Photo by Serpstat from Pexels

Proxies and Firewalls and Installing Microsoft Office Subscription Software

Microsoft Office 365 client software (Word, Excel etc.) has been available as a subscription model for over ten years and using the Click-2-Run technology for all or most of that time, but I still see a lot of people who are unsure how it actually works, assuming its a standard installer they have used for years – its not!

The subscription software comes as a download from or is deployed via the Office Deployment Tool (setup.exe) and an xml configuration file. Both of these tools require run as admin, and they create a new service called “Microsoft Office Click-to-Run Service” (ClickToRunSvc). It is this service, running as Local System account that actually does the installation and the updates.

So, if you have firewalls with URL restrictions or proxies that require authentication (for example, so I have a list of them here for search engines, ZScaler, ForcePoint, Umbrella, Bluecoat, McAfee etc) then you might find that you (the admin) and the users on the machines on your network can browse the internet fine, but the installer service just cannot install because it cannot download.

One option is to use the Office Deployment Tool and download the files to a file share and deploy from the file share – but that needs everyone in the office and that is really not happening at the moment.

So if you find that Office (Microsoft 365 Apps for enterprise|business) will not get past 29% and if you look in the installer log in c:\windows\temp you might find references to “unexpected response” or “file corrupt” or words to that effect. The Local System is being blocked with an error message or an authentication prompt that it does not understand – it is trying to download Office and expecting to get Office!

So how can you see what is going on? You need to connect to the Internet as the Local System account and the following steps will walk through this:

  1. Download PsTools from
  2. Unblock the download (properties of the file, check Unblock)
  3. Unzip the content to a new folder
  4. Open an admin cmd prompt to this folder
  5. Run the following: PsExec.exe -s -i cmd.exe
    1. This opens a cmd prompt running as the local system account – this is an admin level account and this tool can be used maliciously as well, so if your AV has an issue with this (or the exe somewhat fails to run) you need to exempt this application from the AV for a bit.
    2. TIP: Make sure Internet Explorer is closed – we are going to start it as local system and if you have it running already it will get confusing as to which window is which user! And yes, I know its Internet Explorer – but I know the path this is installed to, whereas other browsers on your machine may be local or machine installed and that may not be accessible to Local System.
  6. In the new cmd prompt run the following: “C:\program files\Internet Explorer\iexplore.exe”
    1. This will start IE and it is running as the local system – accept prompts and other stuff that IE does on first run and ignore the prompt about installing new Edge.
    2. Go to and see what happens – does it work? If not, then the error message, if any, might give a clue as to what is wrong.
  7. Do this on a machine that is both in the office and one that is remote – the VPN/Firewall/Proxy settings are likely different based on where the device is.
  8. Close Internet Explorer when you are done
  9. Close the open cmd prompt that is running because of PsExec and you are done and tidied up.

Photo by Serpstat from Pexels



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.