Microsoft has confirmed that the Intune Suite — a set of advanced endpoint management capabilities that has until now required a separate add-on licence — is being folded into Microsoft 365 E3 and E5 from 1 July 2026. For organisations that have been holding off on deploying Endpoint Privilege Management, Enterprise Application Management, or Microsoft Cloud PKI because of licensing cost, that blocker is about to disappear. This is one of the most significant Intune licensing changes in years, and it changes the planning calculus for every endpoint team running on M365 E3 or E5.
This post covers what is included at each licence tier, what the price changes look like, what each new capability actually does, and what you need to check in your tenant this week.
What is included — by licence tier
Not all Intune Suite capabilities land in E3. Microsoft has split the features across the two tiers. Here is the breakdown:
| Capability | M365 E3 | M365 E5 |
|---|---|---|
| Advanced Analytics (device query, anomaly detection, battery health) | ✓ | ✓ |
| Microsoft Tunnel for MAM | ✓ | ✓ |
| Remote Help | ✓ | ✓ |
| Endpoint Privilege Management (EPM) | — | ✓ |
| Enterprise Application Management (EAM) | — | ✓ |
| Microsoft Cloud PKI | — | ✓ |
Note: E3 gets the three foundational capabilities. E5 gets everything in E3 plus the three most operationally significant tools — EPM, EAM, and Cloud PKI. If your organisation is on E3 and considering an upgrade, these additions change the value calculation considerably.
Price changes
The inclusion of Intune Suite capabilities comes with a licence price adjustment. The changes take effect on the same date — 1 July 2026 for new customers:
| Licence | Current price | New price (from 1 Jul 2026) | Increase |
|---|---|---|---|
| Microsoft 365 E3 | $36 / user / month | $38 / user / month | +$2 |
| Microsoft 365 E5 | $57 / user / month | $60 / user / month | +$3 |
For context: the Intune Suite add-on has been priced at $10 per user per month when purchased separately. If you are currently paying that on top of E3, the new E3 price is meaningfully cheaper than E3 plus the add-on, though the E3 bundle does not include EPM, EAM, or Cloud PKI. For E5 customers with the Intune Suite add-on, the new E5 price covers everything in the add-on and the price differential narrows substantially.
What each capability does
Endpoint Privilege Management (EPM) — E5 only
EPM solves one of the most persistent endpoint management problems: users who need to run specific applications with elevated rights, but where making them a local administrator creates an unacceptable security risk. With EPM, you define rules in Intune that allow standard users to run particular executables with elevated rights — without granting them persistent local admin. The elevation is logged, auditable, and policy-controlled.
This directly addresses the “I just need admin to install this one thing” support burden, and removes the operational justification for keeping users in the local Administrators group on managed devices.
Enterprise Application Management (EAM) — E5 only
EAM gives you a Microsoft-curated catalogue of Win32 applications that you can discover, deploy, and patch directly from the Intune admin centre — without creating and maintaining your own Intune Win32 app packages. Microsoft handles the packaging. Updates are published to the catalogue and you choose when to deploy them to your rings.
For organisations managing a large Win32 app estate, this removes a significant packaging overhead. The practical limitation to understand is that the catalogue covers mainstream commercial applications; bespoke or internal line-of-business apps still require traditional Win32 packaging.
Microsoft Cloud PKI — E5 only
Cloud PKI is a cloud-hosted certificate authority, managed entirely within the Intune admin centre. You can issue device and user certificates for Wi-Fi, VPN, and other certificate-based authentication scenarios without deploying and maintaining an on-premises Active Directory Certificate Services (ADCS) infrastructure or a third-party CA.
For organisations that have been avoiding certificate-based authentication because of ADCS complexity, or for those in the process of eliminating on-premises infrastructure dependencies, Cloud PKI is a direct enabler. It integrates with SCEP and PKCS certificate profiles in Intune.
Advanced Analytics — E3 and E5
Advanced Analytics extends the Intune reports and data capabilities with three specific additions:
- Device query — run on-demand queries against individual device properties using Kusto Query Language (KQL), surfaced in the Intune admin centre
- Anomaly detection — machine learning-based detection of unusual device behaviour patterns, surfaced as anomaly reports in the admin centre
- Battery health reporting — fleet-wide battery capacity data for Windows devices, enabling proactive hardware lifecycle decisions before end-user impact
Tip: Device query is particularly useful for rapid incident response — you can query a device for specific registry keys, installed software versions, or running processes directly from the Intune console without needing to push a detection script or wait for a compliance check cycle.
Remote Help — E3 and E5
Remote Help is a cloud-delivered remote assistance tool built into Intune. It allows helpdesk engineers to connect to a managed Windows device with the user's consent and provide screen-sharing or full remote control assistance — without requiring a third-party remote assistance tool or a VPN. Connections are brokered through Microsoft's cloud infrastructure and logged in the Intune admin centre.
For organisations that have been running a separate RMM tool primarily for remote assistance, this is worth evaluating as a consolidation opportunity — particularly for Intune-managed devices where the agent is already present.
Microsoft Tunnel for MAM — E3 and E5
Microsoft Tunnel for MAM extends the existing Microsoft Tunnel VPN gateway to cover unenrolled devices using Mobile Application Management (MAM) only policies. This means employees using personal iOS and Android devices — where full MDM enrolment is not appropriate — can access on-premises or private cloud resources through managed apps such as Microsoft Edge and the Microsoft 365 apps, without requiring device enrolment.
This is the key scenario: BYOD users accessing internal web apps or SharePoint on-premises, where the organisation wants network-level access control without mandating full device enrolment.
Do you need to do anything?
Short answer: no immediate action is required for provisioning. Microsoft will auto-provision the capabilities to eligible tenants. New customers on qualifying licences from 1 July 2026 will have access automatically. Existing eligible tenants will be provisioned by 1 August 2026. Admins will receive 30-day advance notice in the Microsoft 365 admin centre — no manual opt-in or licence reassignment is required.
That said, “no action needed for provisioning” is not the same as “nothing to do.” There are three areas to work through:
What to check in your tenant this week
You do not need to wait until July to prepare. Run through this checklist now:
1. Confirm your licence SKUs — go to admin.microsoft.com → Billing → Licences and verify you are on M365 E3 or E5. Check which SKU variant you have (some E3 bundles for specific verticals may differ).
2. Check the Message centre — go to admin.microsoft.com → Health → Message centre and search for “Intune Suite”. Your 30-day notice should appear before 1 July.
3. Identify your highest-value capability — for most E5 tenants, EPM delivers the fastest measurable impact: reduce local admin group membership, stop elevation exceptions, and log all elevation events. For E3 tenants, Remote Help and device query in Advanced Analytics are immediate wins.
4. Audit current local admin group membership — if EPM is coming, now is the right time to run a report on which users are currently in the local Administrators group on managed devices. This gives you a baseline for EPM impact measurement. You can do this with a device query or a proactive remediation detection script.
5. Review on-premises PKI dependencies — if you are on E5 and running ADCS for device/user certificate issuance, map which certificate profiles in Intune are sourced from ADCS. Cloud PKI can replace ADCS for these scenarios. Understanding the scope of migration is easier to do now than after provisioning.
6. Check your existing Intune Suite add-on renewals — if you are paying for the Intune Suite separately, check your renewal dates with your licensing team to ensure you are not auto-renewing a licence you will no longer need.
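
The local admin baseline in step 4 can be gathered with a detection-only script like the one below. This is an added example, not code from Microsoft or from the original post, and the allow-list patterns are assumptions to replace with your own baseline.

```powershell
# Added example: detection-only script for an Intune remediation.
# Exit 0 = only expected members; exit 1 = unexpected members found.

# Assumption: SIDs allowed in the local Administrators group (regex patterns).
# Replace the placeholder with the values that apply to your tenant.
$AllowedSidPatterns = @(
    '^S-1-5-21-\d+-\d+-\d+-500$'          # built-in Administrator account (RID 500)
    # '^<SID-OF-YOUR-DEVICE-ADMIN-ROLE>$' # placeholder, not a real value
)

try {
    # Resolve the group name from its well-known SID so localised Windows builds work.
    $groupSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $groupName = $groupSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

    # ADSI returns raw SIDs, so members that no longer resolve to a name are still listed.
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    $members = @(foreach ($m in @($group.Invoke('Members'))) {
        $type  = $m.GetType()
        $bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Sid  = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
            Name = $type.InvokeMember('Name', 'GetProperty', $null, $m, $null)
        }
    })
}
catch {
    # Fail closed: an enumeration error is reported as an issue, not as a clean device.
    Write-Output "ERROR enumerating local Administrators: $($_.Exception.Message)"
    exit 1
}

# Keep only members whose SID matches none of the allowed patterns.
$unexpected = @($members | Where-Object {
    $sid = $_.Sid
    -not ($AllowedSidPatterns | Where-Object { $sid -match $_ })
})

if ($unexpected.Count -eq 0) {
    Write-Output "OK: $($members.Count) member(s), all in baseline"
    exit 0
}

# One compact line so the result reads cleanly in the per-device detection output.
$list = ($unexpected | ForEach-Object { "$($_.Name) [$($_.Sid)]" }) -join '; '
Write-Output "UNEXPECTED: $list"
exit 1
```

Deploy it as a detection script with no remediation script attached, so it only reports; the devices flagged with issues are the population to track once EPM rules are in place.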
Key dates summary
| Date | What happens |
|---|---|
| 30 days before provisioning | Notice appears in Microsoft 365 admin centre Message centre |
| 1 July 2026 | New M365 E3/E5 customers receive Intune Suite capabilities and new pricing applies |
| 1 August 2026 | All existing eligible tenants provisioned (no action required) |
Official references
- Microsoft 365 adds advanced Microsoft Intune solutions at scale — Microsoft Intune Blog, Tech Community (official announcement)
- Microsoft Intune licensing — Microsoft Learn (full licence breakdown and requirements)
- What's new in Microsoft Intune — Microsoft Learn (ongoing feature and release updates)