Lync Phone Edition will only attempt to retrieve the root certificate from the internal, Active Directory published CA during registration attempts, it was not programmed to perform this same action automatically upon bootup.
So in this case user-intervention is required by attempting to sign-in to the Lync Server.
It is important to understand that although Lync Server 2013 brings a host of new 2013-branded clients (e.g.
The Device Out of Box section shown at the bottom of this page in Tech Net lists the requirements to support this registration-less device process.
A network capture run on the Lync server will show the following traffic indicating that the phone has requested to establish a TLS session with the Lync Server, which then passes its server certificate to the phone in the following message.
Traffic from the phone to the Lync server at this point will stop for a period of time as the connection cannot be established.
Check the System Information menu on the phone to validate this failure by verifying that the Last Update Status code is reported as as covered in this troubleshooting article.
The device will then automatically perform a DNS query for the hostname for each domain name which may have been passed via those DHCP options.