Jump to content
Welcome to our new Citrix community!
  • 0

Windows 10 upgrade from 1909 to 20H2 causing trust relationship issue on Citrix VDI

Naveen Venkatesan



Recently we have upgraded all our windows 10 persistent VDI from 1909 to 20H2. Post that whenever machine account tries to reset it's password, communication broke with domain controller and gets trust relationship error.


Citrix version : 1912 LTSR CU2

Windows version : Windows 10 (20H2)

Workstation : Persistent(Dedicated)


This is happening only on Citrix VDI and same upgrade we have performed for normal laptop it's working fine. Please suggest.

Edited by Naveen Venkatesan
Includes version
Link to comment

3 answers to this question

Recommended Posts

  • 1

I have got this issue in 2 different scenarios...


1) like mentioned above in the post during the majoy build update VDAs failed to register post OS update. If you try to login with domain cred from console you can see Trust relatioship error


2) wiredly during the VDA upgrade. Post VDA upgrade state of the machine would be in unregister with trust relationship error. I have seen this behaviour from 1912 all CU and while doing 2203 LTSR


-- In both the cases reason for the trust error is not due to any service dependency (Citrix PVS VM Agent service entry)like mentioned above in my case. All i was doing to fix the issue was, to run the command 


Test-ComputerSecureChannel -Repair -Credentials (Get-credentials)


from the Localadmin login with my domain credentials. Some times, I need to run the command couple a times to get the communication established between the computer and the domain(if i am not wrong the event id is 5823. password change successful event). This events can be reviewed in the Windows System event log (Source: NETLOGON)


-- The standard way to fix the issue is to disjoin from domain and rejoin the computer (VM) to domain. 


-- In a rare case, If the dedicated VDAs are MCS provisioned and experiencing this issue with trust relationship,


I did a format of identity disk 

rebooted the VM

AT this stage the Machine account would be in discabled state in AD

Enable machine account from dsa.msc

login with local admin cred

Run the command Test-ComputerSecureChannel -Repair -Credentials (Get-credentials)


to fix this issue


-- Additioanlly if you are using the Install.bat file shipped with Product iso, you can modify the .bat file at the end to include this commad. so that when the upgrade runs this command will fix the issue in case of trust relatioship issue. You can include a condition to run the command whent he output in $false

  • Like 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...