Having a problem first noticed with core 201 & 202. Have the new DNS filter turned completely off (for testing) and no URL filters set up etc. Have ATT Fiber modem in “passthru” to my IPFire router. Can get to most all websites except MS Activation Server, MS Upgrades. (As a bonus… It also seems like I had problems activating my latest version of TurboTax this spring.) I did read a post about a person having a similar problem a year or so ago that they traced down to a “certificate” problem. If I move the jumper over from my main switch (connected to IPFire router) and direct connect to back of ATT modem then works fine. So it would appear to be something in IPFire router setup.
Hello Jim
You might already be aware of the below article, nevertheless I am posting it because it contains some useful info about the Activation process dependencies
Windows activation or validation fails with error code 0x8004FE33 - Microsoft Support
The https://activation.sls.microsoft.com/ exposes a cert that is not trusted (at least a W11 25H2 with all patches applied does not trust it!). This means that whole process might fall down - unless the below verification methods (both CRL based) succeed!
Second: http traffic toward the CRL/PKI (there are 2 URI in the document) of that fake-CA might be manipulated by your Proxy - if your machine has WPAD turned on and your IPFire publishes WPAD then please turn that off. Also, if proxy is in transparent mode, turn that off, or bypass it for the src_ip of the machine that tries to perform activation
Last but not least: transparent proxy also breaks OCSP - some years ago I had to bypass the proxy toward OCSP from one major certificate issuer. I still don’t have an explanation why that OCSP traffic fails when transparent proxy is on…
I hope it helps!
late edit:
CERT from activation.sls… says this:
Critical
Is not a Certification Authority
CA Issuers: URI: http://www.microsoft.com/pkiops/certs/MicSecSerCA2011_2011-10-18.crt
CA Issuers: URI: http://crl.microsoft.com/pkiops/certs/MicSecSerCA2011_2011-10-18.crt
CRL:
URI: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
URI: http://crl.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
All over HTTP - so I would check proxy first!
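An added example, not part of the thread: a Python check that fetches the four URIs quoted in the post above over plain HTTP and reports whether each response is still a single DER-encoded object or has been replaced or altered on the path. It assumes the files are served as DER; the function names are hypothetical. Run it once behind the IPFire box and once connected directly to the modem and compare.

```python
import urllib.request

# URIs quoted in the post above (CA Issuers and CRL distribution points).
PKI_URLS = [
    "http://www.microsoft.com/pkiops/certs/MicSecSerCA2011_2011-10-18.crt",
    "http://crl.microsoft.com/pkiops/certs/MicSecSerCA2011_2011-10-18.crt",
    "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl",
    "http://crl.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl",
]

def der_sequence_ok(body):
    """True if body is exactly one DER SEQUENCE (outer shape of a cert or CRL)."""
    if len(body) < 2 or body[0] != 0x30:
        return False
    first = body[1]
    if first < 0x80:                     # short-form length
        header, length = 2, first
    else:                                # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(body) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(body[2:2 + n], "big")
    return len(body) == header + length

def classify(status, body):
    """Label one HTTP response for a .crt/.crl download."""
    if status != 200:
        return "http-error"
    if der_sequence_ok(body):
        return "ok"
    if body.lstrip()[:1] == b"<":        # HTML block/error page instead of DER
        return "replaced-by-html"
    if body[:1] == b"\x30":              # starts like DER but length does not match
        return "truncated-or-padded"
    return "not-der"

def fetch(url, timeout=10):
    """Fetch without any configured proxy, so only a transparent one can interfere."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except OSError:                      # DNS failure, timeout, reset, HTTP 4xx/5xx
        return 0, b""

if __name__ == "__main__":
    for url in PKI_URLS:
        print(f"{classify(*fetch(url)):20} {url}")
```

Anything other than "ok" on all four lines behind the router, with "ok" on the direct connection, points at the path through the router rather than at the Windows machine.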
Not running proxy
Disable IPv6 in that Windows box and give it another try.