Firewall and proxy requirements
Allow outbound HTTPS on port 443 to the required Grunt service endpoints:
api.grunt.proapi.altua.nofiles.altua.noapp.grunt.pro
If users are behind a proxy, make sure proxy policy allows Grunt API communication. In affected environments, users may also need to enable Use default proxy for API communication in Grunt.
Endpoint allowlisting
Use your organization’s standard allowlist process for the domains above.
When troubleshooting blocked license checks, sign-in, templates, or updates, start by testing endpoint reachability from affected devices.
Endpoint protection considerations
Some endpoint security tools can block Grunt binaries during installation or startup.
For the default per-user install, consider adding Windows Defender exclusions for the main Grunt binaries:
%USERPROFILE%\AppData\Local\Programs\Grunt\<version>\PowerPoint\Grunt.PowerPoint.ComAddinNE.dll%USERPROFILE%\AppData\Local\Programs\Grunt\Updates\bin\Grunt.PowerPoint.Runner.exe%USERPROFILE%\AppData\Local\Programs\Grunt\Updates\bin\Grunt.PowerPoint.Updater.exe%USERPROFILE%\AppData\Local\Programs\Grunt\Updates\bin\Grunt.PowerPoint.Restarter.exe
If needed, add targeted exclusions for approved Grunt install paths and executables according to your internal security process.
Apply exclusions narrowly and only after internal security review.
Office add-in trust and certificates
Grunt registers as a COM add-in and does not use VSTO manifests. The previous VSTO-era fix for HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel is no longer relevant for the current .NET 9 release.
If install or first startup fails because the Grunt certificate is not trusted, import the installer’s signer certificate for Altua As into Trusted Publishers for the affected user or machine.
If Office Group Policy blocks COM add-ins, ensure the Grunt ProgID (Grunt) or CLSID ({AAF65EB4-AFBA-4B65-98AD-381C670B6461}) is not on the block list.