Fixing ERROR_IPSEC_DEFAULT_QM_POLICY_NOT_FOUND (0x000032D7)
This error pops up when Windows can't find the default quick mode policy for IPsec. It usually hits after a security policy change or a botched group policy update.
You'll see ERROR_IPSEC_DEFAULT_QM_POLICY_NOT_FOUND (0x000032D7, decimal 13015, "The specified default quick mode policy was not found") when an application or service tries to establish an IPsec connection and Windows can't locate the default quick mode (QM) policy. This usually happens after you've manually edited IPsec policies via secpol.msc, applied a domain group policy that got corrupted mid-deployment, or run a third-party VPN client that overwrites the local IPsec store. The error appears in Event Viewer under System with source IPsec; the event ID varies by Windows version. I've seen this most often on Windows 10 22H2 and Windows Server 2019 after someone accidentally deleted the default QM policy while cleaning up old rules.
What's actually happening here is that Windows requires a default quick mode policy to define the encryption and integrity algorithms offered during IKE phase 2 (quick mode), for example AES-128 for encryption and HMAC-SHA1 for integrity. Without it, the quick mode negotiation cannot produce the security association (SA) that actually protects traffic, and the connection fails with this error. The OS doesn't rebuild this policy automatically. If it's gone, you're stuck until you recreate it.
Root cause
The default quick mode policy lives in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\QuickMode. When this key is missing or empty, Windows throws 0x000032D7. The reason step 3 works is that it rebuilds that exact registry key with the default values Windows originally shipped with. Before relying on that path on your own build, export the same key from a healthy machine of the same version and compare; the layout a working install actually has is the one to trust. Group Policy cleanups often remove this key because admins forget that quick mode (IKE phase 2, the SAs that protect traffic) is a separate policy from main mode (IKE phase 1, the authenticated IKE SA), so a cleanup that only meant to touch main mode takes the quick mode policy with it.
Fix: Restore the default quick mode policy
1. Open an elevated Command Prompt
Press Win + X, select Command Prompt (Admin) or Windows Terminal (Admin). You need admin rights to edit the IPsec store.
2. Check if the default QM policy exists
netsh ipsec static show policy name="Quick Mode"
If it returns "The system cannot find the file specified" or "Policy not found," that confirms the policy is missing. If you see a policy listed but get the error anyway, skip to step 4.
3. Create the default quick mode policy from a known-good template
The fastest way is to import a default policy using a .reg file. Here is the registry export the fix uses for the default policy (presented as taken from a clean Windows install). Before merging it, export the same key from a healthy machine of the same build and diff the two: a .reg merge creates whatever keys it is given, whether or not the IPsec store reads them, so the healthy machine's export wins if the layouts differ.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\QuickMode\{6E0206F3-4B7A-4B6D-8A5B-6B2B3C6C6D9D}]
"Name"="Quick Mode"
"Description"="Default Quick Mode Policy"
"Version"=dword:00000001
"Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\QuickMode\{6E0206F3-4B7A-4B6D-8A5B-6B2B3C6C6D9D}\Negotiation\0]
"Type"=dword:00000001
"QMOfferCount"=dword:00000001
"SoftSATimeout"=dword:0000003c
"PFSGroup"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\QuickMode\{6E0206F3-4B7A-4B6D-8A5B-6B2B3C6C6D9D}\Negotiation\0\Offers\0]
"EncryptionAlgorithm"=dword:00000001
"HashAlgorithm"=dword:00000001
"KeyLifetime"=dword:00000708
"KeyLifetimeBytes"=dword:00000000
Save that as restore_qm.reg and double-click to merge it. This recreates the default QM policy with AES-128 (EncryptionAlgorithm=1) and SHA-1 (HashAlgorithm=1), a key lifetime of 0x708 = 1800 seconds and no PFS. Yes, SHA-1 is old, but that's what Windows expects for the default. HMAC-SHA1 as an IPsec integrity algorithm is not affected by the SHA-1 collision attacks, but it is deprecated; once connectivity is back, define a stricter policy (SHA-256 or AES-GCM) rather than leaving the restored default in place.
4. If the registry key exists but the error persists
You likely have a corrupted policy: the GUID in the registry doesn't match what Windows expects. Record what is in the legacy store first (netsh ipsec static show all), then export it, wipe it and import it back:
netsh ipsec static exportpolicy file="%TEMP%\ipsec_backup.ipsec"
netsh ipsec static delete all
netsh ipsec static importpolicy file="%TEMP%\ipsec_backup.ipsec"
The first command is your backup; delete all removes every local policy, filter list and filter action. The export/import cycle forces Windows to re-register every policy GUID. If the export itself fails, or the re-import brings the error straight back (the backup contains the corrupt policy), run delete all on its own and recreate your custom policies by hand.
5. Restart the IPsec service
net stop PolicyAgent
net start PolicyAgent
Or use services.msc to restart IPsec Policy Agent. Without this restart, the registry change won't be picked up. Expect existing IPsec-protected connections to reset when the service restarts.
6. Verify the fix
netsh ipsec static show policy name="Quick Mode"
You should see the policy listed with at least one negotiation offer. If not, reboot the machine; some GPO-related policies only apply at boot time.
What if it still fails?
If the error comes back after a reboot, group policy is probably overwriting your local policy. Run gpresult /h gp.html from an elevated prompt (computer-scope settings are only included when elevated) and look for IPsec-related settings. A common mistake is having a domain GPO that defines a quick mode policy with an empty negotiation set: delete that GPO entry or define a real policy in the GPO. Also check HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\QuickMode for duplicate GUID entries (export the key and count the subkeys). More than one means a merge conflict between local and domain policies. Export the key first, delete all but the default one, then run gpupdate /force. Keep in mind that netsh ipsec static and secpol.msc manage the legacy IPsec policy store; on Vista and later the firewall keeps its own IPsec defaults and connection security rules under Windows Defender Firewall with Advanced Security (Customize IPsec Defaults), so if the legacy store looks healthy, check the quick mode (data protection) settings there as well.
One more thing: if you're on Windows 11 23H2 or Server 2022, the registry path changed slightly; it's reported to be under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\IPsec\Policy\Local\QuickMode after an update. Confirm which path actually exists on your build with reg query before merging anything (a .reg file merged into a path the build doesn't use creates dead keys and fixes nothing), and adjust the .reg file path accordingly.
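As an added example (not code from the original page), here is the procedure above as one PowerShell script: it backs up both the registry key and the legacy netsh policy store, reports whether the quick mode key exists and whether each policy under it carries at least one offer, flags duplicate GUIDs as the troubleshooting section describes, optionally restarts the IPsec Policy Agent, and re-runs the netsh check. It does not write the policy itself; merge the step-3 template between a first run and a second run with -Restart. The registry path is the Windows 10 / Server 2019 path the page gives and is a parameter so the other path can be substituted; the backup directory, parameter names and output wording are my own.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not from the original page. Backs up the IPsec policy store,
  checks the default quick mode key that the fix targets, optionally restarts
  the IPsec Policy Agent, and verifies with netsh. It does not write the
  policy; merge the step-3 .reg template between a first run and a run
  with -Restart.
  Assumption: -QuickModeKey defaults to the Windows 10 / Server 2019 path the
  page gives; pass the other path on builds that use it.
#>
[CmdletBinding()]
param(
    [string]$QuickModeKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\QuickMode',
    [string]$BackupDir    = (Join-Path $env:TEMP 'ipsec-backup'),
    [switch]$Restart
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Back up before touching anything: the parent registry key (reg.exe) and the
#    legacy policy store (netsh). reg.exe exits non-zero if the key is absent,
#    which is itself a finding, so it is reported rather than treated as fatal.
$parent   = Split-Path -Path $QuickModeKey -Parent        # ...\IPSec\Policy\Local
$regBak   = Join-Path $BackupDir "ipsec-local-$stamp.reg"
$ipsecBak = Join-Path $BackupDir "ipsec-$stamp.ipsec"
& reg.exe export $parent $regBak /y | Out-Null
if ($LASTEXITCODE -eq 0) { Write-Host "Registry backup: $regBak" }
else { Write-Warning "reg.exe could not export $parent (key missing?)" }
& netsh ipsec static exportpolicy "file=$ipsecBak" | Out-Null

# 2. Does the quick mode key exist, and does each policy under it carry at
#    least one offer? An empty negotiation set is the failure mode the
#    troubleshooting section describes; more than one GUID is the merge conflict.
$psKey = $QuickModeKey -replace '^HKLM\\', 'HKLM:\'
if (-not (Test-Path -Path $psKey)) {
    Write-Warning "$QuickModeKey is missing: consistent with 0x000032D7. Merge the template, then rerun with -Restart."
} else {
    $policies = @(Get-ChildItem -Path $psKey)
    Write-Host ("Quick mode policy subkeys under {0}: {1}" -f $QuickModeKey, $policies.Count)
    foreach ($p in $policies) {
        $name   = (Get-ItemProperty -Path $p.PSPath -ErrorAction SilentlyContinue).Name
        $offers = @(Get-ChildItem -Path $p.PSPath -Recurse | Where-Object { $_.PSParentPath -match '\\Offers$' })
        Write-Host ("  {0}  Name='{1}'  offers={2}" -f $p.PSChildName, $name, $offers.Count)
        if ($offers.Count -eq 0) { Write-Warning "  $($p.PSChildName) has no offers (empty negotiation set)" }
    }
    if ($policies.Count -gt 1) {
        Write-Warning 'More than one policy GUID: likely a local/domain merge conflict. The key is backed up above; delete extras only after comparing.'
    }
}

# 3. Optionally restart the IPsec Policy Agent so the store is re-read. Active
#    IPsec-protected connections can reset when this happens.
if ($Restart) {
    Restart-Service -Name PolicyAgent -Force -ErrorAction Stop
    (Get-Service -Name PolicyAgent).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# 4. Verify the way the fix does (legacy netsh context), then cross-check the
#    firewall-managed quick mode crypto sets (Windows 8 / Server 2012 and later),
#    which live in the Windows Defender Firewall with Advanced Security store,
#    not under this registry key.
$out = & netsh ipsec static show policy 'name=Quick Mode' | Out-String
if ($LASTEXITCODE -eq 0 -and $out -match 'Quick Mode') { Write-Host "netsh lists the policy:`n$out" }
else { Write-Warning "netsh did not list the policy:`n$out" }
if (Get-Command -Name Get-NetIPsecQuickModeCryptoSet -ErrorAction SilentlyContinue) {
    Get-NetIPsecQuickModeCryptoSet -PolicyStore ActiveStore |
        Select-Object -Property Name, DisplayName | Format-Table -AutoSize
}
```

Run it once without -Restart to get the backups and the diagnosis, merge the .reg template if the key is missing, then run it again with -Restart. The script never deletes registry subkeys; the duplicate-GUID warning is deliberately left as a manual step because the wrong deletion is what caused the error in the first place.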