![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
- Joined
- Aug 3, 2004
- Messages
- 23,944
Not surprising..........
Windows 11 23H2 to 25H2 Upgrade Allegedly Breaking Internet Connectivity
https://cybersecuritynews.com/windows-11-23h2-to-25h2-upgrade/A persistent bug in Windows 11 in-place upgrades is reportedly wiping critical 802.1X wired authentication configurations, leaving enterprise workstations completely offline until manual intervention is performed.
System administrators across Reddit’s r/sysadmin community are raising alarms as the issue originally observed during Windows 10-to-11 migrations has now reappeared across annual Windows 11 version upgrades, including the 23H2-to-24H2 and 23H2-to-25H2 upgrade paths.
What Is Happening
During an in-place Windows 11 upgrade, the contents of the C:\Windows\dot3svc\Policies folder that stores 802.1X wired network (LAN) authentication profiles applied via Group Policy are silently deleted.
The dot3svc service (Wired AutoConfig) relies on these policy files to authenticate machines against network switches enforcing IEEE 802.1X port-based access control.
Once the folder is wiped, the upgraded machine loses all wired network connectivity the moment it boots into the new OS version, effectively cutting it off from the corporate network.
The catch-22 nature of the bug makes it particularly damaging in enterprise environments: without network access, the machine cannot receive a fresh Group Policy push to restore its 802.1X configuration.
Administrators must physically connect the affected device to a non-802.1X-enforced switch port or network segment, manually run gpupdate /force, and then reconnect it to the secured port. Only then does the wired authentication configuration get rewritten to the dot3svc\Policies folder.
The problem is not new. Documented cases on Microsoft Q&A stretch back to Windows 10 22H2 → Windows 11 23H2 migrations, with multiple reports confirming 802.1X authentication failures immediately after upgrade completion.
However, sysadmins confirm that the same data-loss behavior is now repeating across annual Windows 11 version upgrades, meaning the issue has persisted through at least three major release transitions without an official fix from Microsoft.
In some upgrade scenarios, the problem extends beyond dot3svc policy files; in-place upgrades have also been reported to delete the machine’s computer certificate store, further compounding authentication failures for organizations relying on EAP-TLS with PKI certificates.
Available Workarounds
Sysadmins have documented several interim mitigations while awaiting an official fix:
- Backup and restore: Copy C:\Windows\dot3svc\Policies to external storage before upgrading and restoring it immediately after the new OS boots.
- Post-upgrade gpupdate: Connect the device to a non-dot1x port and run gpupdate /force /target:computer to force policy re-application.
- SetupCompleteTemplate.cmd: Inject LAN profile restoration commands into the Windows setup completion script.
- MECM task sequence step: For managed deployments, add a post-upgrade step to re-push 802.1X settings before the device rejoins the secured network.
Microsoft has not publicly acknowledged this regression as a known issue on its Windows 11 release health dashboard, and no dedicated KB article or hotfix has been issued as of this writing.
Administrators managing large fleets should audit their upgrade workflows and implement dot3svc policy backup steps before deploying Windows 11 24H2 or 25H2 at scale.
![Zarathustra[H]](/data/avatars/m/9/9298.jpg?1723407683){kind=avatar}
