Firewall and proxy requirements
Allow outbound HTTPS on port443 to the required Grunt service endpoints:
api.grunt.proapi.altua.nofiles.altua.noapp.grunt.pro
443 to Microsoft services:
login.microsoftonline.comgraph.microsoft.com
Files.Read access so it can read the selected workbook range with the signed-in user’s Microsoft permissions.
Grunt uses a local browser redirect during Microsoft authentication. Security software should allow loopback traffic to
http://localhost:12345 for the sign-in flow.Endpoint allowlisting
Use your organization’s standard allowlist process for the domains above. When troubleshooting blocked license checks, sign-in, templates, SharePoint Excel refresh, or updates, start by testing endpoint reachability from affected devices.Endpoint protection considerations
Some endpoint security tools can block Grunt binaries during installation or startup. For the default per-user install, consider adding Windows Defender exclusions for the main Grunt binaries:%USERPROFILE%\AppData\Local\Programs\Grunt\<version>\PowerPoint\Grunt.PowerPoint.ComAddinNE.dll%USERPROFILE%\AppData\Local\Programs\Grunt\Updates\bin\Grunt.PowerPoint.Runner.exe%USERPROFILE%\AppData\Local\Programs\Grunt\Updates\bin\Grunt.PowerPoint.Updater.exe%USERPROFILE%\AppData\Local\Programs\Grunt\Updates\bin\Grunt.PowerPoint.Restarter.exe
Office add-in trust and certificates
Grunt registers as a COM add-in. If install or first startup fails because the Grunt certificate is not trusted, import the installer’s signer certificate for Altua As into Trusted Publishers for the affected user or machine. If Office Group Policy blocks COM add-ins, ensure the Grunt ProgID (Grunt) or CLSID ({AAF65EB4-AFBA-4B65-98AD-381C670B6461}) is not on the block list.