Those of you out there with firewalls may have run into issues with the Windows Intune clients having difficulty communicating with the service. The excerpt below provides detailed information on how to set up your firewall for a successful Windows Intune implementation. Thanks go to our awesome documentation team for putting this together, and to the Windows Intune client team for doing the research and testing.
If you want to use Windows Intune™ to manage client computers that exist behind firewalls or proxy servers, you must configure the firewall or proxy server to allow Windows Intune to communicate with the client computers.
If the client computers exist behind a firewall, you must configure the firewall to allow communications with the domains through the specified ports that are listed in the following tables.
Ports: 80 and 443
Depending on the firewall and how it processes DNS lookup requests, you might also need to allow access to the domain manage.microsoft.com.nsatc.net on port 80.
If the client computers exist behind a proxy server, you must configure the proxy server as follows:
You can modify proxy server settings on individual client computers, or you can use Group Policy to change settings for all client computers that exist behind a specified proxy server. Authenticated proxy servers are not supported.
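Before opening a support case, it helps to confirm from an enrolled PC which of the endpoints above are actually reachable on the required ports. The following PowerShell script is an added example, not part of the original article or the Windows Intune product; the host list is constructed from the domains named on this page (the wildcard entries *.windowsupdate.com and *.download.windowsupdate.com are represented by the single concrete host download.windowsupdate.com, since a DNS wildcard cannot be tested directly), and it assumes a client running Windows 8 / Server 2012 or later, where Test-NetConnection is available.

```powershell
# Added example (not from the original article): check that the endpoints the
# article lists are reachable from an Intune client on ports 80 and 443.
# Host list constructed from the domains named on this page.
$Endpoints = @(
    'manage.microsoft.com.nsatc.net',
    'admin.manage.microsoft.com',
    'account.manage.microsoft.com',
    'download.windowsupdate.com'    # stands in for the *.windowsupdate.com wildcards
)
$Ports = 80, 443

# Show the machine-wide WinHTTP proxy (assumption: this is the proxy setting the
# client-side service components honour). "Direct access" means no proxy is set.
netsh winhttp show proxy

$results = foreach ($hostName in $Endpoints) {
    foreach ($port in $Ports) {
        # -WarningAction SilentlyContinue hides the warning Test-NetConnection
        # emits when the TCP handshake fails; we report it ourselves below.
        $t = Test-NetConnection -ComputerName $hostName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host     = $hostName
            Port     = $port
            Resolved = [bool]$t.RemoteAddress   # DNS lookup succeeded
            Open     = $t.TcpTestSucceeded      # TCP connect succeeded
        }
    }
}

$results | Format-Table -AutoSize

# Anything listed here is what the firewall (or proxy) rule still needs to allow.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning 'Endpoints that could not be resolved or connected to:'
    $blocked | Format-Table -AutoSize
}
```

Note that Test-NetConnection opens a direct TCP connection and does not go through a proxy, so on a network where all outbound traffic must traverse the proxy server the "Open" column will show False even when the proxy rules are correct; in that case the direct test tells you about the firewall path, and reachability of the proxy host and port shown by netsh winhttp show proxy is the thing to confirm instead. A row with Resolved = False points at the DNS lookup issue the article mentions for manage.microsoft.com.nsatc.net rather than at a blocked port.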
just to clarify:
- settings above are not only for managed clients but also for Admin and Account Console devices?
- for WUS you list *.download.windowsupdate.com, *.windowsupdate.com, and download.windowsupdate.com - only the second entry is actually necessary - correct?
TIA for clarification
Hello Marc -
Thank you for your comment. To answer your questions please see my responses below.
- settings above are not only for managed clients but also for Admin and Account Console devices?
The settings that are listed in the article are for managed clients, or PCs that you have enrolled into the Windows Intune service, and allow the enrolled PC's computer account access to the Windows Intune service. Following the information in this article will ensure that the PCs that are enrolled in the service are able to be managed with Windows Intune.
However, you are correct that for access to the Windows Intune Admin Console (admin.manage.microsoft.com) and the Windows Intune Account Portal (account.manage.microsoft.com), ports 80 and 443 should be open.
Access to all the listed URLs is necessary for proper communication with the Windows Intune service and the management of updates for your enrolled devices.
Thank you for all this information. I have one additional question though: is it possible to implement Intune for PC in a confined LAN, e.g. a lab, utilizing some sort of staging/proxying/forwarding, where all PCs in this LAN communicate with one server within this LAN and only the latter is routed outside to the internet?
Thanks in advance for any hint!