Windows 11 Upgrades Leave 802.1X Wired Policy Missing dot3svc

Background​

What administrators are seeing​

Why that folder matters​

How the regression unfolds (technical profile)​

Typical upgrade flow and failure window​

• An IT team initiates an in-place feature update (for example, 23H2 → 25H2) via Windows Update, WSUS/MECM, or a manual installer.
• The upgrade completes and the machine boots into the updated feature release.
• At first boot the system’s network stack reports an Ethernet connection, but authentication to the switch port fails. The machine shows “no network access” and cannot reach domain controllers.
• Investigation finds C:\Windows\dot3svc\Policies either empty or missing .pol profiles that were previously pushed via Group Policy.
• Running gpupdate /force (while the machine is attached to a network path that does not require 802.1X, or via a remediation VLAN) re-pulls the policy and restores the .pol files; restarting or reinitializing dot3svc applies them. Connectivity returns.

Edge cases: certificate store and private keys​

Scope and operational risk​

Who is affected​

• Enterprises that enforce wired 802.1X at the switchport and rely on Group Policy or MDM (Intune) to deliver machine-authentication profiles.
• Laptops or desktops upgraded in-place (not freshly imaged) where the upgrade path touches dot3svc artifacts.
• Organizations using EAP-TLS (machine certificate) authentication are at higher risk because a certificate or key migration failure compounds the missing-policy problem.

Why this is dangerous at scale​

• The failure creates a classic “bootstrap” problem: an upgraded system cannot contact domain controllers to receive Group Policy, and Group Policy is the mechanism that normally restores the missing profiles.
• Large fleets upgraded en masse without mitigation planning can produce simultaneous offline endpoints that require hands-on remediation — plugging devices into non-802.1X ports or physically visiting desks to reapply policies and/or reinstall certificates.
• If machine certificates are lost or private keys become inaccessible, automated re-enrollment may be needed; this can require administrative interactions or CA-side operations, increasing remediation time and support overhead.

What the public record says (corroboration)​

• Community reports: Numerous threads on r/sysadmin, r/Intune and other forums document the missing C:\Windows\dot3svc\Policies behavior after in-place feature updates, including administrators who solved the problem by copying a saved Policies folder back into place and restarting dot3svc or by running gpupdate /force once the device was on a non-802.1X port.
• Microsoft community answers: Multiple Microsoft Q&A threads show users reporting 802.1X configuration loss after upgrades and receiving community-sourced mitigations (non-802.1X remediation port + gpupdate), but there is not yet a clear, official KB article that describes an intentional change that deletes policy files during upgrades.
• Historical support precedent: Microsoft’s older support guidance for wired 802.1X issues includes restarting the dot3svc service as a workaround for authentication failures in particular update scenarios — an acknowledged mitigation for some 802.1X failure modes, even though it does not address deleted policy files.
• Independent trade coverage: Community and trade outlets have documented similar upgrade regressions in recent Windows servicing cycles and the recurring pattern of 802.1X regressions tied to upgrades. Treat community reporting as high-quality signals but not the same as an official Microsoft patch note.

Confirmed mitigations and recommended workarounds​

Short-term, last-mile fixes (what to run when a machine is offline)​

• Attach the machine to a port that does not require 802.1X (remediation VLAN or guest VLAN).
• Log in with cached credentials (if necessary).
• Run: gpupdate /force /target:computer. Wait for Group Policy to reapply.
• If policies do not reappear, verify the presence of .pol files in C:\Windows\dot3svc\Policies and restart the Wired AutoConfig service:
• sc stop dot3svc
• sc start dot3svc
  This restart can trigger the service to pick up newly-applied policies.

Pre-upgrade controls (strongly recommended)​

• Backup the on-device Policies folder on every target before upgrade:
• mkdir D:\preupgrade\dot3svc\Policies
• xcopy C:\Windows\dot3svc\Policies D:\preupgrade\dot3svc\Policies /E /H
• If using imaging/task-sequence delivery (SCCM/MECM), insert a post-upgrade step to:
• Restore the backed-up Policies folder (if the upgrade removed it).
• Restart dot3svc.
• Run gpupdate /force.
• If you rely on Intune, consider converting the wired profile deployment from legacy GPO-delivered .pols into Intune XML-based wired profiles (or retain a script-based agent that can reapply the XML at OOBE), recognizing Intune deployments require internet reachability to work pre-login.

Deployment sequencing (pilot and phased rollout)​

• Identify a pilot group of devices (representative hardware models and images).
• Run the upgrade with the pre-upgrade backup and the post-upgrade restoration step in place.
• Validate wired authentication, certificate availability, and domain-join health for at least 48–72 hours before expanding to the next ring.
• If any pilot device shows private-key or certificate access problems, capture the machine’s event logs (WLAN-AutoConfig / Wired-AutoConfig and System/App logs) and escalate to your PKI team for re-enrollment options.

Automated remediation examples for MECM / Task Sequence​

• Copies the saved Policies folder back to C:\Windows\dot3svc\Policies.
• Runs: sc stop dot3svc && sc start dot3svc
• Runs: gpupdate /force /target:computer
  Numbered task-sequence steps make this idempotent and safe to rerun. Administrators who embedded this into task sequences report the device re-authenticates during the task sequence and becomes reachable before final user handoff. Community threads provide exemplar scripts and confirmed success in production pilots.

Hardening and preflight checklist for enterprise rollouts​

• Audit your fleet: enumerate machines that rely on wired 802.1X and identify those that use machine certificates (EAP-TLS). Prioritize these for manual staging.
• Pre-enroll a remediation VLAN or physical non-802.1X switch ports in every office and test reachability from a patched machine.
• Ensure backup and restore of C:\Windows\dot3svc\Policies (or convert to Intune-based deployment with pre-boot internet access).
• Test certificate re-enrollment processes with your CA: confirm you can programmatically revoke and reissue machine certificates if private keys fail to migrate.
• Train desk-side support and field technicians to perform the simple three-step recovery: plug into remediation port → gpupdate /force → restart dot3svc (or restore policies) and verify connectivity.

What Microsoft has and hasn’t said (and what that means)​

• Microsoft’s release-health pages and official KBs document many upgrade regressions and include known-issue rollbacks when a broad class of devices is affected. However, at the time of writing there is no single, official Microsoft KB article explicitly describing an intentional or known behavior of “feature upgrade deletes C:\Windows\dot3svc\Policies for all upgraded machines.” Community reports and Microsoft Q&A posts are the primary public evidence for this specific, repeatable upgrade migration failure. Administrators should therefore treat the condition as a serious operational regression observed in the field but not yet documented as a supported Microsoft design change with remediation steps in a KB article.
• Microsoft Q&A threads contain user reports and community replies recommending the remediation steps noted above; in some cases Microsoft community moderators have recommended using gpupdate or re-enrolling certificates. Those responses are practical but not the same as a formal engineering acknowledgement or targeted patch.

Practical playbook for IT teams (step-by-step)​

• Immediately pause any mass automated upgrade waves for endpoints that rely on wired 802.1X and machine-certificate authentication.
• Identify and tag those endpoints in SCCM/Intune so they’re excluded from auto-apply rings until mitigations are added.
• For each tagged endpoint, snapshot or copy C:\Windows\dot3svc\Policies to an external (secured) file share or USB before upgrade.
• Add a post-upgrade task to your task sequence:
• Restore Policies folder if missing.
• sc stop dot3svc
• sc start dot3svc
• gpupdate /force /target:computer
• Validate that the machine authenticates and can reach a domain controller. If the machine certificate is cannot be used, re-enroll the device certificate using your CA’s automated process or a managed script.
• After a successful pilot of at least 48–72 hours, expand the ring. Maintain a runbook for field technicians to perform quick physical remediation.

Why this keeps recurring (analysis)​

• The pattern suggests a migration/mapping bug in the upgrade process that either fails to preserve serialized dot3svc policy files or intentionally replaces them with temporary per-interface profiles that are only valid if the machine can immediately reach a policy source. In either case, the result is identical in practice: no usable local policy to complete 802.1X machine auth at first boot.
• Differences in results between fresh images and long-lived installs point to a timing/registry-migration interaction where legacy registry-to-file mappings or private-key ACLs are not migrated cleanly if the pre-upgrade patch level or imaging baseline is old. That explains why some freshly-imaged devices survive the same upgrade while older, long-lived devices lose certificates or keys. Community evidence and Microsoft Q&A reports back this interpretation; it’s consistent with historical upgrade edge cases around key migration and service dependency changes.

Risks and the path forward​

Immediate operational risk​

• If left unmitigated, enterprises risk pockets of users entirely cut off from domain services, potentially across multiple sites. Recovery is manual and time-consuming when private-key or certificate re-enrollment is required.

Strategic risk​

• This class of regression erodes confidence in “in-place” upgrades for heavily locked-down corporate estates. Organizations that can’t accept the operational risk may need to prefer staged rebuilds or reimages (where policy and certificates are enrolled post-image) until Microsoft provides a definitive fix.

What IT leaders should demand from vendors​

• Clear Microsoft engineering acknowledgement (a KB/release-health entry) describing root cause, impacted upgrade paths, and targeted fixes.
• A Known Issue Rollback or patch that preserves dot3svc policy artifacts across migrations, or a documented and supported migration path that guarantees a working temporary profile on first boot (without needing domain access).
• Tooling guidance for bulk recovery and scripting patterns that Microsoft support endorses.

Caveats and unverifiable claims​

• Some trade and blog posts have suggested that national cyber authorities (for example, CISA) have issued formal advisories about this specific dot3svc deletion behavior. At the time of publication, we could not find a CISA advisory explicitly tied to deletion of C:\Windows\dot3svc\Policies; organizations should not rely on an assumed government advisory in planning. Always validate advisory status against official agency portals. If you see a claim that “CISA has ordered mitigation,” verify via the agency’s published KEV/advisory pages.
• Community-sourced explanations that Microsoft “intentionally removed the policy files by design” are plausible (and have been reported by administrators who opened cases), but they remain contradictory to the reality that the behavior causes outages when Group Policy cannot be pulled. Until Microsoft publishes engineering intent, treat “by design” as an insufficient and operationally unacceptable explanation.

Closing assessment and recommendations​

• Pause large-scale, automated in-place feature upgrades for 802.1X-dependent endpoints until mitigations are embedded in your deployment sequence.
• Implement pre-upgrade backups of C:\Windows\dot3svc\Policies and insert a post-upgrade restoration / gpupdate / dot3svc restart step in your task-sequence.
• Establish remediation VLANs or non-802.1X ports at every site to guarantee a recovery path.
• Test certificate re-enrollment automation with your CA and include those scripts in remediation playbooks if private-key migration fails.
• Push this issue through your Microsoft support channel and request an authoritative engineering response and a supported fix or KB that eliminates manual recovery steps.