diff --git a/ansible/roles/host_ocp4_assisted_scale/defaults/main.yml b/ansible/roles/host_ocp4_assisted_scale/defaults/main.yml index 83b120c..6eb961b 100644 --- a/ansible/roles/host_ocp4_assisted_scale/defaults/main.yml +++ b/ansible/roles/host_ocp4_assisted_scale/defaults/main.yml @@ -19,6 +19,6 @@ ai_configure_hosts: [] # When true, remove worker role from control-plane nodes and mark masters non-schedulable worker_only: false -# CSR approval retry settings — must cover install + reboot + kubelet startup -approve_csr_retries: 180 +# CSR approval retry settings +approve_csr_retries: 90 approve_csr_delay: 10 diff --git a/ansible/roles/host_ocp4_assisted_scale/tasks/main.yaml b/ansible/roles/host_ocp4_assisted_scale/tasks/main.yaml index 0d321c5..d716cfb 100644 --- a/ansible/roles/host_ocp4_assisted_scale/tasks/main.yaml +++ b/ansible/roles/host_ocp4_assisted_scale/tasks/main.yaml @@ -175,25 +175,6 @@ loop_control: loop_var: _index -# Approve CSRs BEFORE wait_for_hosts to avoid deadlock. -# The machine-approver rejects CSRs for assisted-installer workers -# (no Machine API objects), so we must approve them manually. -# Workers install OCP, reboot, then generate CSRs — approving them -# here lets nodes join the cluster so the AI can mark hosts ready. -- name: Initialize CSR approval iteration counter - ansible.builtin.set_fact: - approve_csr_iteration: 1 - -- name: Approve CSR - ansible.builtin.include_tasks: approve_csr_nodes.yaml - -- name: Wait for the hosts to be ready - module_defaults: - group/k8s: - host: "{{ sandbox_openshift_api_url }}" - api_key: "{{ sandbox_openshift_api_key }}" - validate_certs: false - block: - name: Wait for the hosts to be ready rhpds.assisted_installer.wait_for_hosts: cluster_id: "{{ r_import_cluster.result.id }}" 
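Review bot: In `defaults/main.yml`, the new comment `# CSR approval retry settings` no longer says what the retry window has to cover, while `approve_csr_retries: 90` halves that window with `approve_csr_delay: 10` unchanged. If the loop in `approve_csr_nodes.yaml` (not shown in this diff) waits one delay per retry, the window drops from roughly 30 minutes to 15. The comment should record why 90 is enough, for example `# CSR approval retry settings: 90 x 10 s; approval runs after wait_for_hosts`, if that is the reasoning. Otherwise a CSR created late by a slow node could be left pending once the retries run out.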
@@ -203,6 +184,13 @@ configure_hosts: "{{ ai_configure_hosts }}" wait_timeout: 600 +- name: Initialize CSR approval iteration counter + ansible.builtin.set_fact: + approve_csr_iteration: 1 + +- name: Approve CSR + ansible.builtin.include_tasks: approve_csr_nodes.yaml + - name: Configure worker-only mode when: worker_only | default(false) | bool ansible.builtin.include_tasks: worker_only.yaml
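Review bot: In `tasks/main.yaml`, the `Approve CSR` include now runs only after `wait_for_hosts` (with `wait_timeout: 600`) has returned, and nothing in the added lines says why that order is safe. The comment removed earlier in this file stated that the machine-approver rejects CSRs for assisted-installer workers and that approving first avoided a deadlock; if that still holds, the wait may time out before any CSR is approved. A comment above `Initialize CSR approval iteration counter` should record the reasoning, e.g. `# CSRs are approved after wait_for_hosts because <reason>`. `approve_csr_nodes.yaml` is not part of this diff, so it is worth confirming there that only CSRs for the hosts being added are approved, rather than every pending request.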