Intune Suite Is Now Baked Into Your E3/E5 License
Microsoft is folding Intune Suite into E3/E5 starting July 2026. Here’s what that actually changes in a real tenant, where I think people will get tripped up, and what I’m doing in my own lab before the switch flips.
I’ve been managing Intune environments long enough to remember when it was a basic MDM tool that mostly fought with SCCM for relevance. So when Microsoft announced that Intune Suite — the add-on that used to run roughly ten dollars per user per month — is getting folded into the base E3 and E5 licenses starting July 2026, I sat up and paid attention.
Most of the coverage on this has been the “here’s what’s included” variety, which is useful but only gets you halfway. I’ve spent the last couple of weeks running these features against my own lab tenant, and I want to talk less about the feature list and more about the stuff that actually trips people up when they try to turn this on for real — licensing nuance, platform gaps, and the migration decisions you’ll have to make if you’re currently paying for Tanium, Patch My PC, or a third-party PAM tool to do what Intune Suite now does for free.
Let’s start with what’s actually changing, because the licensing details matter more than the marketing.
1 — What’s Actually Changing (and What Isn’t)
The short version: Intune Suite capabilities move from a paid add-on into the base license, split across E3 and E5 the way Microsoft tends to split everything — give E3 a taste, reserve the heavier stuff for E5.
| License | Now Included | Platform Coverage |
|---|---|---|
| M365 E3 | Remote Help, Intune Advanced Analytics | Windows-focused, partial macOS |
| M365 E5 | Everything in E3, plus Endpoint Privilege Management, Enterprise App Management, Cloud PKI | Mostly Windows; Cloud PKI spans Windows, macOS, mobile |
What doesn’t change: you still need E5 (or the standalone Intune Suite add-on, for anyone who wants it without a full E5 upgrade) to get the full set. If you’re sitting on E3 today, this announcement gives you Remote Help and Advanced Analytics for free, but the privilege management and app catalog pieces — the ones with the real teeth — are still behind the E5 wall. I’ve seen a few people misread the announcement as “Intune Suite is now free for everyone,” and that’s not quite right. It’s free if you’re already paying for E5, or it removes the add-on cost if you’re on E5 and were paying separately for Suite.
2 — What I Actually Tested in My Lab
Reading a feature list tells you what a thing does. Turning it on tells you what it actually does. I ran three of the four E5-gated capabilities against my lab tenant — Endpoint Privilege Management, Advanced Analytics, and Cloud PKI — to see how much friction was involved in standing them up from a cold start.
Endpoint Privilege Management
This is the one I was most interested in, mostly because I’ve spent years cleaning up environments where standard users were quietly handed local admin “just to get them off our backs” and nobody ever walked it back. EPM’s pitch is that you can let users self-elevate for specific, pre-approved actions without giving them standing admin rights.
Cloud PKI
I stood up a basic root and issuing CA in Cloud PKI and pushed a SCEP-style certificate profile to a test device. The setup itself took less time than I expected — no connector to install, no on-prem NDES server to babysit, which has historically been one of the most fragile pieces of any certificate-based Wi-Fi or VPN deployment I’ve worked on.
Where I’d pump the brakes: if you already have a working on-prem PKI with established trust chains, group policy dependencies, and certificate templates feeding things beyond just device auth — think internal web apps, code signing, smart card login — ripping that out for Cloud PKI is not a weekend project. It’s a genuinely good option for a clean, cloud-native build, and a much harder sell as a replacement for a mature on-prem CA that other systems already depend on.
Advanced Analytics
This was the least dramatic to set up and, honestly, the one I’d recommend turning on first regardless of where you are in your Intune Suite evaluation. It builds on Endpoint Analytics you may already be using, streams telemetry into a Log Analytics workspace, and doesn’t touch the end-user experience at all. No new agent, no new prompt for users, nothing to break.
3 — The Challenges Nobody Puts in the Announcement Post
This is the part I actually wanted to write about. License inclusion is a procurement win, not an engineering plan. Here’s what I think will actually slow teams down when they try to operationalize this.
“Free” still means a project
The cost savings narrative is real if you’re already on E5 and paying for the Suite add-on separately — that’s a straightforward win, cancel the add-on SKU and move on. But for E3 shops eyeing an E5 upgrade purely to get EPM and EAM, you’re still pricing out a full license tier jump, not a feature toggle. I’d treat this as a licensing conversation with finance, not an IT ticket.
EPM and EAM are Windows-only
If your environment is mixed Windows/macOS, which describes a lot of the orgs I talk to now, the two most differentiated features in this announcement simply don’t apply to your Mac fleet. You’ll still need a separate privilege management and app deployment story for macOS — JumpCloud, Privileges.app combined with Jamf, or whatever you’re already running. Don’t let the headline “Intune Suite is now included” make you think it solves endpoint management parity across platforms, because it doesn’t.
Tool consolidation is a people problem before it’s a technical one
I’ve sat through the conversation where someone points out that Intune’s app catalog can now do what Patch My PC does, and the technical answer is usually “mostly, yes.” The harder conversation is that someone’s team has built workflows, alerting, and trust around the existing tool for years. Swapping it out isn’t just a config change — it’s retraining, re-validating every packaged app, and convincing a skeptical sysadmin that the replacement won’t quietly break something six months from now. Budget for that resistance; it’s real and it’s not irrational.
EPM’s elevation model needs governance, not just configuration
It’s tempting to stand up EPM, define a couple of elevation rules, and call it done. In practice, the value of EPM comes from having an actual policy behind it — who can request elevation, what gets auto-approved versus what needs a human, and how often you review the logs. Without that, you’ve just built a more auditable way to hand out local admin, which is better than nothing but well short of what the feature is capable of.
4 — How I’d Sequence the Rollout
If I were advising a team on this today — and a few people have already asked me, which is part of why I’m writing this — here’s the order I’d push them toward, based on risk and effort rather than the order Microsoft lists the features in.
5 — Questions I’ve Actually Been Asked
Wrapping Up
This is a genuinely good move from Microsoft — removing a licensing barrier to features that meaningfully improve endpoint security posture is worth the credit it’s getting. But I’d push back gently on the framing that this is a free upgrade you flip on and walk away from. EPM in particular rewards the teams that treat it as a governance project, not a checkbox, and the platform gaps (Windows-only EPM and EAM) mean most mixed-fleet orgs will still need a secondary tool for macOS regardless of what’s now “included.”
My honest advice: start with Advanced Analytics this week, since there’s no reason not to. Then carve out real time — not a single afternoon — to pilot EPM properly before you trust it with anything beyond a small, well-understood device group.
If you’re testing this in your own tenant and hit something that doesn’t match what I’ve described here, I’d genuinely like to hear about it — drop it in the comments. Licensing changes like this tend to behave a little differently tenant to tenant, and I’d rather correct this post than leave bad guidance up.
— Anand
modernworkplacesecurity.com