC on every deployment.
05-25-2022 04:25 PM
See a similar discussion with some additional detail and options here: