Tuesday, March 19, 2013

Creating a GPO to automatically add the TrustModelData registry key for Lync 2010 clients

Those who may be familiar with the following KB explaining why having a SIP domain for Lync that is different than the internal domain FQDN would present the user with the following message upon logging into their Lync 2010 client:

"Lync cannot verify that the server is trusted for your sign-in address." message when you sign in to Lync 2010 by authenticating to Lync Online

… would know that adding a registry key to the user’s local workstation or laptop can quickly fix the issue.  I recently ran into this issue again at a client and because it isn’t practical to manually add this key into every desktop, I opted to create a GPO using Group Policy Preferences to add the key.  While creating the GPO isn’t difficult, I thought I’d write this post just so I had something to refer to in the future.

Begin by creating a new GPO applied to an OU containing the user accounts (we’re applying a registry key to the HKEY_CURRENT_Users):


Give the policy a meaningful name:


Navigate to User Configuration –> Preferences –> Windows Settings –> Registry:


Right click on the Registry node and select New –> Registry Item:


Proceed with filling in the fields:


Action:  Create


Key Path:  Software\Microsoft\Communicator

Value Name:  TrustModelData

Value type:  REG_SZ

Value data:,,,, <additionalFQDN>


Once the registry is created, proceed to logging on a workstation, execute a GPUpdate, log off and on then check to ensure that the key is automatically created in HKEY_CURRENT_USER\Software\Microsoft\Communicator:



Anonymous said...


I am trying to add the trustmodeldata key but I have some problems..

My problem is that at the first run of Lync Client on the computer, this HKCU key is overwritten by the default values coming from the installer, and the user sees the certificate warning.

I tried to put the key in HKLM but it either doesn't work or HKCU overrides HKLM (and has the wring list)

I tried to install lync 2010 client with the parameter /reg:regfile.reg but the parameters in the reg file are juste applied like if you merge the reg-file after the installation.

So here I am.. Have you any idea instead of extracting and editing the MSI? (+ recteate all checks and prerequisites in sccm?)

It works fine for people who have already been using Lync, but they checked the box "Always trust this server" so it's useless for them..
Cannot install lync 2013 client even if we have lync 2013 server (political choice)

Anonymous said...

I also have the same problem as above, any solutions?