So it's login at pre-boot (although the user is authorised, that says the account is locked) and regular domain login (that error says the account is disabled).
At present, endpoint is unauthenticated as the Admin guide's AD integration guidelines don't work with Server 2016 (raised a separate thread on here for that one).
Domain scanner has all of the users and computers in place. Users are authorised in pre-boot but no login possible.
No logs on the client side which offer any sort of clue as to what might be going on which I find really odd.