Windows 11 Upgrades Breaking 802.1X: A Hidden Enterprise Risk

March 4, 2026 Faeem BLOGS, MICROSOFT 0

System administrators are sounding alarms over a persistent bug in Windows 11 in‑place upgrades that wipes critical 802.1X wired authentication configurations, leaving enterprise workstations completely offline until manual intervention is performed.

What’s Happening

  • Affected versions: Windows 11 upgrades from 23H2 → 24H2 and 23H2 → 25H2.
  • Root cause: The upgrade process deletes the contents of C:\Windows\dot3svc\Policies, which stores 802.1X LAN authentication profiles applied via Group Policy.
  • Impact:
    • Machines lose wired network connectivity immediately after reboot.
    • Without connectivity, Group Policy cannot re‑push the missing configuration.
    • In some cases, the computer certificate store is also deleted, breaking EAP‑TLS authentication.

Why It Matters

  • Catch‑22 scenario: Devices cut off from the network cannot self‑heal via Group Policy.
  • Enterprise disruption: Large fleets of workstations risk mass outages during upgrade cycles.
  • Historical issue: Documented since Windows 10 → 11 migrations, now persisting across multiple release transitions.
  • Security impact: Loss of certificates and policies undermines PKI‑based authentication, compounding downtime.

Workarounds Documented by Sysadmins

  • Backup & restore: Copy dot3svc\Policies before upgrade, restore after reboot.
  • Post‑upgrade gpupdate: Connect to a non‑802.1X port, run gpupdate /force /target:computer.
  • SetupCompleteTemplate.cmd: Inject restoration commands into Windows setup completion script.
  • MECM task sequence: Add a post‑upgrade step to re‑push 802.1X settings before rejoining the secured network.

Recommendations

  • Audit upgrade workflows: Ensure dot3svc policy backup steps are integrated.
  • Test before scale: Pilot upgrades in controlled environments to confirm authentication stability.
  • Certificate monitoring: Validate PKI stores post‑upgrade to catch silent deletions.
  • Pressure vendor: Microsoft has not acknowledged this regression; enterprises should escalate through support channels.

Final Thought

This bug highlights a critical lesson: enterprise upgrades are not just feature deployments — they are security events. For leaders, the takeaway is clear: treat OS migrations as high‑risk operations, enforce pre‑upgrade backups, and demand transparency from vendors when regressions persist across multiple release cycles.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.