Using ISE 2.3 for 802.1x on wireless - domain joined computers only

Hey everyone

I am trying to create an SSID that authenticates towards the ISE server; the only condition that should allow anyone to join is that their machine is domain joined.


I am having issues using domain groups to match in my policies. I tried retrieving external groups via Administration > External Identity Sources > Active Directory > Groups, and I have retrieved Domain Admins, Domain Computers, and Domain Users.

But I can't find them anywhere when I want to define policy sets. Am I understanding this the wrong way?

Anyone who could clarify?

Accepted Solution

We need to save the groups after selecting them from the directory in the Groups tab of Active Directory. After that, we should be able to use them as conditions in ISE authorization policies of any policy set, and to use them to authorize AD users to manage ISE.

To allow domain-joined computers on wireless, we need either computer-only authentication, EAP Chaining with AnyConnect NAM, or the endpoints profiled and classified/grouped as domain-joined.


4 Replies

As you can see, my ISE servers are joined with the AD.

domain join.PNG

I found these groups that I wanted to use.

domain groups.PNG

I tried finding any of the domain groups in Admin Groups as well, since I also want to use domain users to access the ISE server for management.

admin-group.PNG

researching


Is the issue that you are not sure where to go in Policy Sets to add the condition? Or that the list of retrieved groups is not displaying when you choose the AD ExternalGroups attribute under the Conditions Studio?

If the former, then navigate to Policy Sets > (Policy_Set_To_Be_Configured) and click the right arrow at the end of the selected Policy Set. This will show the list of Authentication and Authorization Rules. Click on the Authorization Policy line to show the rules. Similar to previous releases, click the gear icon at the end of a row to insert a rule, or else click the Conditions section to modify an existing rule. Once in Conditions Studio, select the specific AD dictionary. You can also click the group icon (4th in the list), which includes the AD:ExternalGroups attribute.

At this point, you should see the option to select a group from the list. However, when I first tried this, the field was empty. I navigated to the Default Policy Set and retried, but this time I was presented with the list as shown below. Returning to the new Policy Set, I again saw the list. Not sure if it is a timing issue, browser or defect. If able to replicate, then we should file a bug with TAC. Here is what it should look like when working:

Getting back to your original goal of matching AD-joined computers: if you are not performing 802.1X machine auth, then you cannot rely on matching the Domain Computers group in AD, since the identity is not the machine but the user, and the user is not a member of Domain Computers. Another simple way to achieve this with user auth is to use the AD Probe. Based on DHCP (or DNS reverse lookup), we fetch the hostname of the endpoint and perform a lookup to AD to determine if the host exists in AD. You can then create a child profile to the Windows 7, 10 or other relevant profiles to match on this condition and set the profile to "Corporate_Windows7_Workstation". This works with MAB or 802.1X.

Regards,
Craig
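As an added illustration (not code from this thread, from Cisco or from ISE), the following Python models the point made in the last reply: a user-auth identity can never match Domain Computers, a machine-auth identity can, and the AD Probe hostname lookup is a separate path that works regardless of who authenticated. The directory contents, the domain name and the function names are constructed for the example; the `host/` identity prefix is what a Windows supplicant sends for machine authentication.

```python
from typing import Optional, Tuple

# Constructed AD snapshot: sAMAccountName -> groups. Computer accounts end in "$".
AD_ACCOUNTS = {
    "PC01$": {"Domain Computers"},
    "jdoe": {"Domain Users"},
}


def ad_account_for_identity(identity: str) -> str:
    """Map an EAP identity to the AD account ISE would look up.

    Machine auth: 'host/PC01.corp.example.com' -> 'PC01$'
    User auth:    'CORP\\jdoe' or 'jdoe@corp.example.com' -> 'jdoe'
    """
    if identity.lower().startswith("host/"):
        hostname = identity[len("host/"):].split(".")[0]
        return hostname.upper() + "$"
    if "\\" in identity:
        return identity.split("\\", 1)[1]
    return identity.split("@", 1)[0]


def external_groups(identity: str) -> set:
    """What AD:ExternalGroups would contain for this identity (constructed lookup)."""
    return AD_ACCOUNTS.get(ad_account_for_identity(identity), set())


def host_exists_in_ad(hostname: str) -> bool:
    """AD Probe style check: does the endpoint hostname exist as a computer object?"""
    return hostname.split(".")[0].upper() + "$" in AD_ACCOUNTS


def authorize_domain_joined(identity: str,
                            dhcp_hostname: Optional[str] = None) -> Tuple[bool, str]:
    """Return (permit, reason) for a 'domain-joined only' SSID policy.

    Rule 1: AD:ExternalGroups CONTAINS Domain Computers (only true for machine auth).
    Rule 2: endpoint profiled as corporate because its hostname was found in AD.
    """
    if "Domain Computers" in external_groups(identity):
        return True, "permit: machine identity is a member of Domain Computers"
    if dhcp_hostname and host_exists_in_ad(dhcp_hostname):
        return True, "permit: AD Probe found the endpoint hostname in AD"
    return False, "deny: identity is a user, not a domain computer"
```

Running `authorize_domain_joined("CORP\\jdoe")` shows why the original user-auth design denies a perfectly good domain laptop, while adding `dhcp_hostname="pc01.corp.example.com"` shows the profiling path the reply suggests.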