diff --git a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
index a851b24..b35b65e 100644
--- a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
+++ b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
@@ -325,21 +325,49 @@ function Get-Phase1 {
 $script:cache.EmTaskExists -and
 $policiesBaselineReady)
 if ($phase1Essential -and -not $script:cache.InternetAccessDeleted) {
+ # Step 1: deterministic check for the AESFMA machine cert. Walk
+ # every cert in LocalMachine\My and verify its chain ends at the
+ # GE RADIUS TrustedRootCA (thumbprint from AESFMA.xml).
+ # Thumbprint 27F0C9A22B28CE7687B115A29E31BF4B3ABB180F = GE
+ # Aerospace FreeRADIUS root. Cert chained to it = AESFMA-usable.
+ $aesfmaRootThumb = '27F0C9A22B28CE7687B115A29E31BF4B3ABB180F'
+ $hasAesfmaCert = $false
 try {
- Write-Host "Phase 1 essentials complete - attempting AESFMA join (verify-before-delete)..."
- $null = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String
- Start-Sleep -Seconds 8
- $wlanState = netsh wlan show interfaces 2>$null | Out-String
- if ($wlanState -match '(?ms)SSID\s*:\s*AESFMA.*?State\s*:\s*connected') {
- Write-Host "AESFMA connected. Deleting INTERNETACCESS profile..."
- $delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
- Write-Host $delOut
- $script:cache.InternetAccessDeleted = $true
- } else {
- Write-Host "AESFMA connect not yet operational - keeping INTERNETACCESS, will retry next tick."
+ foreach ($cert in (Get-ChildItem 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue)) {
+ $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
+ $chain.ChainPolicy.RevocationMode = 'NoCheck'
+ $null = $chain.Build($cert)
+ foreach ($el in $chain.ChainElements) {
+ if ($el.Certificate.Thumbprint -eq $aesfmaRootThumb) {
+ $hasAesfmaCert = $true; break
+ }
+ }
+ if ($hasAesfmaCert) { break }
+ }
+ } catch {}
+
+ if (-not $hasAesfmaCert) {
+ # SCEP hasn't delivered the GE-rooted machine cert yet.
+ # INTERNETACCESS stays put. Retry next tick.
+ } else {
+ # Step 2: cert is here, AESFMA EAP-TLS should succeed. Try
+ # the connect with INTERNETACCESS still up as fallback.
+ try {
+ Write-Host "AESFMA cert detected (chains to GE RADIUS root) - connecting AESFMA..."
+ $null = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String
+ Start-Sleep -Seconds 8
+ $wlanState = netsh wlan show interfaces 2>$null | Out-String
+ if ($wlanState -match '(?ms)SSID\s*:\s*AESFMA.*?State\s*:\s*connected') {
+ Write-Host "AESFMA connected. Deleting INTERNETACCESS profile..."
+ $delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
+ Write-Host $delOut
+ $script:cache.InternetAccessDeleted = $true
+ } else {
+ Write-Host "AESFMA cert present but connect not yet operational - retry next tick."
+ }
+ } catch {
+ Write-Warning "AESFMA connect/swap attempt failed: $_"
 }
- } catch {
- Write-Warning "AESFMA verify-before-delete attempt failed: $_"
 }
 }
 # idx=7 push fires AS SOON AS DeviceId is captured. We want the QR
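Review bot: The cert walk sets `$hasAesfmaCert` on a bare thumbprint match in the chain elements while discarding the result of `$null = $chain.Build($cert)`, so a certificate that chains to the GE root but is expired, not yet valid, or has no usable private key still counts as "AESFMA-usable" and triggers the connect attempt every tick. Keep the build result and require a private key, e.g. `$chainOk = $chain.Build($cert)` and `if ($chainOk -and $cert.HasPrivateKey -and $el.Certificate.Thumbprint -eq $aesfmaRootThumb) {`, and since X509Chain is disposable add `$chain.Dispose()` after the element loop so the per-tick walk does not pile up native chain contexts. The bare `catch {}` around the store walk hides any failure (store access denied, chain engine error) as a permanent "SCEP hasn't delivered" state with no trace in the log; mirror the connect path with `} catch { Write-Warning "AESFMA cert check failed: $_" }`. The `if (-not $hasAesfmaCert) { … } else { … }` whose first branch holds only comments reads more directly as `if ($hasAesfmaCert) { … }` with the retry comment placed above it. Get-Phase1 begins before this hunk.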