The IAM SME

Security – Identity – Cyber – Governance

Advertisement

Intune Suite lands in E3 and E5: what it plugs, and what stays behind the velvet rope

A person managing devices on a laptop and phone, illustrating endpoint management

Every few years Microsoft rearranges the furniture in the licensing house, and this summer they’ve done it while we were all still asleep. As of the first of July, the Intune Suite — the bit that used to cost extra — starts quietly appearing inside E3 and E5 at no additional charge. Here’s what actually landed, what it plugs, and where the ceiling still has your name written on it in E5-shaped letters.

The short version, for those already reaching for the kettle

From 1 July 2026, advanced Intune Suite capabilities are being folded into Microsoft 365 E3 and E5 at no separate add-on cost. The rollout is staggered across the summer, finishing by 1 August, and eligible tenants are provisioned automatically — you’ll get a thirty-day nudge in the Message Center before your turn comes up. No purchase, no admin ceremony, no form to fill in triplicate. The catch, and there’s always a catch, is that this arrives on precisely the same day as the price rise: E3 goes from $36 to $39 a user, E5 from $57 to $60. Microsoft would very much like you to see the new toys as the reason for the higher bill. Whether that holds depends entirely on whether you’d have bought the toys anyway.

The old world was tidy in its own way: every E3 and E5 already shipped with Intune Plan 1 — basic device and app management — and anything cleverer meant reaching for the wallet. The full Intune Suite was a $10-per-user-per-month add-on, or you could buy the bits à la carte like a particularly joyless tapas menu. That’s the thing being dismantled.

What E3 gets, and the security gaps it quietly closes

E3 (and EM+S E3, which is the plumbing this actually flows through) picks up the day-to-day operational tooling: Intune Plan 2 in full, plus Remote Help and Advanced Analytics. None of these will make a threat actor weep, but each one closes a gap that security teams have been papering over with duct tape and third-party licences for years.

Intune Plan 2 brings three things: Microsoft Tunnel (a per-app VPN for iOS and Android that doesn’t demand full device enrolment — useful for the BYOD estate you pretend you don’t have), firmware-over-the-air updates for supported Zebra devices, and specialty device management for the AR/VR and meeting-room kit. The security angle here is unglamorous but real: unmanaged mobile access and unpatched firmware are two of the quieter ways into an estate, and both have been sitting in the “we’ll get to it” column. Now the tooling is simply there.

Remote Help is a cloud-based, role-based, session-audited remote-control tool. On paper, help-desk software. In practice, it retires the ageing screen-share tool that half your organisation had admin rights to and nobody had audited since the Coalition government. The gap it closes is governance: remote assistance that actually respects your RBAC model and writes down who did what to whom. The honest caveat — and it is a caveat — is that it’s Windows-first, with mobile support that Microsoft describes as “growing” in the way a teenager describes tidying their room as “in progress.” If your fleet is heavily Mac, temper expectations accordingly.

Advanced Analytics adds device query, anomaly detection, battery health and resource-performance reporting on top of the base Endpoint Analytics. The security value isn’t the battery graphs, charming as they are; it’s the anomaly detection and the ability to interrogate your fleet with actual queries. Knowing which devices are drifting, misbehaving, or quietly falling off the compliance wagon is the difference between finding a problem and finding out about a problem. Previously this was a $5-a-head extra. Now it’s baseline, which means the excuse “we didn’t have visibility” has quietly expired.

What stays behind the E5 velvet rope

Here’s where the marketing “included in E3 and E5!” needs an asterisk you could park a bus in. Three of the genuinely security-relevant capabilities remain E5-only, and they happen to be the three an E3 shop would most want. Microsoft, it turns out, can read a room.

Endpoint Privilege Management (EPM) lets users run as standard accounts and elevate only specific, approved applications on a just-in-time basis. This is the one that matters. Standing local admin rights are the security equivalent of leaving the spare key under a mat that everyone knows about, and EPM is the most direct route to removing them without generating a help-desk mutiny. It’s a genuine Zero Trust building block. It’s also, pointedly, E5-only — so the organisations most likely to still be handing out admin rights like sweets (smaller, leaner, E3-shaped ones) are precisely the ones who don’t get it thrown in. A dry observation, respectfully offered.

Cloud PKI issues, renews and revokes certificates via SCEP with no on-premises certificate authority to nurse through the night. If you’ve ever inherited a Windows CA that nobody dares reboot and whose CRL distribution point is held together by hope, this is the exit door. The security gain is real — modern, cloud-native certificate management without the DMZ infrastructure and the associated 2am pages — but the honest note is that if your existing PKI is stable and well-run, there’s no fire to fight. The value is highest for the cloud-first crowd trying to retire tin. For everyone else it’s a “nice, eventually.”

Enterprise App Management gives you a curated catalogue of pre-packaged Win32 apps to deploy and update, with updates detected automatically but still gated behind admin approval — which is exactly the right amount of paranoia. The security benefit is patch currency on the third-party apps that everyone forgets about until one of them is on the front of a CVE advisory. It won’t replace a dedicated patch platform for the long tail, but it meaningfully shrinks the “manually packaged and last updated in 2023” pile.

The bit the announcement is quiet about

Two things deserve a raised eyebrow. First, “eligible” is doing quiet, load-bearing work. Eligibility is tied to the presence of EM+S E3 or M365 E5 in the tenant — not tenant size, not seat count, not whether you’ve migrated to a particular bundle. That’s actually more generous than the headlines suggest: an Office 365 E3 + EM+S E3 shop qualifies without moving to the Microsoft 365 bundle, and there’s no seat minimum. Worth circling for anyone who assumed they’d need to re-paper their agreement first.

Second — and this is the one that catches people — provisioning is not the same as usage. The capabilities land at the tenant level automatically, but nothing switches itself on for end users. EPM arriving in your tenant is not EPM protecting your endpoints; it’s EPM sitting in a cupboard waiting for someone to configure it. An unused entitlement delivers precisely nothing, and “we’re licensed for it” is not a control an auditor accepts. The work is still the work.

And the money. If you were already paying for the Intune Suite or its component add-ons on top of E5, those line items do not vanish on their own. They will keep billing merrily until you identify and remove them at your next true-up or renewal. The genuine consolidation saving is real, but only if you actually do the licence hygiene. Otherwise you achieve the rare feat of paying twice for the same capability while congratulating yourself on the freebie.

The verdict from the security desk

Credit where it’s due: this is a meaningful uplift to the security baseline of every eligible tenant, and Microsoft has made the entry condition unusually forgiving. Advanced Analytics and Remote Help closing longstanding visibility and governance gaps at no extra cost is a straightforwardly good thing. EPM, Cloud PKI and Enterprise App Management are proper security capabilities, and having them ride inside E5 rather than as a stack of add-ons is a real simplification.

The two things to keep your wits about: the price rise landed on the same date, so the “free” is really “reallocated,” and the capabilities most likely to move the security needle for smaller estates are the ones held back for E5. None of which is a scandal — it’s Microsoft doing what Microsoft does, which is bundling with one hand and pricing with the other, entirely within its rights and reasonably transparent about it. Just go in with your eyes open, do the licence review before and after your rollout window, and turn the things on. A capability you’re paying for and not using is the most expensive kind there is.

Gary Clarke is a CISO and the founder of IAM SME LTD. He builds security tooling for a living and has strong opinions about certificate authorities that nobody dares reboot.