0x000032CC: IPsec main mode policy not found — fix it
Windows can't find the IPsec main mode policy when trying to establish a secure connection. This usually happens after a group policy update or manual IPsec rule change.
What's happening here
Error 0x000032CC shows up when Windows tries to apply an IPsec main mode policy — the rules that define how two machines authenticate before exchanging data — but the policy is missing or corrupted. You'll see this in the System event log, in VPN connection attempts, or when a Windows Firewall with Advanced Security rule tries to enforce IPsec and can't find its matching policy.
I've seen this most often on Windows 10 21H2+ and Windows Server 2019/2022 after a group policy update that partially failed, or after someone manually deleted IPsec rules without cleaning up the policy store. The error's not dangerous — your machine still works — but any service depending on that IPsec connection will fail until you fix the policy.
Let's walk through the fixes. Start with the first one. Stop when the error's gone.
Fix 1: Force a group policy refresh (30 seconds)
If the error appeared right after a domain login or a gpupdate, the policy might just be in a half-applied state. Force Windows to re-read and re-apply everything.
- Open Command Prompt as Administrator.
- Run:
gpupdate /force
- Wait for it to finish. You'll see "Computer Policy update has completed successfully."
- Reboot. This isn't optional — some IPsec policies only activate on boot.
Why this works: gpupdate /force deletes the local policy cache and re-downloads from the domain controller. If the original push was interrupted (network blip, DC timeout), the full re-sync fixes it. If you're not on a domain, skip this fix — it won't help.
Fix 2: Reset the IPsec policy store (5 minutes)
The first fix didn't work? Then the local IPsec policy database — stored in the registry and in %systemroot%\security\local — is probably inconsistent. The cleanest way to fix it without nuking everything is to reset the store using netsh.
- Open PowerShell as Administrator.
- Export your current rules first (you'll thank me later):
netsh ipsec static exportpolicy file="C:\ipsec-backup.ipsec"
- Reset the store:
netsh ipsec static delete all
- Reboot.
After reboot, check whether the error is gone. If your machine needs specific IPsec rules (for example for an L2TP VPN or DirectAccess), re-import the backup with netsh ipsec static importpolicy file="C:\ipsec-backup.ipsec", but only once you've confirmed the error doesn't return on its own. What's actually happening here: the store reset deletes every main mode policy, quick mode policy, and security association in the local store, and the database is rebuilt from scratch. The error comes from a policy entry that exists in the rule reference but not in the actual policy table; resetting removes the ghost entry.
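As an added example (not from the original article), here is a PowerShell wrapper around the Fix 2 commands that refuses to clear the store until the export has produced a non-empty backup file. The backup directory, the function names and the -WhatIf dry run are assumptions; the two netsh commands are the ones used above.

```powershell
# Added example, not from the original article. Wraps the Fix 2 commands so the
# store is only cleared after a verified backup. Backup directory is an assumption.
#Requires -RunAsAdministrator

function Backup-IpsecStore {
    param([string]$BackupDir = 'C:\ipsec-backups')   # assumed location
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ("ipsec-{0}.ipsec" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

    # Same export the article uses; netsh returns a non-zero exit code on failure.
    & netsh ipsec static exportpolicy "file=$file" | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file) -or (Get-Item $file).Length -eq 0) {
        throw "IPsec policy export failed or wrote an empty file: $file"
    }
    return $file
}

function Reset-IpsecStore {
    # SupportsShouldProcess gives -WhatIf/-Confirm so the delete is never silent.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    $backup = Backup-IpsecStore
    if ($PSCmdlet.ShouldProcess('local IPsec policy store', "delete all policies (backup: $backup)")) {
        & netsh ipsec static delete all | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'netsh ipsec static delete all failed' }
        Write-Host "Store cleared. Backup: $backup. Reboot, then re-import only if the error stays gone."
    }
}

# Reset-IpsecStore -WhatIf   # dry run; drop -WhatIf to perform the reset
```

Run it once with -WhatIf to see the backup path and the action it would take; without -WhatIf the High confirm impact still prompts before the store is touched. If the error comes back after the reboot, the backup file is what you feed to netsh ipsec static importpolicy.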
Fix 3: Delete and re-create the specific IPsec policy (15+ minutes)
You're here because the error persists after a reset. This means the policy is referenced by a firewall rule, a VPN connection, or a service that's re-creating the bad entry on boot. We need to find the exact policy name and rebuild it manually.
Step 3a: Find the policy name
Check the System event log. Open Event Viewer, navigate to Windows Logs > System, and filter for source "IPsec" or event ID 4290. The error message usually includes the policy name as a GUID or a string. Write it down.
If the event log doesn't help, list all policies: netsh ipsec static show policy all. Look for a policy that's listed but has an empty description or an odd status. That's your culprit.
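As an added example (not from the original article), a PowerShell helper for Step 3a that pulls recent System-log entries mentioning the error code and then lists main mode policies from both places Windows keeps them: the legacy store that netsh ipsec static manages, and the Windows Firewall with Advanced Security main mode rules (Get-NetIPsecMainModeRule from the NetSecurity module). The seven-day window and the function names are assumptions.

```powershell
# Added example, not from the original article: find recent log entries for the
# error code and show main mode policies from both stores. Day window is an assumption.
function Find-IpsecPolicyErrors {
    param([int]$Days = 7)   # assumed look-back window
    $since = (Get-Date).AddDays(-$Days)
    # Filter on the message text rather than a provider name, which varies by build.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x000032CC|main mode' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Show-MainModePolicies {
    # Legacy IPsec policy store (what netsh ipsec static manages).
    Write-Host '--- netsh ipsec static policies ---'
    & netsh ipsec static show policy all

    # Windows Firewall with Advanced Security keeps its main mode rules separately.
    Write-Host '--- Windows Firewall main mode rules (persistent store) ---'
    Get-NetIPsecMainModeRule -PolicyStore PersistentStore -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Name, Enabled, PrimaryStatus, Description |
        Format-Table -AutoSize
}

Find-IpsecPolicyErrors | Format-List
Show-MainModePolicies
```

The event output gives you the policy name or GUID to write down; in the two listings, an entry with an empty Description or a status that doesn't match its neighbours is the one to carry into Step 3b.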
Step 3b: Delete the corrupted policy
Once you have the name: netsh ipsec static delete policy name="YourPolicyName". If the name is a GUID, wrap it in quotes as well.
Step 3c: Rebuild it manually (or from backup)
If you know the settings (authentication method, encryption algorithm, DH group), create a new policy:
netsh ipsec static add policy name="YourPolicyName" description="Recreated policy for IPsec"
netsh ipsec static add filteraction name="MyFilterAction" action=negotiate
netsh ipsec static add filterlist name="MyFilterList"
netsh ipsec static add filter filterlist="MyFilterList" srcaddr=any dstaddr=any protocol=any
netsh ipsec static add rule name="MyRule" policy="YourPolicyName" filterlist="MyFilterList" filteraction="MyFilterAction"
But the real fix, the one that works when nothing else does, is to delete the IPsec policy registry key entirely. Open Regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec. Export the key first, then delete it and reboot. Windows recreates it cleanly on the next boot. The reason this works is that the registry key can hold orphaned policy references that the netsh store reset in Fix 2 won't touch, especially if a group policy deployment left a half-written entry.
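As an added example (not from the original article), a PowerShell version of the export-then-delete step above that will not remove the key unless reg.exe has written a .reg backup it can find. The key path is the one named in this article; the backup directory, function names and -WhatIf dry run are assumptions.

```powershell
# Added example, not from the original article: export the key from Step 3c before
# deleting it, and refuse to delete without a verified .reg backup. Backup path is an assumption.
#Requires -RunAsAdministrator

function Backup-IpsecPolicyKey {
    param([string]$BackupDir = 'C:\ipsec-backups')   # assumed location
    $regPath = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec'   # key named in the article (reg.exe form)
    $psPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec'  # same key via the PowerShell drive
    if (-not (Test-Path $psPath)) { Write-Warning "Key not present: $regPath"; return $null }

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ("ipsec-policy-key-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & reg.exe export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) { throw "reg export failed for $regPath" }

    # Report how much is under the key so the operator sees what the delete will remove.
    $subkeys = (Get-ChildItem $psPath -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
    Write-Host "Exported $regPath ($subkeys subkeys) to $file"
    return $file
}

function Remove-IpsecPolicyKey {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    $backup = Backup-IpsecPolicyKey
    if (-not $backup) { return }   # key absent, nothing to delete
    if ($PSCmdlet.ShouldProcess('HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec', "delete key (backup: $backup)")) {
        Remove-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec' -Recurse -Force
        Write-Host 'Key removed. Reboot so Windows recreates it.'
    }
}

# Remove-IpsecPolicyKey -WhatIf   # dry run first; drop -WhatIf to delete
```

If the machine misbehaves after the reboot, reg.exe import with the backup file puts the key back exactly as it was exported.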
When to give up and re-image
If you've done all three fixes and the error keeps coming back, check if the machine is infected with malware that intentionally corrupts security policies (I've seen this twice in the field). Run a full offline Defender scan. Still broken? The IPsec stack itself might be damaged — that's a Windows repair install or re-image situation. Rare, but it happens.
Prevention
Never delete IPsec rules by hand from the GUI; use netsh or the IP Security Policy snap-in instead. The GUI hides the main mode policy store, so deleting a quick mode rule there can leave a dangling main mode reference that triggers this error later. Use netsh ipsec static delete policy instead.