Fix ERROR_IPSEC_MM_POLICY_IN_USE (0x000032CD) – policy in use

Windows Errors | Intermediate | Jun 7, 2026

IPsec main mode policy can't be deleted or modified because it's still assigned. The real fix is to unassign it first, then remove or edit it.

Quick answer

Use netsh ipsec static unassign policy to release the policy, then delete or change it.

Why this happens

You see 0x000032CD when you try to delete or modify an IPsec main mode policy that's currently assigned to a local or remote computer. This isn't some rare glitch — it's Windows protecting you from accidentally breaking active security rules. The error usually pops up in Group Policy management tools like Windows Defender Firewall with Advanced Security or when running netsh ipsec static delete policy on a domain controller or a standalone server. I've seen it most often on Windows Server 2016 and 2019 after someone tries to clean up old IPsec policies without checking if they're still applied.

What you'll need

  • Administrator access on the machine (or domain admin if it's a domain policy)
  • Command Prompt or PowerShell (run as admin)
  • The name of the main mode policy (you can get it via netsh ipsec static show policy)

Step-by-step fix

Step 1 – Identify the policy name

Open Command Prompt as Administrator. Run:

netsh ipsec static show policy

You'll see a list of main mode policies. Look for the one you're trying to delete. If you already know the name, skip this.

Step 2 – Check if it's assigned

Run:

netsh ipsec static show assigned

This shows which main mode policy is currently assigned. If your target policy shows up under "Main Mode", you can't touch it until you unassign it.

Step 3 – Unassign the policy

Run this command (replace PolicyName with your actual policy name):

netsh ipsec static unassign policy name=PolicyName

You should see "Unassign succeeded". If you get an access denied error, you're not running as admin, or the policy is enforced by domain GPO — you'll need to edit the GPO at the domain level instead.

Step 4 – Delete or modify the policy

Now you can delete it:

netsh ipsec static delete policy name=PolicyName

Or if you only needed to change it, use set policy instead of delete. After deletion, run netsh ipsec static show policy to confirm it's gone.

Step 5 – Re-assign if needed

If you unassigned by mistake, re-assign it with:

netsh ipsec static set policy name=PolicyName assign=yes

But if you were cleaning up, leave it unassigned.
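As an added example (not part of the original post), here is a PowerShell script that runs Steps 1 to 4 in order for one policy and only deletes once the policy is confirmed unassigned, so the 0x000032CD path is never taken. It assumes the netsh output contains the policy name verbatim and that netsh exits non-zero on failure; run it from an elevated prompt and pass -WhatIf to preview.

```powershell
# Added example (not from the original post): automates Steps 1-4 for one
# main mode policy. Assumes the netsh output contains the policy name verbatim
# and that a non-zero exit code from netsh means the subcommand failed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$PolicyName,
    [switch]$ModifyOnly   # unassign and stop; leave the policy in place for 'set policy'
)

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    $out = & netsh.exe @NetshArgs 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed:`n$out" }
    return $out
}

# Step 1: make sure the policy exists before touching anything.
$all = Invoke-Netsh @('ipsec','static','show','policy')
if ($all -notmatch [regex]::Escape($PolicyName)) {
    throw "No main mode policy named '$PolicyName' found; check 'netsh ipsec static show policy'."
}

# Step 2: deleting an assigned policy is what produces 0x000032CD, so check first.
$assigned = Invoke-Netsh @('ipsec','static','show','assigned')
if ($assigned -match [regex]::Escape($PolicyName)) {
    # Step 3: release it. A GPO-enforced policy cannot be unassigned locally; netsh
    # reports an error, Invoke-Netsh throws, and the fix is to edit the GPO instead.
    if ($PSCmdlet.ShouldProcess($PolicyName, 'Unassign IPsec policy')) {
        Invoke-Netsh @('ipsec','static','unassign','policy',"name=$PolicyName") | Write-Verbose
        Write-Host "Unassigned '$PolicyName'."
    }
} else {
    Write-Host "'$PolicyName' is not assigned; safe to delete or modify."
}

if ($ModifyOnly) { return }

# Step 4: delete, then confirm it is gone. Re-assigning (Step 5) is left manual on purpose.
if ($PSCmdlet.ShouldProcess($PolicyName, 'Delete IPsec policy')) {
    Invoke-Netsh @('ipsec','static','delete','policy',"name=$PolicyName") | Write-Verbose
    $after = Invoke-Netsh @('ipsec','static','show','policy')
    if ($after -match [regex]::Escape($PolicyName)) {
        Write-Warning "'$PolicyName' still listed after delete; check Event Viewer (System log) for IPsec events."
    } else {
        Write-Host "Deleted '$PolicyName'."
    }
}
```

The name match is a plain substring test, so a policy named "Server" would also match "Server2"; tighten the pattern if your policy names share prefixes.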

Alternative fixes

Use Windows Firewall snap-in

If you prefer GUI, open Windows Defender Firewall with Advanced Security (run wf.msc), go to Connection Security Rules. Right-click any rule using that policy and disable or delete it. Then go to IPsec Settings > IPsec Policies in the local group policy editor and remove the policy from the assigned list. But honestly, the command line is faster and less clicky.

Domain GPO case

If the policy comes from a domain Group Policy Object, you can't unassign it locally. You have to edit the GPO from a domain controller. Go to Group Policy Management Console, find the GPO, edit it under Computer Configuration > Windows Settings > Security Settings > IPsec Policies. Unassign or delete the policy there, then run gpupdate /force on the affected machines.

Force delete via registry (last resort)

If netsh refuses because the policy is stubborn, you can delete the IPsec policy registry keys. Back up the key first. Navigate to:

HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\(policy GUID)

Delete the GUID subkey corresponding to your policy. Then restart the IPsec service (net stop PolicyAgent && net start PolicyAgent). This is risky — you can break other policies if you delete the wrong one. Only do this if you're sure what you're deleting.

Prevention tip

Always check assigned policies before making changes. Make it a habit: before you delete any IPsec policy, run netsh ipsec static show assigned. If it's assigned, unassign first. This saves you the 0x000032CD headache. Also, document your policies — naming them with a date or purpose helps you avoid confusion later.

If you're still stuck after these steps, check Event Viewer under Windows Logs > System for IPsec-related events around the time of the error. They often give you the policy GUID, which you can cross-check with netsh output.
