Has your issue been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)
VPHAN
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello Microsoft Support Team,
I am troubleshooting a Microsoft Office Standard 2019 MAK activation issue and would like to request technical guidance regarding the required network connectivity for Office activation and license validation.
Product: Microsoft Office Standard 2019
License: Office19Standard2019VL_MAK_AE
Activation Type: MAK
Operating System: Windows Server 2022 Standard (Build 20348)
The server is located within a government/enterprise environment where internet access is strictly controlled by the Information Security (CISO) team.
Current network conditions:
Internet access is routed through the organization's internal network infrastructure.
Outbound internet access is restricted by security policies.
HTTPS (TCP 443) access is generally allowed only to approved destinations.
HTTP (TCP 80) internet access is restricted and generally not permitted.
Any request to open new internet destinations requires formal approval and supporting documentation from Microsoft.
Because of these restrictions, we need to identify the exact Microsoft URLs/FQDNs, ports, and network dependencies required for Office activation and certificate validation.
Office Activation Error:
Error Code: 0x80072F8F
OSPP Status:
Error Code: 0xC004F00F
Description: The Software Licensing Service reported that the hardware ID binding is beyond the level of tolerance.
DNS resolution is working.
Connectivity to Microsoft Activation Service is successful.
Command:
Test-NetConnection activation.sls.microsoft.com -Port 443
Result:
TcpTestSucceeded : True
SSL certificate presented by activation.sls.microsoft.com appears valid.
Certificate Subject:
CN = activation.sls.microsoft.com
Certificate Issuer:
CN = Microsoft Secure Server CA 2011
O = Microsoft Corporation
Windows Root Certificate Update fails.
Command:
certutil -generateSSTFromWU roots.sst
Result:
0x80072ee2 (ERROR_WINHTTP_TIMEOUT)
Reference URL observed:
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/
CRL validation tests fail.
Commands:
Invoke-WebRequest http://crl.microsoft.com
Invoke-WebRequest http://mscrl.microsoft.com
Result:
The underlying connection was closed: An unexpected error occurred on a receive.
Could Microsoft please clarify the following:
What are the minimum required URLs/FQDNs for:
Office Standard 2019 MAK Activation
License Verification
License Validation
Certificate Trust Validation
Certificate Trust List (CTL)
Certificate Revocation List (CRL)
OCSP Validation
Could Microsoft provide the official list of URLs/FQDNs that must be reachable from a restricted enterprise environment?
Are there any official Microsoft IP ranges that can be whitelisted instead of using FQDN-based rules?
Which TCP ports are mandatory for:
Office MAK Activation
License Verification
Certificate Validation
Can Office Standard 2019 MAK Activation fail with error 0x80072F8F when:
activation.sls.microsoft.com is reachable via HTTPS (TCP 443),
but CTL, CRL, or OCSP endpoints are not reachable?
In environments where outbound HTTP (TCP 80) is blocked by security policy, can Office activation and certificate validation function entirely over HTTPS (TCP 443), or is HTTP access still required for certain Microsoft PKI services?
If HTTP access is required, could Microsoft provide the exact URLs/FQDNs that must be allowed so that we can submit a formal exception request to our Information Security (CISO) team?
Are there any official Microsoft documents specifically covering Office 2019 MAK activation requirements in highly restricted enterprise environments where outbound HTTP traffic is prohibited?
Thank you for your assistance and guidance.
Has your issue been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)
VPHAN
Hi REYHAN ABBY WAHYU IBRAHIM,
A recent hardware change, such as a virtual machine migration, triggered the need for Office MAK reactivation, but the process is failing because your strict network environment blocks outbound HTTP traffic. Microsoft's certificate validation fundamentally requires HTTP on port 80 to prevent a circular dependency loop, meaning the verification process cannot run entirely over HTTPS.
To resolve this, you must request your security team to whitelist specific FQDNs rather than IPs due to Microsoft's dynamic network infrastructure. You need to allow HTTPS on port 443 for activation.sls.microsoft.com and HTTP on port 80 for crl.microsoft.com, mscrl.microsoft.com, and ctldl.windowsupdate.com. Once approved, use the netsh winhttp set proxy command to ensure your server's system-level background services properly route this traffic through your organization's approved web gateways.
Hope this answer has brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.
VPHAN
AI answer
For Office 2019 MAK activation and ongoing license validation in a restricted environment, the key requirement is outbound HTTPS access to Microsoft activation and identity endpoints, plus HTTP/HTTPS access to Microsoft PKI (CRL/CTL) endpoints used for certificate trust.
From the provided context, the closest authoritative list of required endpoints is documented for Microsoft 365 Apps activation, but the same PKI and identity endpoints are used by perpetual Office as well. In a locked-down environment, these are the FQDNs that typically must be reachable:
These are required for activation, subscription/license checks, and Office client connectivity:
activation.sls.microsoft.comofficecdn.microsoft.comofficeclient.microsoft.comOffice15client.microsoft.comodc.officeapps.live.comols.officeapps.live.com/olsccdn.odc.officeapps.live.comgo.microsoft.comThese are required when activation involves Azure AD or Microsoft account sign-in (even for volume products, identity services can be involved in some scenarios):
login.windows.netlogin.microsoft.comlogin.microsoftonline.comaadcdn.msauth.netaadcdn.msauthimages.netenterpriseregistration.windows.netajax.aspnetcdn.comThese are used for certificate chain building, CTL, and CRL checks for Microsoft-issued certificates, including those used by activation and identity services:
crl.microsoft.comcrl.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crlcrl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crlcrl.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA.crlwww.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA.crlThe context explicitly calls out these PKI URLs as required for activation scenarios.
netsh winhttp set proxy <Address of your proxy server>
as described in the account/subscription activation guidance.The context points to the official reference for Microsoft 365 URLs and IP ranges:
https://technet.microsoft.com/library/hh373144.aspx or the updated microsoft-365/enterprise/urls-and-ip-address-ranges article).That document is the authoritative source for IP ranges if IP-based whitelisting is required. It is not reproduced in the context, but it is the official Microsoft guidance referenced for firewall/proxy configuration.
From the context, activation and related services rely on:
crl.microsoft.com, mscrl.microsoft.com, CTL downloads, etc.).The context shows that activation guidance for Microsoft 365 explicitly requires access to the CRL/PKI URLs listed above, many of which are HTTP URLs under crl.microsoft.com and www.microsoft.com. In practice, if CRL/CTL endpoints are unreachable, TLS certificate validation and license/activation checks can fail, even when activation.sls.microsoft.com itself is reachable over HTTPS.
Given that:
activation.sls.microsoft.com is reachable over HTTPS but the PKI endpoints (CRL/CTL) are blocked.The context does not state that all PKI traffic can be forced to HTTPS-only. It explicitly lists HTTP CRL URLs as required endpoints for activation scenarios. Therefore, based on the provided documentation:
The context references the following as the official sources to support firewall/proxy exception requests:
These documents are the closest official references for justifying exceptions in highly restricted enterprise environments. The context does not include a separate Office 2019–only MAK activation networking document; instead, it reuses the same endpoint lists used for Microsoft 365 Apps activation.
Summary of what needs to be allowed (minimum, based on context):
activation.sls.microsoft.comofficecdn.microsoft.comofficeclient.microsoft.comOffice15client.microsoft.comodc.officeapps.live.comols.officeapps.live.com/olsccdn.odc.officeapps.live.comgo.microsoft.comlogin.windows.netlogin.microsoft.comlogin.microsoftonline.comaadcdn.msauth.netaadcdn.msauthimages.netenterpriseregistration.windows.netajax.aspnetcdn.comcrl.microsoft.comcrl.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crlcrl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crlcrl.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA.crlwww.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA.crlThese lists, plus the “Microsoft 365 URLs and IP address ranges” article, can be used as the basis for the formal exception request to the CISO team.
References: