# Microsoft Office Patch Download Failure - Proxy Issues

Microsoft Office patch downloads through ManageEngine Endpoint Central may fail if the **required domains, IPs, or ports** are blocked by **firewall or proxy**. This causes **download failures, dependency patch errors, or retries**.

## Cause

- Office patches and updates are delivered via **Microsoft Content Delivery Networks (CDNs)**.
- Access is also required to Microsoft’s **identity, authentication, and update services**.
- If these endpoints are restricted, ManageEngine cannot fetch content.

## Resolution - Required Whitelist

**Ports:** Allow outbound **TCP 443 (HTTPS)** and **TCP 80 (HTTP)**.

**Best Practice:** Whitelist by **FQDN** (domain names) rather than static IPs (IPs change due to CDN).

**ExpressRoute (ER):** If your org uses ExpressRoute, endpoints marked with ER can route via ER instead of Internet.

### 1. Office Common + Online Apps

- *.officeapps.live.com
- *.online.office.com
- office.live.com
- *.office.com
- *.office.net

### 2. Identity & Authentication

- login.microsoftonline.com
- login.windows.net
- login.microsoft.com
- graph.microsoft.com
- graph.windows.net
- account.activedirectory.windowsazure.com
- *.msidentity.com
- *.msftidentity.com
- *.auth.microsoft.com

### 3. Office CDN (Content Delivery — Critical for Downloads)

- officecdn.microsoft.com
- officecdn.microsoft.com.edgesuite.net
- officecdn.microsoft.com.edgekey.net
- *.msocdn.com

### 4. Microsoft Update (Fallback)

- *.update.microsoft.com
- download.windowsupdate.com
- *.windowsupdate.com
- *.dl.delivery.mp.microsoft.com

### 5. Sample IP Ranges

| Service | IPv4 Ranges | IPv6 Ranges |
|---|---|---|
| Office Apps & Online | 13.107.6.171/32,<br>13.107.18.15/32,<br>13.107.140.6/32,<br>52.108.0.0/14,<br>52.244.37.168/32 | 2603:1006:1400::/40,<br>2603:1016:2400::/40,<br>2603:1026:2400::/40,<br>2603:1036:2400::/40,<br>2603:1046:1400::/40,<br>2603:1056:1400::/40,<br>2603:1063:2000::/38,<br>2620:1ec:c::15/128,<br>2620:1ec:8fc::6/128,<br>2620:1ec:a92:171/128,<br>2a01:111:f100:2000::a83e:3019/128,<br>2a01:111:f100:2002::8975:2d79/128,<br>2a01:111:f100:2002::8975:2da8/128,<br>2a01:111:f100:7000::6fdd:6cd5/128,<br>2a01:111:f100:a004::bfeb:88cf/128 |

Always check the **latest Microsoft 365 URL/IP list** in [this page](https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide).

## Manual Troubleshooting Steps

### 1. Test DNS Resolution

```plaintext
nslookup officecdn.microsoft.com
```

### 2. Test Port Connectivity

```plaintext
Test-NetConnection officecdn.microsoft.com -Port 443
```

### 3. Retry in ManageEngine

Navigate: **Patches → Downloaded Patches → Retry Download**.

Retry the failing patch and its dependency (`PatchID — 1`).

### 4. Review Logs

**Default Office Log Paths**

- System Temp logs (if ODT invoked by service account):
  - `C:\Windows\Temp\OfficeSetup[<timestamp>.log]`
  - `C:\Users\<ServiceAccount>\AppData\Local\Temp\OfficeSetup.log`

**File naming convention:**

```plaintext
<machinename><date><time>.log
```

**Example:** `PDSERVER01_20250915_145530.log`

### 5. Validate with Office Deployment Tool (Optional Deep Test)

1. Log in to the server where ManageEngine is installed.
2. Create a folder named **"o365"**.
3. Copy the XML configuration given below into a new file.
4. Save the file as **download.xml** and place it inside the **o365** folder.

**download.xml**

```plaintext
<Configuration>
  <Add OfficeClientEdition="64" Channel="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us"/>
    </Product>
  </Add>
  <Display AcceptEULA="TRUE"/>
</Configuration>
```

**Run:**

```plaintext
setup.exe /download download.xml
echo %errorlevel%
```

0 = Success → CDN reachable  
Non-zero = Failure → review logs in `%temp%`

## Next Steps

- If connectivity fails → escalate to Network/Firewall team to whitelist missing domains.
- If connectivity succeeds but ManageEngine still fails → verify Proxy Settings in **Admin → Proxy Settings**.
- If unresolved → share `PatchDownloader.log` + `%temp%` logs with ManageEngine or Microsoft Support.