I wish I had found this article sooner! Great explanation with just the right amount of detail. Can you comment on this:
- You state in the context of federated join, "Windows 10 tries to communicate with Azure AD under the system context and get redirected back to WindowsTransport endpoint of Federation service such as ADFS to authenticate itself.". In our environment, the web proxy would only allow a device's local system account to access the Internet if a domain user signs in to Windows 10 and authenticates (SSO) by opening a browser to an Internet site. The local system account will fail to communicate with Azure AD if it tries before the user has authenticated with the proxy. Your description seems to imply that Azure AD would redirect the local system account back to our AD FS Windows Transport endpoint, but what if the local system account can't communicate with Azure AD on the first try? Does it wait to retry, or does it immediately somehow get redirected to AD FS?
- Once the Windows 10 device is hybrid joined, is there a perpetual requirement for the local system account to have Internet access? If so, where can I find a comprehensive list of activities performed by the local system account that require Internet access?
Thank you so much in advance for your reply!