Windows 11 Upgrade Bug Disrupts Enterprise Network Connectivity
A persistent issue has emerged during in-place upgrades of Windows 11, particularly affecting transitions from version 23H2 to 25H2. This bug results in the deletion of critical 802.1X wired authentication configurations, leading to complete loss of network connectivity for enterprise workstations until manual intervention is performed.
Understanding the Issue
During the upgrade process, the contents of the `C:\Windows\dot3svc\Policies` folder, which stores 802.1X wired network authentication profiles applied via Group Policy, are inadvertently deleted. The `dot3svc` service, also known as Wired AutoConfig, relies on these policy files to authenticate machines against network switches enforcing IEEE 802.1X port-based access control. Once these files are removed, the upgraded machine loses all wired network connectivity upon booting into the new OS version, effectively isolating it from the corporate network.
Historical Context
This problem is not new. Documented cases on Microsoft’s Q&A forums date back to Windows 10 22H2 to Windows 11 23H2 migrations, with multiple reports confirming 802.1X authentication failures immediately after upgrade completion. System administrators have observed that the same data-loss behavior is now recurring across annual Windows 11 version upgrades, indicating that the issue has persisted through at least three major release transitions without an official fix from Microsoft.
Compounding Factors
In some upgrade scenarios, the problem extends beyond the deletion of dot3svc policy files. In-place upgrades have also been reported to delete the machine’s computer certificate store, further compounding authentication failures for organizations relying on EAP-TLS with PKI certificates.
Available Workarounds
System administrators have documented several interim mitigations while awaiting an official fix:
– Backup and Restore: Before upgrading, copy the `C:\Windows\dot3svc\Policies` folder to external storage and restore it immediately after the new OS boots.
– Post-Upgrade Group Policy Update: Connect the device to a non-802.1X-enforced switch port and run `gpupdate /force /target:computer` to force policy re-application.
– SetupCompleteTemplate.cmd: Inject LAN profile restoration commands into the Windows setup completion script.
– MECM Task Sequence Step: For managed deployments, add a post-upgrade step to re-push 802.1X settings before the device rejoins the secured network.
Microsoft’s Response
As of this writing, Microsoft has not publicly acknowledged this regression as a known issue on its Windows 11 release health dashboard, and no dedicated KB article or hotfix has been issued. Administrators managing large fleets should audit their upgrade workflows and implement dot3svc policy backup steps before deploying Windows 11 24H2 or 25H2 at scale.
Conclusion
The recurrence of this issue across multiple Windows 11 upgrades underscores the need for Microsoft to address the problem promptly. In the meantime, system administrators must remain vigilant and implement the available workarounds to ensure uninterrupted network connectivity during the upgrade process.
