Intune network configuration requirements and bandwidth

This guidance helps Intune admins understand the network requirements for the Intune service. You can use this information to understand bandwidth requirements and IP address and port settings needed for proxy settings.

Average network traffic

This table lists the approximate size and frequency of common content that travels across the network for each client.


To ensure devices receive the updates and content from Intune, they must periodically connect to the Internet. The time required to receive updates or content can vary, but they should remain continuously connected to the Internet for at least one hour each day.

Content type Approximate size Frequency and details
Intune client installation

The following requirements are in addition to the Intune client installation
125 MB One time

The size of the client download varies depending on the operating system of the client computer.
Client enrollment package 15 MB One time

Additional downloads are possible when there are updates for this content type.
Endpoint Protection agent 65 MB One time

Additional downloads are possible when there are updates for this content type.
Operations Manager agent 11 MB One time

Additional downloads are possible when there are updates for this content type.
Policy agent 3 MB One time

Additional downloads are possible when there are updates for this content type.
Remote Assistance via Microsoft Easy Assist agent 6 MB One time

Additional downloads are possible when there are updates for this content type.
Daily client operations 6 MB Daily

The Intune client regularly communicates with the Intune service to check for updates and policies, and to report the client’s status to the service.
Endpoint Protection malware definition updates Varies

Typically 40 KB to 2 MB

Up to three times a day.
Endpoint Protection engine update 5 MB Monthly
Software updates Varies

The size depends on the updates you deploy.

Typically, software updates release on the second Tuesday of each month.

A newly enrolled or deployed computer can use more network bandwidth while downloading the full set of previously released updates.
Service packs Varies

The size varies for each service pack you deploy.

Depends on when you deploy service packs.
Software distribution Varies

The size depends on the software you deploy.

Depends on when you deploy software.

Ways to reduce network bandwidth use

You can use one or more of the following methods to reduce network bandwidth use for Intune clients.

Use a proxy server to cache content requests

A proxy server can cache content to reduce duplicate downloads and reduce network bandwidth from content from the Internet.

A caching proxy server that receives content requests from clients can retrieve that content and cache both web responses and downloads. The server uses cached data to answer subsequent requests from clients.

The following are typical settings to use for a proxy server that caches content for Intune clients.

Setting Recommended value Details
Cache size 5 GB to 30 GB The value varies based on the number of client computers in your network and the configurations you use. To prevent files from being deleted too soon, adjust the size of the cache for your environment.
Individual cache file size 950 MB This setting might not be available in all caching proxy servers.
Object types to cache HTTP


Intune packages are CAB files retrieved by Background Intelligent Transfer Service (BITS) download over HTTP.


If you use a proxy server to cache content requests, communication is only encrypted between the client and the proxy and from the proxy to Intune. The connection from the client to Intune will not be encrypted end-to-end.

For information about using a proxy server to cache content, see the documentation for your proxy server solution.

Use Background Intelligent Transfer Service (BITS) on computers

During hours that you configure, you can use BITS on a Windows computer to reduce the network bandwidth. You can configure BITS policy on the Network bandwidth page of the Intune Agent policy.


For MDM management on Windows, only the OS’s management interface for the MobileMSI app type uses BITS to download. AppX/MsiX use their own non-BITS download stack and Win32 apps via the Intune agent use Delivery Optimization rather than BITS.

To learn more about BITS and Windows computers, see Background Intelligent Transfer Service in the TechNet Library.

Use BranchCache on computers

Intune clients can use BranchCache to reduce wide area network (WAN) traffic. The following operating systems support BranchCache:

  • Windows 7
  • Windows 8.0
  • Windows 8.1
  • Windows 10

To use BranchCache, the client computer must have BranchCache enabled, and then be configured for distributed cache mode.

When the Intune client is installed on computers, BranchCache and distributed cache mode are enabled by default. However, if Group Policy has disabled BranchCache, Intune doesn't override that policy and BranchCache remains disabled.

If you use BranchCache, work with other administrators in your organization to manage Group Policy and Intune Firewall policy. Ensure they don't deploy policy that disables BranchCache or Firewall exceptions. For more about BranchCache, see BranchCache Overview.

Network communication requirements

Enable network communications between the devices you manage and the endpoints required for cloud-based services.

As a cloud-only service, Intune doesn't require on-premises infrastructure such as servers or gateways.

To manage devices behind firewalls and proxy servers, you must enable communication for Intune.

  • The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols
  • For some tasks (like downloading software updates), Intune requires unauthenticated proxy server access to

You can modify proxy server settings on individual client computers. You can also use Group Policy settings to change settings for all client computers located behind a specified proxy server.

Managed devices require configurations that let All Users access services through firewalls.

The following tables list the ports and services that the Intune client accesses:

Domains IP address More information Office 365 URLs and IP address ranges

Apple device network information

Used for Hostname (IP address/subnet) Protocol Port
Receiving Push notifications from Intune service via Apple Push Notification Service (APNS). See Apple’s documentation here ( TCP 2195
Sending feedback to Intune service via Apple Push Notification Service (APNS) TCP 2196
Retrieving and displaying content from Apple servers
Communications with APNS servers (
'#' is a random number from 0 to 50.
TCP 5223 and 443
Various functionality including accessing the World Wide Web, iTunes store, macOS app store, iCloud, messaging, etc.
HTTP/HTTPS 80 or 443

For more information, see Apple's TCP and UDP ports used by Apple software products, About macOS, iOS, and iTunes server host connections and iTunes background processes, and If your macOS and iOS clients aren't getting Apple push notifications.