Microsoft Office Patch Download Failure - Proxy Issues

Microsoft Office patch downloads through ManageEngine Endpoint Central may fail if the required domains, IPs, or ports are blocked by a firewall or proxy. This causes download failures, dependency patch errors, or retries.

Cause

  • Office patches and updates are delivered via Microsoft Content Delivery Networks (CDNs).
  • Access is also required to Microsoft’s identity, authentication, and update services.
  • If these endpoints are restricted, ManageEngine cannot fetch content.

Resolution - Required Whitelist

Ports: Allow outbound TCP 443 (HTTPS) and TCP 80 (HTTP).

Best Practice: Whitelist by FQDN (domain names) rather than static IPs, because CDN IP addresses change.

ExpressRoute (ER): If your org uses ExpressRoute, endpoints marked with ER can route via ER instead of Internet.

1. Office Common + Online Apps

  • *.officeapps.live.com
  • *.online.office.com
  • office.live.com
  • *.office.com
  • *.office.net

2. Identity & Authentication

  • login.microsoftonline.com
  • login.windows.net
  • login.microsoft.com
  • graph.microsoft.com
  • graph.windows.net
  • account.activedirectory.windowsazure.com
  • *.msidentity.com
  • *.msftidentity.com
  • *.auth.microsoft.com

3. Office CDN (Content Delivery — Critical for Downloads)

  • officecdn.microsoft.com
  • officecdn.microsoft.com.edgesuite.net
  • officecdn.microsoft.com.edgekey.net
  • *.msocdn.com

4. Microsoft Update (Fallback)

  • *.update.microsoft.com
  • download.windowsupdate.com
  • *.windowsupdate.com
  • *.dl.delivery.mp.microsoft.com

5. Sample IP Ranges

Service: Office Apps & Online

IPv4 Ranges: 13.107.6.171/32, 13.107.18.15/32, 13.107.140.6/32, 52.108.0.0/14, 52.244.37.168/32

IPv6 Ranges: 2603:1006:1400::/40, 2603:1016:2400::/40, 2603:1026:2400::/40, 2603:1036:2400::/40, 2603:1046:1400::/40, 2603:1056:1400::/40, 2603:1063:2000::/38, 2620:1ec:c::15/128, 2620:1ec:8fc::6/128, 2620:1ec:a92:171/128, 2a01:111:f100:2000::a83e:3019/128, 2a01:111:f100:2002::8975:2d79/128, 2a01:111:f100:2002::8975:2da8/128, 2a01:111:f100:7000::6fdd:6cd5/128, 2a01:111:f100:a004::bfeb:88cf/128

Always check Microsoft's latest Microsoft 365 URL/IP list, since these ranges change.

Manual Troubleshooting Steps

1. Test DNS Resolution

nslookup officecdn.microsoft.com

2. Test Port Connectivity

Test-NetConnection officecdn.microsoft.com -Port 443

3. Retry in ManageEngine

Navigate: Patches → Downloaded Patches → Retry Download.

Retry the failing patch and its dependency (PatchID — 1).

4. Review Logs

Default Office Log Paths

  • System Temp logs (if ODT invoked by service account):
    • C:\Windows\Temp\OfficeSetup[<timestamp>.log]
    • C:\Users\<ServiceAccount>\AppData\Local\Temp\OfficeSetup.log

File naming convention:

<machinename><date><time>.log

Example: PDSERVER01_20250915_145530.log

5. Validate with Office Deployment Tool (Optional Deep Test)

  1. Log in to the server where ManageEngine is installed.
  2. Create a folder named "o365".
  3. Copy the XML configuration given below into a new file.
  4. Save the file as download.xml and place it inside the o365 folder.

download.xml

<Configuration>
  <Add OfficeClientEdition="64" Channel="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us"/>
    </Product>
  </Add>
  <Display AcceptEULA="TRUE"/>
</Configuration>

Run:

setup.exe /download download.xml
echo %errorlevel%

0 = Success → CDN reachable
Non-zero = Failure → review logs in %temp%
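
Steps 1 and 2 above check a single host. The following added example (not ManageEngine or Microsoft code) repeats the same DNS and TCP 443 checks for every non-wildcard FQDN listed in this article; the variable names are illustrative.

```powershell
# Added example: run the step 1 (DNS) and step 2 (TCP 443) checks for each
# non-wildcard FQDN from the whitelist in this article. Wildcard entries such
# as *.office.com cannot be resolved directly and are left out.
$endpoints = @(
    'office.live.com',
    'login.microsoftonline.com',
    'login.windows.net',
    'login.microsoft.com',
    'graph.microsoft.com',
    'graph.windows.net',
    'account.activedirectory.windowsazure.com',
    'officecdn.microsoft.com',
    'officecdn.microsoft.com.edgesuite.net',
    'officecdn.microsoft.com.edgekey.net',
    'download.windowsupdate.com'
)

$results = foreach ($fqdn in $endpoints) {
    # Step 1: DNS resolution
    $dnsOk = $false
    try {
        Resolve-DnsName -Name $fqdn -ErrorAction Stop | Out-Null
        $dnsOk = $true
    } catch { }

    # Step 2: TCP connect on 443, skipped when the name did not resolve
    $tcpOk = $false
    if ($dnsOk) {
        $tcpOk = (Test-NetConnection -ComputerName $fqdn -Port 443 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{ Fqdn = $fqdn; DnsResolved = $dnsOk; Tcp443 = $tcpOk }
}

$results | Format-Table -AutoSize

# Summarize what to hand to the network/firewall team
$failed = @($results | Where-Object { -not $_.Tcp443 })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) endpoint(s) unreachable on TCP 443:"
    $failed | ForEach-Object { "  $($_.Fqdn) (DNS resolved: $($_.DnsResolved))" }
} else {
    "All listed endpoints resolved and accepted a connection on TCP 443."
}
```

Run it on the server where ManageEngine is installed. Test-NetConnection checks the direct path only, so traffic that is sent through an explicit proxy is not exercised by this check.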

Next Steps

  • If connectivity fails → escalate to Network/Firewall team to whitelist missing domains.
  • If connectivity succeeds but ManageEngine still fails → verify Proxy Settings in Admin → Proxy Settings.
  • If unresolved → share PatchDownloader.log + %temp% logs with ManageEngine or Microsoft Support.
