Microsoft offers the Intune Suite as a separate add-on bundle to specifically extend the core functions of Microsoft Intune Plan 1 – which are included in Microsoft 365 E3/E5 and EMS – with advanced security and management features. The main reason: companies have very different requirements for endpoint management, ranging from basic administration to complex zero-trust scenarios. Instead of packing all features into an expensive standard package, Microsoft enables modular expansion tailored to customer needs.
Intune (Plan 1) is already widely used among my customers, whether to manage mobile devices such as iPhones or Android smartphones or Windows devices. When the Intune Suite was announced about one and a half to two years ago, I repeatedly heard during pilot projects or workshops that its components provide additional benefits and could even replace third-party products. However, the biggest hurdle mentioned was the price. It didn’t matter whether we were talking about individual components of the suite (so-called Intune add-ons) or the full suite – neither was financially competitive.
Since Microsoft’s announcement on December 4, 2025, we now know that the Intune Suite will become part of various M365 plans! In this blog post, I would first like to highlight the functions and added value of the Intune Suite and then explain what the integration of these features into different M365 plans specifically means for customers.
Features and Benefits of the Intune Suite
| Component | Function |
| --- | --- |
| Remote Help | Secure remote support solution for Windows, Mac, and mobile devices, including role-based access. |
| Advanced Analytics | Proactive analysis of device and app data, anomaly detection, trend reports. |
| Microsoft Tunnel for MAM | App-based VPN access for BYOD devices without full device management. |
| Management and Protection of Specialized Devices | Devices such as augmented reality and virtual reality headsets, large smart screens, and conference room devices. |
| Microsoft Intune Firmware Over-the-Air Updates (FOTA) | Remote firmware updates on supported devices. |
| Cloud PKI | Cloud-based certificate management for devices and users. |
| Endpoint Privilege Management | Enables controlled, time-limited elevation of user privileges (least privilege). |
| Enterprise App Management | Deployment and automated updates for Win32 applications from a central catalog. |
What does the integration mean for customers licensed for M365 E3 or E5 plans?
Benefits for customers with EMS E3 or M365 E3
For customers with EMS E3 or M365 E3, this change means they will be able to use the blue features listed above in the future – at no additional cost! This primarily includes “Remote Help” and “Advanced Analytics.”
Remote Help supports IT in support cases with a cloud-based solution that works on virtually any device. Thanks to full integration into Intune, there is no longer any need to leave the management console (keyword: single pane of glass). Only the actual remote assistance is app-based and therefore cannot be integrated into Intune. Microsoft has already mentioned that it is quite possible that the “Remote Help” app will be built into Windows 11 26H2, eliminating the need for separate app deployment. These benefits also come with a positive financial effect, as you can eliminate a third-party license, such as TeamViewer.
Advanced Analytics extends the current Endpoint Analytics capabilities in Intune, enabling proactive endpoint management. It also offers improved reporting functionality and deeper insights into the device landscape. Using Kusto Query Language (KQL, also used in areas such as Defender XDR), administrators can proactively detect and resolve issues, simplify troubleshooting, and improve the end-user experience.
Benefits for customers with M365 E5
For customers with M365 E5, this change means they will have access to all the features listed above, including the yellow ones. I would like to highlight “Endpoint Privilege Management” (EPM) in particular, which is becoming increasingly important as part of Microsoft’s “Secure Future Initiative” (SFI), because it addresses a challenge IT has been facing for what feels like forever: eliminating local administrators!
Removing local admin rights means consistently applying the “least privilege” principle. Every user should only receive the permissions they truly need. With EPM, only the application that the user requires is launched with elevated rights. So, a developer will no longer need local admin rights in the future – ideally, they will only need to run Visual Studio Enterprise with elevated privileges.
SFI is not only about eliminating local admin rights, but also about removing software vulnerabilities through regular and automated updates. For this, the Intune Suite, and now also the M365 E5 license, includes “Enterprise Application Management” (EAM). This is Microsoft’s solution for third-party patch management, similar to what Neo42 or PatchMyPC offer. E5 customers will therefore be able to patch and keep up to date not only Windows, Office, Edge, and drivers, but also applications like Adobe, Firefox, etc. The software catalog does not cover every application used by enterprise customers, but the majority should be included (as of December 2025: 933 applications in various versions).
Our conclusion and how we can support you
All in all, the Intune Suite components enhance any Intune environment. Until now, high costs have prevented most customers from testing or piloting these add-ons. Now, with the integration of the suite components into M365 E3 and E5 licenses, Microsoft makes it possible for all customers to use them free of charge.
We are happy to support you in setting up a proof of concept so you can decide whether these add-ons will make your IT landscape more secure, and whether some third-party products can be replaced. As a first step, we offer a workshop in which we present all the add-ons and demonstrate their functionality in an Intune environment.
