Posted in

Untitled

Microsoft just changed the licensing on a meaningful chunk of the Intune Suite. As of July 1, 2026, the advanced Intune capabilities — Endpoint Privilege Management (EPM), Cloud PKI, Advanced Analytics, Remote Help, and Enterprise Application Management — are bundled into Microsoft 365 E5, with select capabilities now landing in Microsoft 365 E3. If you manage clients on E5 (or E3), they now own tooling they were probably paying the Intune Suite add-on for, or simply not using. This is a “go turn it on” moment, not a “wait for next budget cycle” moment.

What actually changed

The packaging change was pre-announced back in December 2025 and is now in effect. The shape of it:

  • E5 gets the full set. EPM, Cloud PKI, Advanced Analytics, Remote Help, Enterprise Application Management, and the advanced mobile capabilities (Intune Plan 2).
  • E3 gets select capabilities. Microsoft is explicit that inclusion varies by plan — don’t assume E3 mirrors E5. Verify per tenant.
  • Some capabilities may still need extra licenses. Feature availability is plan-dependent; a few pieces are not automatically free even on E5.
  • Existing customers get a 30-day Message Center notice and access by August 2026. New tenants see it now.
  • Security Copilot in Intune and the Vulnerability Remediation Agent require separate licensing. Keep that line clear so you don’t over-promise a client.

The enable-first priority order

Not everything in the bundle is equal. For an MSP balancing client risk and effort, this is the order I’d turn things on:

  1. Endpoint Privilege Management (EPM) — biggest attack-surface win. It removes broad local admin while still letting users elevate approved tasks. Standing local admin is exactly what ransomware and lateral movement feed on. This is the one to pilot first.
  2. Cloud PKI — kills on-prem PKI maintenance. Fully managed certificate lifecycle, no on-prem infrastructure. If a client is running AD CS or a third-party CA purely for device certificates, this is a strong candidate to retire.
  3. Advanced Analytics (near real-time Device Query + Multi-Device Query) — proactive triage at scale. When something breaks across 200 endpoints, Multi-Device Query answers “which ones, and what’s wrong?” in seconds instead of a manual sweep.
  4. Remote Help — secure, auditable remote support. It sits inside your identity and device controls, which is more than you can say for a lot of standalone remote tools. Worth it for distributed clients.
  5. Enterprise Application Management — time-saver, not a security win. Streamlines app deployment and updates at scale. Lower priority than the four above, but real leverage for MSPs juggling packaged apps across clients.

The advanced mobile pieces — Intune Plan 2: purpose-built/specialty devices, Zebra firmware update management, and Microsoft Tunnel for MAM — are also included. Niche, but flag them for clients with kiosk, shared Android, or BYOD-with-per-app-VPN scenarios.

Check-your-tenant checklist

  • Confirm E3/E5 eligibility per client. The E3 subset differs from E5; don’t assume parity.
  • Review Message Center notifications. That’s where Microsoft pushes what’s actually available in each tenant. Verify, don’t assume.
  • Reconcile licenses. If a client was paying for the Intune Suite add-on SKU, it may now be redundant. That’s a cost conversation, not just a technical one.
  • Pilot EPM on a ring first. Elevation rules are the one thing that bites if misconfigured — a bad policy can block legitimate work just as fast as malicious.
  • Talk to the account team if a capability should be there but isn’t. Some still require additional licensing.

The catch

Don’t read this as “everything is free now.” Availability varies by plan, some capabilities still need separate licensing, and E3 is explicitly a subset. The real move: verify per tenant, turn on the high-value security pieces first, and use any freed-up Suite budget as a client conversation. The tooling was already the right call — now for a lot of your clients, it’s just already paid for.