We recently encountered some machines running Windows Embedded with the Write Filter enabled that were losing their trust relationship with an Active Directory domain due to mismatched passwords associated with computer accounts. [more]

Cause: After 30 days (default), machine account password expires. The password is updated on the machine as well as in AD. At some point, the machine is rebooted. Since the machine is running in Read Only mode (write filter enabled), the password associated with the computer account is reverted back to the password that is stored with the image on the machine. Since that password does not match the one stored in AD (the updated password), the machine can no longer communicate with the DC and the trust is broken.

Resolution: Windows Embedded Standard (from XP forward) has the ability to retain specific registry keys across reboots. It is called the Registry Filter service (Regfilter), and it works like this: determine what you want to retain, and configure it in a specific area of the registry. The service will monitor the specified key for changes, if there are any it'll both keep them in memory and write them in a specific way to c:\regfdata. From then on, any system call to read or write to that key will instead be reading from and writing to the key in memory and in c:\regfdata. When using a prebuilt HP image, keys for the Terminal Services Client Access License (TSCAL) and Domain Secret Key (key that holds the secret password for the issue above) are already added to the regfilter registry key. This process didn’t seem to be working with the current HP image we were using. However, the most current image on HP’s site did work.