Hi Tim,
What if we use OnGuard to bounce the session (maybe delayed) and give the user time to get a cert via GPO?
I think that if the network profile is set to authenticate user or machine, and the user is logged in for the first time (doesn't have a cert), it simply won't do user authentication; it will only be machine authenticated. It gets the cert via GPO, OnGuard bounces the session, and on the second attempt the user is authenticated with the cert it just got.
Will that do the trick, and is this a valid design?