> ## Documentation Index
> Fetch the complete documentation index at: https://docs.grunt.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Network and security

> Allow required endpoints and reduce false-positive security blocks

## Firewall and proxy requirements

Allow outbound HTTPS on port `443` to the required Grunt service endpoints:

* `api.grunt.pro`
* `api.altua.no`
* `files.altua.no`
* `app.grunt.pro`

If users are behind a proxy, make sure proxy policy allows Grunt API communication. In affected environments, users may also need to enable **Use default proxy for API communication** in Grunt.

For Microsoft sign-in, SSO, and SharePoint-backed Excel refresh, also allow outbound HTTPS on port `443` to Microsoft services:

* `login.microsoftonline.com`
* `graph.microsoft.com`

SharePoint-backed Excel refresh uses Microsoft Graph from the local PowerPoint add-in. The add-in requests delegated `Files.Read` access so it can read the selected workbook range with the signed-in user's Microsoft permissions.

<Info>
  Grunt uses a local browser redirect during Microsoft authentication. Security software should allow loopback traffic to `http://localhost:12345` for the sign-in flow.
</Info>

## Endpoint allowlisting

Use your organization's standard allowlist process for the domains above.

When troubleshooting blocked license checks, sign-in, templates, SharePoint Excel refresh, or updates, start by testing endpoint reachability from affected devices.

## Endpoint protection considerations

Some endpoint security tools can block Grunt binaries during installation or startup.

For the default per-user install, consider adding Windows Defender exclusions for the main Grunt binaries:

* `%USERPROFILE%\AppData\Local\Programs\Grunt\<version>\PowerPoint\Grunt.PowerPoint.ComAddinNE.dll`
* `%USERPROFILE%\AppData\Local\Programs\Grunt\Updates\bin\Grunt.PowerPoint.Runner.exe`
* `%USERPROFILE%\AppData\Local\Programs\Grunt\Updates\bin\Grunt.PowerPoint.Updater.exe`
* `%USERPROFILE%\AppData\Local\Programs\Grunt\Updates\bin\Grunt.PowerPoint.Restarter.exe`

If needed, add targeted exclusions for approved Grunt install paths and executables according to your internal security process.

<Warning>
  Apply exclusions narrowly and only after internal security review.
</Warning>

## Office add-in trust and certificates

Grunt registers as a COM add-in.

If install or first startup fails because the Grunt certificate is not trusted, import the installer's signer certificate for **Altua As** into **Trusted Publishers** for the affected user or machine.

If Office Group Policy blocks COM add-ins, ensure the Grunt ProgID (`Grunt`) or CLSID (`{AAF65EB4-AFBA-4B65-98AD-381C670B6461}`) is not on the block list.