diff --git a/xos/synchronizer/model_policies/model_policy_att_workflow_driver_serviceinstance.py b/xos/synchronizer/model_policies/model_policy_att_workflow_driver_serviceinstance.py
index 37946ed..ef3363b 100644
--- a/xos/synchronizer/model_policies/model_policy_att_workflow_driver_serviceinstance.py
+++ b/xos/synchronizer/model_policies/model_policy_att_workflow_driver_serviceinstance.py
@@ -17,6 +17,9 @@
 from synchronizers.new_base.modelaccessor import RCORDSubscriber, ONUDevice, model_accessor
 from synchronizers.new_base.policy import Policy
 
+class DeferredException(Exception):
+    pass
+
 class AttWorkflowDriverServiceInstancePolicy(Policy):
     model_name = "AttWorkflowDriverServiceInstance"
 
@@ -24,37 +27,24 @@
         self.logger.debug("MODEL_POLICY: handle_create for AttWorkflowDriverServiceInstance %s " % si.id)
         self.handle_update(si)
 
-    def update_and_save_subscriber(self, subscriber, si, update_timestamp=False):
-        if si.authentication_state == "STARTED":
-            subscriber.status = "awaiting-auth"
-        elif si.authentication_state == "REQUESTED":
-            subscriber.status = "awaiting-auth"
-        elif si.authentication_state == "APPROVED":
-            subscriber.status = "enabled"
-        elif si.authentication_state == "DENIED":
-            subscriber.status = "auth-failed"
-
-        subscriber.save(always_update_timestamp=update_timestamp)
-
-    def create_subscriber(self, si):
-        subscriber = RCORDSubscriber()
-        subscriber.onu_device = si.serial_number
-        subscriber.status == "awaiting-auth"
-
-        return subscriber
-
     def handle_update(self, si):
+
+        # TODO if si.onu_state = DISABLED set subscriber.status to need_auth
+        # TODO cleanup
+
         self.logger.debug("MODEL_POLICY: handle_update for AttWorkflowDriverServiceInstance %s, valid=%s " % (si.id, si.valid))
 
         # Check to make sure the object has been synced. This is to cover a race condition where the model_policy
         # runs, is interrupted by the sync step, the sync step completes, and then the model policy ends up saving
         # a policed_timestamp that is later the updated timestamp set by the sync_step.
         if (si.backend_code!=1):
-            raise Exception("MODEL_POLICY: AttWorkflowDriverServiceInstance %s has not been synced yet" % si.id)
+            raise DeferredException("MODEL_POLICY: AttWorkflowDriverServiceInstance %s has not been synced yet" % si.id)
 
+        # waiting for Whitelist validation
         if not hasattr(si, 'valid') or si.valid is "awaiting":
-            self.logger.debug("MODEL_POLICY: skipping handle_update for AttWorkflowDriverServiceInstance %s as not validated yet" % si.id)
-            return
+            raise DeferredException("MODEL_POLICY: deferring handle_update for AttWorkflowDriverServiceInstance %s as not validated yet" % si.id)
+
+        # disabling ONU
         if si.valid == "invalid":
             self.logger.debug("MODEL_POLICY: disabling ONUDevice [%s] for AttWorkflowDriverServiceInstance %s" % (si.serial_number, si.id))
             onu = ONUDevice.objects.get(serial_number=si.serial_number)
@@ -82,24 +72,25 @@
                 # we just want to find out if it exists or not
                 pass
 
+            if subscriber:
+                # if the subscriber is there and authentication is complete, update its state
+                self.logger.debug("MODEL_POLICY: handling subscriber", onu_device=si.serial_number, authentication_state=si.authentication_state, onu_state=si.onu_state)
+                if si.onu_state == "DISABLED":
+                    # NOTE do not mess with onu.admin_state as that triggered this condition
+                    subscriber.status = "awaiting-auth"
+                elif si.authentication_state == "STARTED":
+                    subscriber.status = "awaiting-auth"
+                elif si.authentication_state == "REQUESTED":
+                    subscriber.status = "awaiting-auth"
+                elif si.authentication_state == "APPROVED":
+                    subscriber.status = "enabled"
+                elif si.authentication_state == "DENIED":
+                    subscriber.status = "auth-failed"
+
+                subscriber.save(always_update_timestamp=True)
             # if subscriber does not exist
-            self.logger.debug("MODEL_POLICY: handling subscriber", onu_device=si.serial_number, create_on_discovery=si.owner.leaf_model.create_on_discovery)
-            if not subscriber:
-                # and create_on_discovery is false
-                if not si.owner.leaf_model.create_on_discovery:
-                    # do not create the subscriber, unless it has been approved
-                    if si.authentication_state == "APPROVED":
-                        self.logger.debug("MODEL_POLICY: creating subscriber as authentication_sate=APPROVED")
-                        subscriber = self.create_subscriber(si)
-                        self.update_and_save_subscriber(subscriber, si)
-                else:
-                    self.logger.debug("MODEL_POLICY: creating subscriber")
-                    subscriber = self.create_subscriber(si)
-                    self.update_and_save_subscriber(subscriber, si)
-            # if the subscriber is there and authentication is complete, update its state
-            elif subscriber and si.authentication_state == "APPROVED":
-                self.logger.debug("MODEL_POLICY: updating subscriber status")
-                self.update_and_save_subscriber(subscriber, si, update_timestamp=True)
+            else:
+                self.logger.warn("MODEL_POLICY: subscriber does not exists for this SI, doing nothing")
 
     def handle_delete(self, si):
         pass
diff --git a/xos/synchronizer/model_policies/test_model_policy_att_workflow_driver_serviceinstance.py b/xos/synchronizer/model_policies/test_model_policy_att_workflow_driver_serviceinstance.py
index 4386eb3..774efda 100644
--- a/xos/synchronizer/model_policies/test_model_policy_att_workflow_driver_serviceinstance.py
+++ b/xos/synchronizer/model_policies/test_model_policy_att_workflow_driver_serviceinstance.py
@@ -84,14 +84,17 @@
 
             self.assertIn("has not been synced yet", e.exception.message)
 
-    def test_skip_update(self):
+    def test_defer_update(self):
         self.si.valid = "awaiting"
         self.si.backend_code = 1
 
         with patch.object(RCORDSubscriber, "save") as subscriber_save, \
             patch.object(ONUDevice, "save") as onu_save:
 
-            self.policy.handle_update(self.si)
+            with self.assertRaises(Exception) as e:
+                self.policy.handle_update(self.si)
+
+            self.assertEqual(e.exception.message, "MODEL_POLICY: deferring handle_update for AttWorkflowDriverServiceInstance 98052 as not validated yet")
             subscriber_save.assert_not_called()
             onu_save.assert_not_called()
 
@@ -99,6 +102,7 @@
         self.si.valid = "invalid"
         self.si.serial_number = "BRCM1234"
         self.si.backend_code = 1
+        self.si.onu_state = "ENABLED"
 
         onu = ONUDevice(
             serial_number=self.si.serial_number
@@ -120,6 +124,7 @@
         self.si.serial_number = "BRCM1234"
         self.si.c_tag = None
         self.si.backend_code = 1
+        self.si.onu_state = "ENABLED"
 
         onu = ONUDevice(
             serial_number=self.si.serial_number,
@@ -147,7 +152,7 @@
         self.si.backend_code = 1
         self.si.serial_number = "BRCM1234"
         self.si.authentication_state = "DENIEND"
-        self.si.owner.leaf_model.create_on_discovery = False
+        self.si.onu_state = "ENABLED"
 
         onu = ONUDevice(
             serial_number=self.si.serial_number,
@@ -166,40 +171,37 @@
             onu_save.assert_called()
             self.assertEqual(subscriber_save.call_count, 0)
 
-    def test_create_subscriber(self):
+    def test_subscriber_awaiting_status_onu_state_disabled(self):
         self.si.valid = "valid"
-        self.si.serial_number = "BRCM1234"
         self.si.backend_code = 1
+        self.si.serial_number = "BRCM1234"
+        self.si.onu_state = "DISABLED"
 
         onu = ONUDevice(
             serial_number=self.si.serial_number,
-            admin_state="ENABLED"
+            admin_state="DISABLED"
+        )
+
+        subscriber = RCORDSubscriber(
+            onu_device=self.si.serial_number,
+            status='enabled'
         )
 
         with patch.object(ONUDevice.objects, "get_items") as onu_objects, \
-                patch.object(RCORDSubscriber, "save", autospec=True) as subscriber_save, \
-                patch.object(ONUDevice, "save") as onu_save:
-
+                patch.object(RCORDSubscriber.objects, "get_items") as subscriber_objects, \
+                patch.object(RCORDSubscriber, "save") as subscriber_save:
             onu_objects.return_value = [onu]
+            subscriber_objects.return_value = [subscriber]
 
             self.policy.handle_update(self.si)
-            self.assertEqual(subscriber_save.call_count, 1)
+            self.assertEqual(subscriber.status, "awaiting-auth")
+            subscriber_save.assert_called()
 
-            subscriber = subscriber_save.call_args[0][0]
-            self.assertEqual(subscriber.onu_device, self.si.serial_number)
-
-            onu_save.assert_not_called()
-    
-    def test_create_subscriber_no_create_on_discovery(self):
-        """
-        test_create_subscriber_no_create_on_discovery
-        When si.owner.create_on_discovery = False we still need to create the subscriber after authentication
-        """
-
+    def test_subscriber_enable_status_auth_state_approved(self):
         self.si.valid = "valid"
-        self.si.serial_number = "BRCM1234"
         self.si.backend_code = 1
-        self.si.owner.leaf_model.create_on_discovery = False
+        self.si.serial_number = "BRCM1234"
+        self.si.onu_state = "ENABLED"
         self.si.authentication_state = "APPROVED"
 
         onu = ONUDevice(
@@ -207,19 +209,20 @@
             admin_state="ENABLED"
         )
 
-        with patch.object(ONUDevice.objects, "get_items") as onu_objects, \
-                patch.object(RCORDSubscriber, "save", autospec=True) as subscriber_save, \
-                patch.object(ONUDevice, "save") as onu_save:
+        subscriber = RCORDSubscriber(
+            onu_device=self.si.serial_number,
+            status='awaiting-auth'
+        )
 
+        with patch.object(ONUDevice.objects, "get_items") as onu_objects, \
+                patch.object(RCORDSubscriber.objects, "get_items") as subscriber_objects, \
+                patch.object(RCORDSubscriber, "save") as subscriber_save:
             onu_objects.return_value = [onu]
+            subscriber_objects.return_value = [subscriber]
 
             self.policy.handle_update(self.si)
-            self.assertEqual(subscriber_save.call_count, 1)
-
-            subscriber = subscriber_save.call_args[0][0]
-            self.assertEqual(subscriber.onu_device, self.si.serial_number)
-
-            onu_save.assert_not_called()
+            self.assertEqual(subscriber.status, "enabled")
+            subscriber_save.assert_called()
 
 if __name__ == '__main__':
     unittest.main()