Configuring 802.1x Authentication for Windows Deployment – Tips and Tricks

This is the Tips and Tricks section of my Configuring 802.1x Authentication for Windows Deployment series. Be sure to check out all of the other parts here.

These are just some random things I found while going through this.

File and Registry Locations

  • C:\Windows\dot3svc\Policies\*.TMP (rename the .TMP to .XML to read the applied Policy and Profile)
  • Migration Data: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc\MigrationData (see Random Things below)

Quickly Remove 802.1x Group Policy for Testing

  1. Rename the .TMP file located in C:\Windows\dot3svc\Policies to .OLD.
  2. Restart the Wired Autoconfig (dot3svc) service

That’s it. You can now configure a local 802.1x Authentication Policy. Reverse the steps to re-apply the GPO.
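The two steps above, plus a look at the Wired-AutoConfig log afterwards, as a PowerShell script. This is an added example and not code from the original post; it assumes the GPO policy lands as one or more .TMP files under C:\Windows\dot3svc\Policies as described above, and it must run from an elevated session.

```powershell
# Added example (not from the original post): toggle the GPO-delivered 802.1x
# policy for testing and watch Wired-AutoConfig confirm the change.
# Assumption: the GPO policy is the .TMP file(s) in $PolicyDir. Run elevated.

$PolicyDir = 'C:\Windows\dot3svc\Policies'
$LogName   = 'Microsoft-Windows-Wired-AutoConfig/Operational'   # the Event Viewer log named above

function Show-Dot3Events {
    # Same data as Event Viewer > Applications and Services Logs > Microsoft > Windows > Wired-AutoConfig.
    param([datetime]$Since = (Get-Date).AddMinutes(-10))
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

function Show-Dot3Policy {
    # The .TMP file is XML; read it in place instead of renaming it to .XML.
    Get-ChildItem -Path $PolicyDir -Filter '*.TMP' -ErrorAction SilentlyContinue | ForEach-Object {
        [xml]$xml = Get-Content -Path $_.FullName -Raw
        [pscustomobject]@{
            File    = $_.Name
            Root    = $xml.DocumentElement.Name
            Content = $xml.OuterXml
        }
    }
}

function Disable-Dot3Gpo {
    # Step 1: rename .TMP -> .OLD so dot3svc no longer sees the GPO policy.
    $files = Get-ChildItem -Path $PolicyDir -Filter '*.TMP' -ErrorAction SilentlyContinue
    if (-not $files) { Write-Warning 'No GPO policy (.TMP) found; nothing to disable.'; return }
    foreach ($f in $files) {
        Rename-Item -Path $f.FullName -NewName ($f.BaseName + '.OLD')
    }
    # Step 2: restart Wired AutoConfig so it re-evaluates and falls back to the local profile.
    Restart-Service -Name dot3svc -Force
    Start-Sleep -Seconds 5
    Show-Dot3Events -Since (Get-Date).AddMinutes(-1)
}

function Enable-Dot3Gpo {
    # Reverse: .OLD -> .TMP, restart the service, and the GPO policy is picked up again.
    Get-ChildItem -Path $PolicyDir -Filter '*.OLD' -ErrorAction SilentlyContinue | ForEach-Object {
        Rename-Item -Path $_.FullName -NewName ($_.BaseName + '.TMP')
    }
    Restart-Service -Name dot3svc -Force
    Start-Sleep -Seconds 5
    Show-Dot3Events -Since (Get-Date).AddMinutes(-1)
}

# Usage (dot-source the file first):
#   . .\Dot3Toggle.ps1
#   Show-Dot3Policy        # what the GPO currently pushes
#   Disable-Dot3Gpo        # test a local profile; events show the fallback
#   Enable-Dot3Gpo         # put the GPO policy back
```

Keep the window between Disable and Enable short: while the .TMP is renamed the interface is running on whatever local profile is on the machine, which is exactly the situation the Random Things section below warns about.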

Use the Event Viewer

The Windows Event Viewer has a Wired-AutoConfig log buried in the logs. Watch it as you restart dot3svc and you can see the policy or profile get applied and trigger client authentication. It can be found under Applications and Services Logs > Microsoft > Windows > Wired-AutoConfig (the channel name, for Get-WinEvent, is Microsoft-Windows-Wired-AutoConfig/Operational).

Windows 7 Has a Bug!

While this doesn’t appear to affect all of the items I’ve covered on 802.1x for OSD, I found a Windows 7 hotfix that fixes an issue where our clients attempt to authenticate with the local 802.1x profile first and then with the Group Policy profile (the local profile is user authentication, the GPO profile is computer authentication), and the machines end up locked out. You can see the sequence in the Wired-AutoConfig event log to verify it. The issue appears to go away in Windows 10 1709.
KB2481614 – the description doesn’t fully match what we are seeing, but it certainly fixes the issue.

Random Things

  • If you apply a local profile during OSD, that profile stays on the computer. If the computer ever loses its Group Policy, the LAN interface reverts to that earlier profile. If the local profile used user authentication with embedded credentials, you run the risk of locking out the account once its password has changed.
  • Post-upgrade, the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc\MigrationData registry key contains a value dot3svcMigrationDone = 1 once the 802.1x migration has completed. If that value is missing but the MigrationData folder and registry keys exist, restart dot3svc. The value should appear and the previous GPO or profile will be applied to your LAN interfaces.
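Both bullets above come down to "what 802.1x state is this machine really in?", which is easier to answer from a script than from the Event Viewer. The following is an added example, not code from the original post. It uses the registry value named above, the GPO policy file location, and `netsh lan export profile`; the assumption that the export writes the active profile of each wired interface as one XML file, and that the profile XML carries `<OneXEnabled>` and `<authMode>` elements, is mine. Run it elevated.

```powershell
# Added example (not from the original post): report the 802.1x state of a machine
# from a script. Assumptions: the MigrationData key/value named in the post, one
# XML file per wired interface from `netsh lan export profile`, and <OneXEnabled> /
# <authMode> elements in that XML. Run elevated.

$MigKey    = 'HKLM:\SOFTWARE\Microsoft\dot3svc\MigrationData'
$PolicyDir = 'C:\Windows\dot3svc\Policies'

function Test-Dot3Migration {
    # $true once dot3svcMigrationDone = 1. If the MigrationData key exists but the
    # value is missing, restart dot3svc once and re-check (the fix described above).
    # A machine that was never upgraded has no key and simply returns $false.
    if (-not (Test-Path -Path $MigKey)) { return $false }
    $done = (Get-ItemProperty -Path $MigKey -ErrorAction SilentlyContinue).dot3svcMigrationDone
    if ($done -eq 1) { return $true }
    Restart-Service -Name dot3svc -Force
    Start-Sleep -Seconds 5
    $done = (Get-ItemProperty -Path $MigKey -ErrorAction SilentlyContinue).dot3svcMigrationDone
    return ($done -eq 1)
}

function Get-Dot3InterfaceProfile {
    # Export the profile of every wired interface and pull the 802.1x settings out.
    $tmp = Join-Path $env:TEMP ('dot3-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        netsh lan export profile "folder=$tmp" | Out-Null
        foreach ($f in Get-ChildItem -Path $tmp -Filter '*.xml') {
            $x = Get-Content -Path $f.FullName -Raw
            [pscustomobject]@{
                ProfileFile = $f.BaseName
                OneXEnabled = ([regex]::Match($x, '<OneXEnabled>(\w+)</OneXEnabled>').Groups[1].Value -eq 'true')
                AuthMode    = [regex]::Match($x, '<authMode>(\w+)</authMode>').Groups[1].Value  # machine | user | machineOrUser
            }
        }
    } finally {
        Remove-Item -Path $tmp -Recurse -Force -ErrorAction SilentlyContinue
    }
}

function Test-Dot3Enforced {
    # $true only when a GPO policy file is present and every wired interface has
    # 802.1x enabled with computer authentication allowed. An AuthMode of 'user'
    # is the leftover local profile (and whatever credentials it embeds) that the
    # first bullet above warns about.
    $gpo      = [bool](Get-ChildItem -Path $PolicyDir -Filter '*.TMP' -ErrorAction SilentlyContinue)
    $profiles = @(Get-Dot3InterfaceProfile)
    if (-not $gpo -or $profiles.Count -eq 0) { return $false }
    foreach ($p in $profiles) {
        if (-not $p.OneXEnabled -or $p.AuthMode -eq 'user') { return $false }
    }
    return $true
}

# Usage: one object you can log from a task sequence step or a compliance script.
[pscustomobject]@{
    MigrationDone = Test-Dot3Migration
    GpoEnforced   = Test-Dot3Enforced
    Interfaces    = Get-Dot3InterfaceProfile
} | Format-List
```

If GpoEnforced comes back $false while MigrationDone is $true, compare the exported profile against the GPO .TMP file from the File and Registry Locations section: that is the case where the machine has quietly fallen back to the local profile.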


  • August 9, 2018 at 8:01 am

    “If you apply a local profile during OSD, that profile will stay on the computer.” Will deleting C:\Windows\dot3svc\Policies\*.TMP at the end of the Task Sequence permanently remove the local profile? I really can’t have computers reverting to this if they lose Group Policy.

    • Adam Gross
      August 9, 2018 at 1:41 pm

      No. That will delete the GPO and revert to the local profile. The trick is to make them match so that you never revert to an unsupported profile, apparently. If you delete the local profile, you will get a default profile applied, then GPO will override that, unless GPO is removed. There’s no way to NOT have a local profile as far as I can tell.

  • Mark Mears
    October 17, 2018 at 10:41 am

    If security concerns about the username and password of the ERSAdmin account are raised, the executable with account and password could be compiled from a script or source file into executable code which would obfuscate the credentials sufficiently to prevent them from being disclosed in the task sequence logs post-imaging. The MAC address could be passed as a parameter to the compiled code and used by the embedded executable to implement the whitelisting.

  • Alex Delaney
    June 10, 2019 at 7:11 am

    Would it be possible to add a section on this tips and tricks page for 802.1x and PXE? Not to explain how it’s done, since it’s something that must be configured on the network side, but rather to point people in the right direction of what would need to be done. Low Impact Mode seems to be the way to go from what I see (link for explanation below). That’s really the only thing this article is missing, honestly.

    I was able to fully configure everything and added my own auto configuration of the boot image thanks to this article. Instead of having to mount the WIM every time I make or update a boot image, my custom files are added to the WIM automatically using OSDInjection.xml and a filename of “*” with the base as the Custom folder. This article explains everything beautifully. I learned a ton and thanks so much !!!

  • Michael D
    August 24, 2020 at 4:20 pm

    Do you have any recommendations on how to simply verify that 802.1x policies have been enforced on a system, preferably via a powershell or vbs script. I suspect I would need to check for a key or GPO, but I haven’t found anything that stands out as “I am obviously configured” without going to the system and looking for that light-blue banner (which is exactly what I’m trying to eliminate).
