We have HP T520 thin clients in our environment running Windows 7 Embedded Standard. The write filter is turned on to prevent changes to the disks. After the DST time change this week, the thin clients do not apply their GPOs because the time on the client is one hour off as it first boots. It's later fixed by the NTP service, but I need the boot-time GPOs to apply every time.

I am able to temporarily remedy the problem by running these commands on the device, but of course it's all lost if the client is rebooted since the disks are not writable:
w32tm /config /update
w32tm /resync
gpupdate /force


Here's what event log shows:

Log Name:      System
Source:        NETLOGON
Date:          11/3/2015 8:58:04 AM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      THIN-0GT3.domain.com
Description:
This computer was not able to set up a secure session with a domain controller in domain DOMAINNAME due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.


Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          11/3/2015 8:58:11 AM
Event ID:      5
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      THIN-0GT3.domain.com
Description:
The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server THIN-0GT3$. This indicates that the ticket used against that server is not yet valid (in relationship to that server time).  Contact your system administrator to make sure the client and server times are in sync, and that the KDC in realm domain.com is in sync with the KDC in the client realm.


Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          11/3/2015 8:58:11 AM
Event ID:      1126
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      THIN-0GT3.domain.com
Description:
Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer because this computer's clock is not synchronized with the clock of one of the domain controllers for the domain. Because of this issue, this computer system may not be in compliance with the network administrator’s requirements, and users of this system may not be able to use some functionality on the network. Windows will periodically attempt to retry this operation, and it is possible that either this system or the domain controller will correct the time settings without intervention by an administrator, so the problem will be corrected.

If this issue persists for more than an hour, checking the local system's clock settings to ensure they are accurate and are synchronized with the clocks on the network's domain controllers is one way to resolve this problem. A network administrator may be required to resolve the issue if correcting the local time settings does not address the problem.