0X00003635

ERROR_IPSEC_IKE_RPC_DELETE (0X00003635) Fix Flow

Server & Cloud Intermediate 👁 1 views 📅 May 28, 2026

IPsec policy deleted remotely via RPC. Usually a group policy or management tool trigger. Fix in under 15 minutes.

First: What Actually Triggers This Error

This error code (0X00003635) pops up in Windows Event Log under RAS/Remote Access Service or IPsec IKE sources. It means something — a management tool, a script, or a Group Policy update — sent an RPC command that deleted an IPsec policy. I’ve seen it most often on Windows Server 2019 and 2022 boxes running VPN or DirectAccess. Had a client last month whose entire print queue died because of this — but the real culprit was a forgotten scheduled task that ran a PowerShell script to "clean up" old policies on every boot.

Start with the simplest fix. If it doesn’t work, move to the next. Stop when the error stops showing.

Fix 1 (30 seconds): Check for Active Management Tools Running Right Now

Open Event Viewer (eventvwr.msc) and look under Windows Logs > System. Filter for Event ID 0X00003635. Note the exact time stamp. Then open Task Manager and look for any of these processes:

  • mobsync.exe (Microsoft Sync Center — rarely needed)
  • vpnclient.exe (third-party VPN tools like Cisco AnyConnect)
  • powershell.exe or cmd.exe in the background
  • Any remote management tool like ServerManager.exe or mmc.exe with IPsec snap-in

If you spot one, right-click it and End Task. Then check if the error stops. I had a case where a schtasks.exe running a PowerShell command every minute was deleting policies. Killing the task fixed it immediately.

Fix 2 (5 minutes): Disable Conflicting Group Policy Objects

If killing rogue processes didn’t work, the next suspect is Group Policy. Many admins push IPsec policies through GPO, but a misconfigured or overlapping GPO can cause RPC delete events.

  1. Open Group Policy Management Console (gpmc.msc).
  2. Run rsop.msc (Resultant Set of Policy) to see which policies apply IPsec settings.
  3. Look for GPOs that have IP Security Policies under Computer Configuration > Windows Settings > Security Settings.
  4. If you see one, right-click the GPO and Edit. Navigate to the IPsec policy node and check if it’s set to No Override or Merge. If it’s set to Replace, that’s your problem — it deletes existing policies via RPC every time it applies.
  5. Change it to Merge or simply disable the policy temporarily to test.

After changing, run gpupdate /force from an elevated command prompt. Reboot if you’re in a hurry — I’ve seen it take two refreshes to stop.

Fix 3 (15+ minutes): Audit Scheduled Tasks and PowerShell Scripts

When the error persists, it’s almost always a scheduled task or startup script. Here’s the drill:

  1. Open Task Scheduler (taskschd.msc).
  2. Look under Task Scheduler Library for tasks with triggers like At startup or On a schedule that run PowerShell or netsh commands.
  3. Double-click any suspicious task. Check the Actions tab. If you see something like powershell.exe with arguments containing netsh ipsec or Remove-IpsecPolicy, disable the task immediately.
  4. Also check C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup for any VBS or PowerShell files that modify IPsec.

One real scenario: a client had a startup script that ran netsh ipsec static delete policy name="VPN Policy" — they’d copied it from a forum to "reset" IPsec on boot. But it triggered the RPC delete every time. Removing the script line fixed it.

Fix 4 (if nothing else works): Restore IPsec Policies from Backup

If you have a backup of your IPsec policies (you *do* have one, right?), restore them. If not, you can recreate them manually or use the default policy set. On Windows Server 2019/2022, open Windows Defender Firewall with Advanced Security (wf.msc), go to Properties, and under IPsec Settings, click Customize and reset to defaults. Then run gpupdate /force and reboot.

If you’re still stuck, check third-party VPN clients. I’ve seen Cisco AnyConnect cause this error when it unloads policies during disconnect. Uninstall the client, reboot, and reinstall the latest version.

Quick tip: Use wevtutil qe System /q:"*[System[(EventID=0)]" /c:5 /f:text (replace 0 with error code ID) to dump recent events without clicking through GUI.

When All Else Fails

Disable IPsec policy push from GPO entirely. Set the policy to Not Configured in GPMC, run gpupdate /force, and reboot. This stops the RPC delete from happening. Then manually configure IPsec on each server if needed. Not ideal, but it stops the error dead.

I’ve seen this error on Server 2016, 2019, and 2022 — it’s almost never a hardware issue. It’s always something managing IPsec behind your back. Rule out tools, GPOs, and scripts. You’ll find it.

Was this solution helpful?

ERROR_IPSEC_IKE_RPC_DELETE 0X00003635 IPsec policy deleted RPC call IPsec Windows Server IPsec error VPN IPsec policy removed group policy IPsec IPsec IKE error RPC delete IPsec fix 0X00003635 IPsec troubleshooting Windows Server 2019 IPsec Server 2022 IPsec error IPsec management tool IPsec policy restore