Automating dot3svc Service Configuration Using PowerShell

 

Managing Windows services across enterprise devices is a common administrative task, especially when enforcing network security policies. This PowerShell script provides a simple yet effective solution to control the startup behavior of the Wired AutoConfig service (dot3svc) by modifying its registry configuration.

  1. Overview of the Script

The script is designed to:

  • Enable or disable the dot3svc (Wired AutoConfig) service
  • Modify the service startup type via registry
  • Log all actions in a structured format
  • Support both installation (enable) and uninstallation (disable) scenarios

This makes it suitable for deployment through tools like SCCM, Intune, or automation pipelines.

  1. What is dot3svc?

The Wired AutoConfig (dot3svc) service is responsible for IEEE 802.1X authentication on wired Ethernet networks. It is commonly used in enterprise environments where:

  • Network access is controlled via authentication policies
  • Devices must comply with security standards before connecting
  • Certificate-based or credential-based authentication is enforced

Enabling or disabling this service directly impacts network access behavior and compliance.

  1. Logging Mechanism

The script includes a reusable logging function:

PowerShell

function Write-Log

``

Show more lines

  1. Key Features:
  • Logs are stored in:
  • C:\ProgramData\GlobalClient\LogFiles
  • Daily log file creation using date format
  • Captures:
    • Timestamp
    • Log level (INFO, WARNING, ERROR)
    • Message details

This ensures traceability and simplifies troubleshooting.

  1. Registry Configuration

The script works by modifying the following registry path:

HKLM:\SYSTEM\CurrentControlSet\Services\dot3svc

  1. Key Value:
  • Start
  1. Possible Values:
  • 2 → Automatic (service enabled)
  • 3 → Manual (service not automatically started)
  1. Install Function (Enable Service)

The Install function ensures that the dot3svc service is enabled.

  1. Behavior:
  2. Checks if the registry path exists
  3. Reads the current value of Start
  4. If already set to 2 (Automatic):
    • Logs that no action is required
  5. If not set correctly:
    • Logs existing value
    • Updates it to 2
    • Confirms successful change
  6. Outcome:

The service is configured to start automatically, ensuring wired network authentication is active.

  1. Uninstall Function (Disable Service)

The Uninstall function reverses the configuration.

  1. Behavior:
  1. Checks if the registry path exists
  2. If the value is 2 (Automatic):
    • Logs current state
    • Changes it to 3 (Manual)
  3. If already 3:
    • Logs that no change is needed
  1. Outcome:

The service is disabled from automatic startup, reducing dependency on wired authentication.

  1. Error Handling

The script validates whether the registry path exists before making changes:

PowerShell

if (Test-Path $regPath)

Show more lines

If the path is missing:

  • Logs an error message
  • Prevents execution

This adds a safety layer and avoids unintended failures.

  1. Key Design Features
  2. Idempotent Logic

The script checks the current state before making changes, ensuring:

  • No redundant updates
  • Faster execution
  • Safe repeated runs
  1. Clear Logging

Every step is recorded, making auditing and troubleshooting easy.

  1. Simple Deployment

The script can be used in:

  • SCCM applications
  • Intune remediation scripts
  • Group Policy startup scripts
  1. Use Cases

This script is particularly useful in scenarios such as:

  • Enterprise network enforcement → Enable dot3svc for 802.1X compliance
  • Troubleshooting connectivity issues → Temporarily disable service
  • Security baseline configuration → Standardize service behavior
  • Device onboarding/offboarding workflows
  1. Workflow Summary
  1. Initialize logging directory and file
  2. Read current registry value of dot3svc
  3. Run:
    • Install → Enable service (Automatic)
    • Uninstall → Disable service (Manual)
  4. Log all actions and results
  1. Benefits of This Approach
  • Consistency: Ensures uniform configuration across devices
  • Automation: Removes manual registry editing
  • Visibility: Logs provide clear insight into changes
  • Control: Easily toggle service behavior based on policy
  1. Conclusion

This script offers a lightweight and efficient approach to managing the Wired AutoConfig (dot3svc) service in enterprise environments. By combining registry-based configuration with structured logging and idempotent logic, it provides a reliable method for enforcing network policies at scale.

It’s a practical example of how PowerShell can simplify system configuration while maintaining control, transparency, and flexibility across managed devices.

 

Code:

 

function Write-log {

    param (

        [string]$Message,

        [string]$Level = "INFO"

    )

 

    $logDir = "C:\ProgramData\GlobalClient\LogFiles"

    $logFile = Join-Path $logDir "dot3svc_log_$(Get-Date -Format 'yyyyMMdd').log"

 

    if (-not (Test-Path $logDir)) {

        New-Item -Path $logDir -ItemType Directory -Force | Out-Null

    }

 

    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"

    $logEntry = "$timestamp [$Level] $Message"

 

    # Append the log entry to the file

    Add-Content -Path $logFile -Value $logEntry

}

$ddate = Get-Date

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\dot3svc"

$valueName = "Start"

$newValue = 2

$UnstallnewValue = 3

$GetRegValue = Get-ItemPropertyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\dot3svc' -Name $valueName

function Install{

if (Test-Path $regPath){

 

if ($GetRegValue -eq 2){

Write-Log -Message "Registry value is already set to $newValue."  -Level "Info"

}

else{

Write-Log -Message "Registry path is present." -Level "Info"

Write-Log -Message "Existing Registry Value is $GetRegValue." -Level "Warning"

Write-Log -Message "Changing the value to $newValue." -Level "Info"

Set-ItemProperty -Path $regPath -Name $valueName -Value $newValue

$currentValue = Get-ItemProperty -Path $regPath -Name $valueName

Write-Log -Message "Changed value to $newValue sucessfully." -Level "Info"

Exit 0

}

}

else{

Write-Log -Message "Reistry is not present. Exisitng." -Level "Error"

}

}

 

function Uninstall{

if (Test-Path $regPath){

 

if ($GetRegValue -eq 2){

Write-Log -Message "Registry path is present." -Level "Info"

Write-Log -Message "Existing Registry Value is $GetRegValue." -Level "Warning"

Write-Log -Message "Changing the value to $UnstallnewValue." -Level "Info"

Set-ItemProperty -Path $regPath -Name $valueName -Value $UnstallnewValue

$currentValue = Get-ItemProperty -Path $regPath -Name $valueName

Write-Log -Message "Changed value to $UnstallnewValue sucessfully." -Level "Info"

Exit 0

}

else{

Write-Log -Message "Registry value is already set to $UnstallnewValue."  -Level "Info"

}

}

else{

Write-Log -Message "Reistry is not present. Exisitng." -Level "Error"

}

}

 

 

By

No comments:

Post a Comment

Leave your valuable words here for improve better.

Subscribe to: Post Comments (Atom)