We had this question circulate around at work, so I wanted to share.  Window Intune needs access to the internet.  This means that the services need unhindered access to the internet.  While for most of us, once we are connected, we are connected, some firewall / proxy devices require extra information to be entered into a browser and this is something that Windows Intune cannot deal with.

Luckily, Richard at Windows Intunepedia has written about this and quite some time ago.  The key elements are:

Ports 80,443 will be needed for outgoing communications and the firewall / proxy must be as follows:

If the client computers exist behind an authenticating proxy server, you must configure the proxy server as follows:

1. Confirm that the proxy server supports HTTP and HTTPS.

2. Enable either Non-auth or Negotiate (Kerberos) authentication methods on the proxy.

If your proxy server is using the Negotiate (Kerberos) authentication method then you must configure it to allow authentication using computer accounts rather than user accounts. This is because the Windows Intune client agents run using the LocalSystem security context not that of a logged on user. If it is not possible for your proxy to be configured in this manner the agents will not be able to report to that Windows Intune service while they are behind that proxy.

More can be found from Richard at

Thanks

David