VDA machines stuck at Initializing for Hybrid Azure AD join



Article ID: CTX566696


Description

For Citrix MCS-provisioned Hybrid Azure AD joined machine catalogs, the VDA machines might be stuck in the “Initializing” state after startup. When you log in to an affected VDA machine and run the “dsregcmd /status /debug” command, the following error message appears under “Diagnostic Data”:

“Server Message: The user certificate is not found on the device with id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”

For Citrix DaaS, a warning icon will appear in the Full Configuration interface if the user certificate is about to expire.
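Before scheduling the repair it helps to know exactly which computer accounts in a catalog have an expired or missing certificate. The PowerShell below is an added example, not part of this article or of the Citrix SDK: it lists every MCS machine in a catalog, reads the userCertificate attribute of its Active Directory computer account and decodes each value as an X.509 certificate so the expiry date can be reported. It assumes the Citrix PowerShell SDK (on-premises snap-ins or the Remote PowerShell SDK for DaaS) and the ActiveDirectory RSAT module are both available on the machine where it runs; the function name and the WarnDays threshold are this example's own choices.

```powershell
# Added example (not part of the Citrix article): audit the userCertificate
# attribute of every computer account in an MCS catalog and report its expiry.
# Assumes the Citrix PowerShell SDK and the ActiveDirectory module are loaded.
Import-Module ActiveDirectory

function Get-CatalogUserCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$CatalogName,
        [int]$WarnDays = 30   # flag certificates that expire within this many days
    )

    # Get-ProvVM returns the AD account name and SID of every MCS machine.
    foreach ($vm in Get-ProvVM -ProvisioningSchemeName $CatalogName) {
        $computer = Get-ADComputer -Identity $vm.ADAccountSid -Properties userCertificate
        $values = @($computer.userCertificate)

        if ($values.Count -eq 0) {
            # No certificate at all: the account was cleared or never populated.
            [pscustomobject]@{
                ADAccountName = $vm.ADAccountName
                Subject       = $null
                Thumbprint    = $null
                NotAfter      = $null
                DaysLeft      = $null
                State         = 'Missing'
            }
            continue
        }

        # userCertificate is multi-valued; each value is a DER-encoded certificate.
        # The subject of the hybrid-join certificate carries the device id that
        # dsregcmd names in its "user certificate is not found" message.
        foreach ($der in $values) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
            $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            $state = if ($daysLeft -lt 0) { 'Expired' }
                     elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                     else { 'OK' }
            [pscustomobject]@{
                ADAccountName = $vm.ADAccountName
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                DaysLeft      = $daysLeft
                State         = $state
            }
        }
    }
}

# Usage, with $CatalogName set to the affected catalog as in the article:
# Get-CatalogUserCertificateStatus -CatalogName $CatalogName |
#     Sort-Object DaysLeft | Format-Table -AutoSize
```

Accounts reported as Expired or Missing are the ones that will produce the dsregcmd error above; ExpiringSoon accounts can be included in the same maintenance window rather than waiting for them to fail one by one.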

Resolution

To resolve this issue, plan a maintenance window for the affected machine catalogs: the repair requires the VDA machines to be powered off (CVAD) or rebooted (DaaS), so schedule it to avoid business interruption.

For Citrix DaaS, download the latest version of the Citrix Remote PowerShell SDK and run the commands below to repair the user certificates of the Hybrid Azure AD joined VDA machines.

# Resolve the catalog to its provisioning scheme and identity pool
$ProvSchemeUid = (Get-BrokerCatalog -Name $CatalogName).ProvisioningSchemeId
$IdentityPoolUid = (Get-ProvScheme -ProvisioningSchemeUid $ProvSchemeUid).IdentityPoolUid
# Re-create the user certificate on every AD computer account in the pool
Get-AcctADAccount -IdentityPoolUid $IdentityPoolUid | Repair-AcctIdentity -Target UserCertificate -PrivilegedUserName $User -PrivilegedUserPassword $Password
# Clear the stored expiration date so the Full Configuration warning goes away
Remove-ProvSchemeMetadata -ProvisioningSchemeUid $ProvSchemeUid -Name UserCertificateExpirationDate

$CatalogName is the name of the affected machine catalog, $User is the name of an account with sufficient privileges to read and write AD computer accounts, and $Password is that account's password stored as a SecureString.

Note that the VDA machines might experience a delayed Hybrid Azure AD join on their next boot. To speed this up, manually reboot the affected VDA machines after the repair and trigger an Azure AD Connect sync cycle by running the command below on your Azure AD Connect server:

Start-ADSyncSyncCycle -PolicyType Delta

For CVAD, follow the steps below to repair the user certificates of the VDA machines in the affected machine catalog.

  1. Power off the virtual machines in the affected machine catalog.

  2. Log in to a machine that can run Citrix cmdlets and run the command below to export the list of computer accounts. Both the account name (used for progress messages) and the SID (used to address the account) are needed by the script in the next step.

Get-ProvVm -ProvisioningSchemeName $CatalogName | Select-Object -Property ADAccountName, ADAccountSid | Export-Csv -NoTypeInformation -Path AffectedAccounts.csv

  3. Copy the PowerShell script below to a domain-joined machine that can reach a domain controller and save it as “RepairUserCertificate.ps1”.

[cmdletbinding(PositionalBinding = $false, DefaultParameterSetName = "Default")]
param(
    # CSV exported from Get-ProvVm (ADAccountName, ADAccountSid columns)
    [Parameter(Mandatory)][string]$Path,
    # How long to wait for one machine to write its new certificate before giving up
    [int]$TimeoutSeconds = 1800
)

Import-Module ActiveDirectory
$ErrorActionPreference = "Stop"

# Poll the computer account until the VDA has written a new userCertificate value.
function WaitForUserCertificate($computerAccount) {
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    While ($true) {
        $obj = Get-ADComputer -Identity $computerAccount.ADAccountSid -Properties userCertificate -Credential $credential |
            Select-Object -Property userCertificate
        if ($obj.userCertificate.count -ne 0) {
            return
        }
        if ((Get-Date) -gt $deadline) {
            throw "Timed out waiting for the userCertificate attribute of $($computerAccount.ADAccountName); check that the VM is running and domain joined."
        }
        Write-Host "    Waiting for userCertificate attribute of" $computerAccount.ADAccountName
        Start-Sleep 10
    }
}

$credential = Get-Credential -Message "Domain credential that can write computer accounts in AD"

# Step 1: clear the expired certificate from each computer account (VMs must be powered off).
$computerAccountList = Import-Csv -Path $Path
Foreach ($computerAccount in $computerAccountList) {
    Write-Host "Clearing userCertificate for" $computerAccount.ADAccountName "..."
    Set-ADComputer -Identity $computerAccount.ADAccountSid -Clear userCertificate -Credential $credential
}

Write-Host "UserCertificate for all virtual machines has been cleared."
Write-Warning "Please start the virtual machines and then continue with the next steps."
Read-Host "Virtual machines are up and running?"

# Step 2: each VDA writes a fresh certificate into its computer account on boot; wait for all of them.
Foreach ($computerAccount in $computerAccountList) {
    Write-Host "Checking userCertificate for" $computerAccount.ADAccountName "..."
    WaitForUserCertificate $computerAccount
}

Write-Host "UserCertificate for all virtual machines has been re-created."
# Step 3: Azure AD Connect must sync the new certificates before the hybrid join can complete.
Write-Warning "Please trigger an Azure AD Connect delta sync by running 'Start-ADSyncSyncCycle -PolicyType Delta' on the Azure AD Connect server."
Read-Host "Azure AD Connect sync completed?"
Write-Host "Please wait a while for the virtual machines to complete Hybrid Azure AD join and device registration."
  4. Copy the AffectedAccounts.csv generated in step 2 to the machine where you saved “RepairUserCertificate.ps1”.

  5. Run “RepairUserCertificate.ps1 -Path $PathToAffectedAccountsCsv” and follow the instructions printed by the script.
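Whichever procedure you used, the final check is on the VDA itself: dsregcmd must report the device as Azure AD joined and the “user certificate is not found” message must be gone. The PowerShell below is an added example, not part of this article: it parses the “Key : Value” rows of “dsregcmd /status /debug” into a hashtable and summarises the join state, so the check can be run over every VDA in the catalog instead of reading the output by hand. The sample output embedded in the block is constructed for the example, the function names are this example's own, and the DeviceId row is assumed to appear in the “Device Details” section as it does on current Windows builds.

```powershell
# Added example (not part of the Citrix article): turn "dsregcmd /status /debug"
# output into an object so the join state of many VDAs can be checked in bulk.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "        Key : Value" rows; section banners ("+---", "| ...")
        # and blank lines do not match. The key stops at the first colon, so a value
        # that itself contains a colon (the "Server Message" row) is kept whole.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    $status
}

function Test-HybridJoin {
    param([Parameter(Mandatory)][string[]]$Lines)
    $s = ConvertFrom-DsregStatus -Lines $Lines
    $message = if ($s.ContainsKey('Server Message')) { $s['Server Message'] } else { '' }
    [pscustomobject]@{
        DomainJoined        = ($s['DomainJoined']  -eq 'YES')
        AzureAdJoined       = ($s['AzureAdJoined'] -eq 'YES')
        DeviceId            = $s['DeviceId']
        UserCertificateLost = ($message -like '*user certificate is not found*')
        ServerMessage       = $message
    }
}

# Constructed sample of the relevant rows from an affected VDA (not a real capture).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

            Server Message : The user certificate is not found on the device with id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
'@ -split "`r?`n"

# Expected for the sample: DomainJoined True, AzureAdJoined False, UserCertificateLost True
Test-HybridJoin -Lines $sample

# On a live VDA:
# Test-HybridJoin -Lines (dsregcmd /status /debug)
#
# Across the catalog, with $vdaNames holding the VDA host names:
# foreach ($vda in $vdaNames) {
#     $lines = Invoke-Command -ComputerName $vda -ScriptBlock { dsregcmd /status /debug }
#     Test-HybridJoin -Lines $lines |
#         Add-Member -NotePropertyName ComputerName -NotePropertyValue $vda -PassThru
# }
```

A VDA that has recovered shows AzureAdJoined True with an empty ServerMessage; one that still shows UserCertificateLost True after the Azure AD Connect delta sync has not yet picked up its new certificate, or its account was not included in the repair.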


Problem Cause

The user certificate that Citrix MCS creates for each computer account (stored in the account's userCertificate attribute in Active Directory) expires after one year and is not renewed automatically. Once it has expired, the Hybrid Azure AD join fails with the “user certificate is not found” error.
