You can prevent this problem for your users by predeploying the trust.
There are multiple ways to do so and Identity Awareness Admin Guide is showing you how.
For a very quick workaround for your 20k users: Deploy the following registry key using you client software management plattform (SCCM or something like that):
Just copy the needed content of this hive key from a client, where the trust button is already pressed.
For the future, just bundle the needed registry keys with the agent installer. You can manipulate the agent installer msi file do include this trust. Just patch it using the IA config tool. See Identity Awareness Admin Guide for details.