BRC - Restored device cannot join domain (password problem)

Problem: A restored device cannot join the domain due to a password issue.

Cause: Windows requires that machine account passwords be changed every 30 days by default, and the passwords saved on the device and on the domain controller must match for a device to join a domain. If you restore (VM or BMR) a device image from an earlier date than the most recent password changes, the passwords might not match. In this case the restored device will not be allowed to join the domain.

Solution: To resolve this issue, remove the device from the domain and then rejoin. The user will need a privileged domain account to do this. 

To avoid the problem in the future, the user can increase the machine account password age or disable machine account password changes altogether, but these options have security implications and are not recommended.