Fix STATUS_FWP_DUPLICATE_KEYMOD (0xC022002B) Fast
Windows blocks a policy because it contains the same keying module twice. Usually caused by duplicate IPsec rules or corrupted Windows Filtering Platform settings.
What This Error Means
The 0xC022002B error is Windows Filtering Platform (WFP) telling you that a policy contains the same keying module twice. In plain English: you've got duplicate IPsec rules, or a corrupted WFP store that thinks you do. This shows up most often when you're trying to apply a VPN policy or set up a Windows Firewall rule on Server 2016/2019 or Windows 10/11.
Don't bother restarting the service or rebooting first — that rarely fixes it. The culprit here is almost always a rule that got duplicated during an import or a script that ran twice. Let's walk through the fixes from quickest to most thorough.
Step 1: The 30-Second Fix — Delete Duplicate IPsec Rules
Open PowerShell as admin and run this command to list IPsec rules that share a display name and keying module:
# Name is the rule's unique ID (only one per store), so duplicates show up as several Names under one DisplayName
Get-NetIPsecRule | Group-Object DisplayName, KeyModule | Where-Object {$_.Count -gt 1} |
    ForEach-Object { $_.Group | Select-Object DisplayName, KeyModule, Name }
If you see any groups with a Count greater than 1, you've got duplicates. Pick the one you don't need and delete it:
# Pass the Name (unique ID) column from the listing above, not the DisplayName
Remove-NetIPsecRule -Name 'YourDuplicateRuleName' -Confirm:$false
That's it. Check if the error is gone by trying your action again. If it's still there, move to step 2.
Step 2: The 5-Minute Fix — Reset WFP from Command Line
If deleting obvious duplicates didn't work, something's stuck in the WFP database. Use netsh wfp to reset it. This won't break your firewall rules — it just clears the internal state.
# netsh takes on/off for this option, not enabled/disabled
netsh wfp set options netevents = off
netsh wfp set options netevents = on
Wait 30 seconds, then try your operation again. If that didn't do it, you might need to force a clean reset of the IPsec driver stack:
# In PowerShell 'sc' is an alias for Set-Content, so call sc.exe explicitly.
# sc.exe stop returns before the service has finished stopping; if a start fails, wait a few seconds and retry it.
sc.exe stop IKEEXT
sc.exe stop PolicyAgent
sc.exe start PolicyAgent
sc.exe start IKEEXT
This restarts the IPsec Policy Agent (PolicyAgent) and the IKE and AuthIP IPsec Keying Modules service (IKEEXT). You'll lose active VPN connections briefly, but it's safe on a local machine. Try your action again.
Step 3: The 15+ Minute Fix — Check for Corrupted Policy Objects
Now we get into the weeds. Sometimes a policy object itself is corrupted and shows duplicate entries even though you can't see them in the GUI. Use PowerShell to inspect every IPsec policy on the machine:
# -All returns every rule in the policy store, including ones the GUI does not surface
$policies = Get-NetIPsecRule -All
foreach ($policy in $policies) {
    # Name is the unique ID; DisplayName is what the GUI shows
    Write-Host "Name: $($policy.Name) - DisplayName: $($policy.DisplayName) - KeyModule: $($policy.KeyModule)"
}
Look for any display name that appears more than once with the same KeyModule value ('AuthIP', 'IKEv1' or 'IKEv2'). If you find a hidden duplicate, remove it by its Name (the unique ID):
Remove-NetIPsecRule -Name 'HiddenDuplicateName' -Confirm:$false
Still no luck? You might have a registry-level corruption. Open regedit and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\
Look for any subkey that contains 'Duplicate' or has a weird name. Back up the entire key first — right-click, Export. Then delete the suspicious subkey. Reboot the machine.
When All Else Fails — Export and Rebuild the Firewall Rules
This is the nuclear option. Export all your firewall rules, then reset the WFP store completely.
# Export current rules (netsh will not create the folder for you)
New-Item -ItemType Directory -Path 'C:\backup' -Force | Out-Null
netsh advfirewall export "C:\backup\firewall-rules.wfw"
# Reset WFP store
netsh wfp reset
# Reboot
Restart-Computer -Force
After reboot, re-import your rules:
netsh advfirewall import "C:\backup\firewall-rules.wfw"
This wipes out all WFP state and rebuilds it from scratch. If this doesn't fix 0xC022002B, you're looking at a deeper OS corruption — run SFC /SCANNOW and DISM /Online /Cleanup-Image /RestoreHealth.
Preventing This in the Future
Simple rule: never run IPsec rule import scripts more than once without checking for existing rules. Use Get-NetIPsecRule before importing to see what's already there. Also avoid mixing GUI and PowerShell for IPsec — they handle deduplication differently and can create hidden duplicates.
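A script that automates the duplicate check from Step 1 and the "check before you import" advice above, added here as an example (not code from the original article). It assumes the built-in NetSecurity cmdlets; the rule name and parameters in the last line are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Uses the built-in NetSecurity
# cmdlets; 'Example VPN rule' and the splatted parameters are placeholders.

function Remove-DuplicateIPsecRule {
    # Groups rules by DisplayName + KeyModule, keeps the first rule of each
    # group and removes the rest. Supports -WhatIf so you can preview first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$PolicyStore = 'PersistentStore',
        [string]$BackupPath  = "$env:TEMP\ipsec-rules-backup.xml"
    )
    $rules = @(Get-NetIPsecRule -PolicyStore $PolicyStore -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) { return 0 }
    # Keep a restorable copy of every rule before deleting anything.
    $rules | Export-Clixml -Path $BackupPath
    # Name is the unique rule ID (one per store); DisplayName is what the GUI
    # shows, so a duplicate is several Names under one DisplayName/KeyModule.
    $dupes = @($rules | Group-Object DisplayName, KeyModule |
                        Where-Object { $_.Count -gt 1 })
    foreach ($group in $dupes) {
        foreach ($rule in ($group.Group | Select-Object -Skip 1)) {
            $target = "$($rule.DisplayName) [$($rule.KeyModule)] id=$($rule.Name)"
            if ($PSCmdlet.ShouldProcess($target, 'Remove duplicate IPsec rule')) {
                Remove-NetIPsecRule -Name $rule.Name -PolicyStore $PolicyStore -Confirm:$false
            }
        }
    }
    return $dupes.Count   # number of duplicate groups found
}

function New-IPsecRuleIfMissing {
    # Idempotent create for import scripts: a second run cannot duplicate a rule
    # because it checks DisplayName first (the prevention advice above).
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][hashtable]$RuleParams   # splatted into New-NetIPsecRule
    )
    $existing = Get-NetIPsecRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Rule '$DisplayName' already exists; skipping."
        return $existing
    }
    return New-NetIPsecRule -DisplayName $DisplayName @RuleParams
}

# Preview first, then run again without -WhatIf to apply:
Remove-DuplicateIPsecRule -WhatIf
# New-IPsecRuleIfMissing -DisplayName 'Example VPN rule' -RuleParams @{ InboundSecurity = 'Require'; OutboundSecurity = 'Request' }
```

Because every rule is written to the backup XML before anything is removed, you can inspect the file (or re-create a rule from it) if the wrong copy of a duplicate was deleted.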
That should cover 99% of cases. You're welcome.