Office Standard 2019 MAK Activation Failure (0x80072F8F) in Restricted Enterprise Environment

REYHAN ABBY WAHYU IBRAHIM 0 Reputation points
2026-06-12T07:49:13.21+00:00

Hello Microsoft Support Team,

I am troubleshooting a Microsoft Office Standard 2019 MAK activation issue and would like to request technical guidance regarding the required network connectivity for Office activation and license validation.

Environment

Product: Microsoft Office Standard 2019

License: Office19Standard2019VL_MAK_AE

Activation Type: MAK

Operating System: Windows Server 2022 Standard (Build 20348)

Network Environment

The server is located within a government/enterprise environment where internet access is strictly controlled by the Information Security (CISO) team.

Current network conditions:

Internet access is routed through the organization's internal network infrastructure.

Outbound internet access is restricted by security policies.

HTTPS (TCP 443) access is generally allowed only to approved destinations.

HTTP (TCP 80) internet access is restricted and generally not permitted.

Any request to open new internet destinations requires formal approval and supporting documentation from Microsoft.

Because of these restrictions, we need to identify the exact Microsoft URLs/FQDNs, ports, and network dependencies required for Office activation and certificate validation.

Error Details

Office Activation Error:

Error Code: 0x80072F8F

OSPP Status:

Error Code: 0xC004F00F

Description: The Software Licensing Service reported that the hardware ID binding is beyond the level of tolerance.

Troubleshooting Performed

Successful Tests

DNS resolution is working.

Connectivity to Microsoft Activation Service is successful.

Command:

Test-NetConnection activation.sls.microsoft.com -Port 443

Result:

TcpTestSucceeded : True

SSL certificate presented by activation.sls.microsoft.com appears valid.

Certificate Subject:

CN = activation.sls.microsoft.com

Certificate Issuer:

CN = Microsoft Secure Server CA 2011
O = Microsoft Corporation

Failed Tests

Windows Root Certificate Update fails.

Command:

certutil -generateSSTFromWU roots.sst

Result:

0x80072ee2 (ERROR_WINHTTP_TIMEOUT)

Reference URL observed:

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/

CRL validation tests fail.

Commands:

Invoke-WebRequest http://crl.microsoft.com

Invoke-WebRequest http://mscrl.microsoft.com

Result:

The underlying connection was closed: An unexpected error occurred on a receive.

Questions

Could Microsoft please clarify the following:

What are the minimum required URLs/FQDNs for:

Office Standard 2019 MAK Activation

  License Verification
  
     License Validation
     
        Certificate Trust Validation
        
           Certificate Trust List (CTL)
           
              Certificate Revocation List (CRL)
              
                 OCSP Validation
                 
                 Could Microsoft provide the official list of URLs/FQDNs that must be reachable from a restricted enterprise environment?
                 
                 Are there any official Microsoft IP ranges that can be whitelisted instead of using FQDN-based rules?
                 
                 Which TCP ports are mandatory for:
                 
                    Office MAK Activation
                    
                       License Verification
                       
                          Certificate Validation
                          
                          Can Office Standard 2019 MAK Activation fail with error 0x80072F8F when:
                          
                             activation.sls.microsoft.com is reachable via HTTPS (TCP 443),
                             
                                but CTL, CRL, or OCSP endpoints are not reachable?
                                
                                In environments where outbound HTTP (TCP 80) is blocked by security policy, can Office activation and certificate validation function entirely over HTTPS (TCP 443), or is HTTP access still required for certain Microsoft PKI services?
                                
                                If HTTP access is required, could Microsoft provide the exact URLs/FQDNs that must be allowed so that we can submit a formal exception request to our Information Security (CISO) team?
                                
                                Are there any official Microsoft documents specifically covering Office 2019 MAK activation requirements in highly restricted enterprise environments where outbound HTTP traffic is prohibited?
                                

Thank you for your assistance and guidance.

Windows for business | Windows Server | User experience | Other
0 comments No comments

3 answers

Sort by: Most helpful
  1. VPHAN 38,270 Reputation points Independent Advisor
    2026-06-20T05:29:20.15+00:00

    Hi REYHAN ABBY WAHYU IBRAHIM,

    Has your issue been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)

    VPHAN

    Was this answer helpful?

    1 person found this answer helpful.
    0 comments No comments

  2. VPHAN 38,270 Reputation points Independent Advisor
    2026-06-12T08:35:49.59+00:00

    Hi REYHAN ABBY WAHYU IBRAHIM,

    A recent hardware change, such as a virtual machine migration, triggered the need for Office MAK reactivation, but the process is failing because your strict network environment blocks outbound HTTP traffic. Microsoft's certificate validation fundamentally requires HTTP on port 80 to prevent a circular dependency loop, meaning the verification process cannot run entirely over HTTPS.

    To resolve this, you must request your security team to whitelist specific FQDNs rather than IPs due to Microsoft's dynamic network infrastructure. You need to allow HTTPS on port 443 for activation.sls.microsoft.com and HTTP on port 80 for crl.microsoft.com, mscrl.microsoft.com, and ctldl.windowsupdate.com. Once approved, use the netsh winhttp set proxy command to ensure your server's system-level background services properly route this traffic through your organization's approved web gateways.

    Hope this answer has brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

    VPHAN

    Was this answer helpful?

    1 person found this answer helpful.
    0 comments No comments

  3. AI answer

    2026-06-12T07:49:45.43+00:00

    For Office 2019 MAK activation and ongoing license validation in a restricted environment, the key requirement is outbound HTTPS access to Microsoft activation and identity endpoints, plus HTTP/HTTPS access to Microsoft PKI (CRL/CTL) endpoints used for certificate trust.

    From the provided context, the closest authoritative list of required endpoints is documented for Microsoft 365 Apps activation, but the same PKI and identity endpoints are used by perpetual Office as well. In a locked-down environment, these are the FQDNs that typically must be reachable:

    1. Core activation and Office service endpoints

    These are required for activation, subscription/license checks, and Office client connectivity:

    • activation.sls.microsoft.com
    • officecdn.microsoft.com
    • officeclient.microsoft.com
    • Office15client.microsoft.com
    • odc.officeapps.live.com
    • ols.officeapps.live.com/olsc
    • cdn.odc.officeapps.live.com
    • go.microsoft.com
    1. Identity and authentication endpoints

    These are required when activation involves Azure AD or Microsoft account sign-in (even for volume products, identity services can be involved in some scenarios):

    • login.windows.net
    • login.microsoft.com
    • login.microsoftonline.com
    • aadcdn.msauth.net
    • aadcdn.msauthimages.net
    • enterpriseregistration.windows.net
    • ajax.aspnetcdn.com
    1. PKI / certificate trust and revocation endpoints (HTTP/HTTPS)

    These are used for certificate chain building, CTL, and CRL checks for Microsoft-issued certificates, including those used by activation and identity services:

    • crl.microsoft.com
    • crl.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crl
    • crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl
    • crl.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA.crl
    • www.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA.crl

    The context explicitly calls out these PKI URLs as required for activation scenarios.

    1. Proxy / firewall considerations
    • If a proxy is used, Windows HTTP clients may need explicit proxy configuration, for example via:
        netsh winhttp set proxy <Address of your proxy server>
      
      as described in the account/subscription activation guidance.
    • Microsoft also supports using a PAC file to allow Microsoft 365/Office endpoints to bypass the proxy. See “Managing Microsoft 365 endpoints” in the context for details.
    1. IP ranges vs FQDNs

    The context points to the official reference for Microsoft 365 URLs and IP ranges:

    • “Microsoft 365 URLs and IP address ranges” (https://technet.microsoft.com/library/hh373144.aspx or the updated microsoft-365/enterprise/urls-and-ip-address-ranges article).

    That document is the authoritative source for IP ranges if IP-based whitelisting is required. It is not reproduced in the context, but it is the official Microsoft guidance referenced for firewall/proxy configuration.

    1. Ports

    From the context, activation and related services rely on:

    • TCP 443 (HTTPS): mandatory for activation endpoints and most identity services.
    • TCP 80 (HTTP): still used for some CRL/PKI endpoints (crl.microsoft.com, mscrl.microsoft.com, CTL downloads, etc.).
    1. Impact of blocking HTTP (TCP 80)

    The context shows that activation guidance for Microsoft 365 explicitly requires access to the CRL/PKI URLs listed above, many of which are HTTP URLs under crl.microsoft.com and www.microsoft.com. In practice, if CRL/CTL endpoints are unreachable, TLS certificate validation and license/activation checks can fail, even when activation.sls.microsoft.com itself is reachable over HTTPS.

    Given that:

    • Yes, activation can fail even if activation.sls.microsoft.com is reachable over HTTPS but the PKI endpoints (CRL/CTL) are blocked.
    • The error 0x80072F8F is a generic security/SSL-related error and is consistent with failures in certificate validation or time/PKI issues.
    1. Whether activation and certificate validation can work over HTTPS only

    The context does not state that all PKI traffic can be forced to HTTPS-only. It explicitly lists HTTP CRL URLs as required endpoints for activation scenarios. Therefore, based on the provided documentation:

    • Outbound HTTP (TCP 80) to the PKI/CRL URLs listed above is required for reliable certificate trust and revocation checking.
    • If HTTP is globally blocked, the CISO team must allow at least the specific PKI URLs listed in the activation guidance.
    1. Official documentation for restricted environments

    The context references the following as the official sources to support firewall/proxy exception requests:

    • “Microsoft 365 URLs and IP address ranges” – authoritative list of endpoints and IP ranges for Microsoft 365/Office services.
    • Activation troubleshooting articles for Microsoft 365 Apps that list the exact FQDNs and PKI URLs required for activation and sign-in.

    These documents are the closest official references for justifying exceptions in highly restricted enterprise environments. The context does not include a separate Office 2019–only MAK activation networking document; instead, it reuses the same endpoint lists used for Microsoft 365 Apps activation.

    Summary of what needs to be allowed (minimum, based on context):

    • TCP 443 to:
      • activation.sls.microsoft.com
      • officecdn.microsoft.com
      • officeclient.microsoft.com
      • Office15client.microsoft.com
      • odc.officeapps.live.com
      • ols.officeapps.live.com/olsc
      • cdn.odc.officeapps.live.com
      • go.microsoft.com
      • login.windows.net
      • login.microsoft.com
      • login.microsoftonline.com
      • aadcdn.msauth.net
      • aadcdn.msauthimages.net
      • enterpriseregistration.windows.net
      • ajax.aspnetcdn.com
    • TCP 80 (and/or 443 where applicable) to PKI/CRL endpoints:
      • crl.microsoft.com
      • crl.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crl
      • crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl
      • crl.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA.crl
      • www.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunicationsPCA.crl

    These lists, plus the “Microsoft 365 URLs and IP address ranges” article, can be used as the basis for the formal exception request to the CISO team.


    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.