Fix 0xC0000199: Computer Account Trust Failure

What 0xC0000199 Actually Means

You're staring at a blue screen or a login prompt that won't let you in. Error STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (0xC0000199) means Windows thinks your computer account on the domain is dead. Happens when someone resets the computer object in Active Directory, or the machine's secure channel went bad. I had a client last month whose IT guy accidentally deleted its computer account while cleaning stale objects. Panic city.

Good news: you don't need to rejoin the domain from scratch. These fixes work from local admin or recovery options.

Fix 1: The 30-Second Registry Edit

This only works if you can get to the login screen and have local admin credentials. If you can't even get that far, skip to Fix 2.

1. Press Shift + restart from the login screen to boot into Recovery Environment.
2. Go to Troubleshoot > Advanced Options > Command Prompt.
3. Type regedit and hit Enter.
4. In regedit, highlight HKEY_LOCAL_MACHINE then go to File > Load Hive.
5. Navigate to C:\Windows\System32\config\SYSTEM (the file without extension). Give it a name like TempHive.
6. Browse to HKEY_LOCAL_MACHINE\TempHive\ControlSet001\Control\Lsa.
7. Find the DWORD WorkstationID and delete it. If it's not there, create it, set value to 0.
8. Unload the hive: highlight TempHive, File > Unload Hive.
9. Reboot.

This forces Windows to regenerate the machine's secure channel. Works about 60% of the time. The guy I mentioned earlier? This got him back in under a minute.

Fix 2: The 5-Minute PowerShell Remedy

If the regedit trick didn't work, or you can't get to Recovery, you need to reset the computer account from another machine on the same network. You'll need domain admin credentials or delegated permission to reset computer objects.

1. On a working domain-joined PC, open PowerShell as admin.
2. Run:
   

   Reset-ComputerMachinePassword -Server "" -Credential (Get-Credential)

   Replace <your_domain_controller> with an actual DC name (e.g., DC01.contoso.com). Enter domain admin credentials when prompted.
3. Wait about 30 seconds. PowerShell will update the machine password stored locally.
4. On the broken machine, reboot and try logging in again.

If the broken machine can't reach the network (no NIC driver loaded at boot), boot from a Windows PE USB and run the same command after loading the driver. Or use the offline method below.

Fix 3: The 15+ Minute Offline Domain Rejoin

When the two above fail—usually because the computer account was deleted or the secure channel is totally hosed—you have to rejoin the domain manually. But you don't need to reinstall Windows.

1. Boot the broken machine into Safe Mode with Networking (press F8 during boot, select it). You'll need a local admin account that wasn't corrupted.
2. Once logged in, open System Properties (right-click This PC > Properties > Advanced System Settings > Computer Name tab).
3. Click "Change" under "To rename this computer or change its domain".
4. Change the membership to a workgroup (any name, doesn't matter). Click OK, reboot.
5. Boot into normal mode, log in with local admin again. Reopen System Properties, join the domain again. Use domain admin credentials.
6. Reboot one more time. Fixed.

Why this works: leaving the domain clears the old computer trust relationship. Rejoining from scratch creates a brand new secure channel. A client's accounting firm had a server that couldn't boot after a DC rebuild—this saved the day.

When to Skip These and Call a Pro

If you've tried all three and still get the error, you're dealing with something deeper: corrupted SAM database, faulty disk, or a domain-wide issue (time sync problem, DNS misconfiguration). Check dcdiag on your DCs first. Also verify the computer object still exists in ADUC—if it's gone, Fix 3 is your only option.

Had one case where the error was actually caused by a third-party antivirus blocking the secure channel update. Uninstalling it (in Safe Mode) resolved the 0xC0000199. Rare, but possible.