Microsoft 365 Licensing News: Intune Suite included in E3 and E5 Plans

The evolution of endpoint management enters a new phase: Microsoft recently announced a licensing model change that significantly expands the capabilities included in the Microsoft 365 E3 and E5 plans. Features that were previously available only through the Intune Suite plan or as add-ons will become an integral part of the Microsoft 365 E3/E5 plans, giving companies access to advanced security, analytics, and management capabilities.

Microsoft’s announcement, released shortly after Ignite 2025, marks a significant step in the company’s strategy to simplify and unify device management through a cloud-native platform like Microsoft Intune. The goal is to help companies take full advantage of these new capabilities, at a time when many organizations are planning the transition from on-premises management tools like Microsoft Configuration Manager (aka SCCM).

This change is based on three main strategic pillars.

  • The first is to accelerate the adoption of a cloud-based management model, supporting the Zero Trust model, based on continuous verification, cloud identity, and minimal access rights.
  • The second is to simplify companies’ operational and security ecosystem by introducing advanced analytics, cloud-based PKI infrastructure, and secure support tools. This way, organizations can reduce the need for third-party solutions and consequently optimize costs by focusing on a single “ecosystem.”
  • The third is to align with Microsoft’s evolutionary path in endpoint management, strengthening the centrality of Intune as a strategic platform for managing any device: Windows, macOS, Linux, iOS/iPadOS, and Android.

To help you better understand the new features introduced, we provide a summary table of the plans and features now integrated or planned for the next rollout phases:

Microsoft 365 plan: Enterprise Mobility + Security E3 (EMS E3) (included in Microsoft 365 E3)
Features included:
  • Remote Help
  • Advanced Analytics
  • Intune Plan 2*

Microsoft 365 plan: Microsoft 365 E5
Features included: all features present in M365 E3, plus:
  • Endpoint Privilege Management
  • Cloud PKI
  • Enterprise App Management

Microsoft 365 plan: Microsoft 365 E5 (additional security components)
Features included:
  • Microsoft Security Copilot

Table 1: Summary table of features included in Microsoft 365 plans

*Add-on to Microsoft Intune Plan 1 that provides advanced endpoint management features such as Microsoft Intune Tunnel for Mobile Application Management (a VPN solution for iOS and Android mobile devices), remote firmware updates, and device configuration/protection for VR, hubs, etc.

Benefits

By introducing advanced features directly into Microsoft 365 plans, endpoint management becomes more centralized and streamlined; IT will be able to operate from a single console, reducing the learning curve for staff and speeding up processes.

From a security perspective, the Zero Trust model requires continuous verification of users and devices. Intune Suite features integrate seamlessly into this model, as each feature maps to the model’s three “pillars”:

  • Verify explicitly;
  • Assume breach;
  • Use least privilege.

Another important benefit of this change is undoubtedly cost optimization: although Microsoft has announced updates to subscription pricing in the coming years, the inclusion of Intune Suite features can lead to significant overall savings; many organizations would be able to reduce dependencies on legacy infrastructure and consolidate tools, thus optimizing redundant costs.

Learn more about Intune Suite features

The core of this change is the introduction of several Intune Suite features directly into Microsoft 365; as previously mentioned, these features improve application support, security, analytics, and governance.

These features are detailed below:

Remote Help

Remote Help is a secure remote assistance tool natively integrated with Intune. Unlike generic tools, Remote Help rigorously enforces the organization’s security controls: it verifies the user’s identity via Entra ID through Conditional Access rules, informs the operator of the device’s compliance status before any connection, and applies role-based policies.

For IT admins managing hybrid work environments, this is a significant advantage: they can assist users wherever they are, with full visibility into the device’s state and compliance status.

Advanced Analytics

Advanced Analytics extends reporting capabilities with AI and machine learning models; this functionality allows you to detect anomalies, identify performance issues, flag inconsistent configurations, and predict potential issues before they impact the end user.

A particularly important feature in Advanced Analytics is Device Query, which allows you to query your entire device fleet in real time without waiting for scheduled reports or performing manual data collection tasks.

Advanced Analytics allows IT to be both proactive and reactive.

Endpoint Privilege Management (EPM)

Endpoint Privilege Management solves one of the most common problems in device security: granting administrative privileges to users. Through EPM, you can enforce a “least privilege” model, assigning elevated privileges to a user only for specific applications and/or operations.

In practice, the user maintains a standard profile while the authorized application can run in an elevated but monitored and limited context; this dramatically reduces the risk of privilege escalation and unauthorized system manipulation.

Cloud PKI

Cloud PKI enables the introduction of a completely cloud-native certificate issuance infrastructure, eliminating the need for dedicated on-premises servers. It also allows for the integration of any existing on-premises PKI infrastructure, enabling a gradual transition model. This feature automates the issuance, renewal, and revocation of certificates for any type of device (Windows, Android, iOS/iPadOS) and for Entra ID users, supporting a Zero Trust model for Wi-Fi authentication, VPNs, and sensitive applications.

Enterprise App Management

Still in the context of Zero Trust, one of the main challenges for companies is ensuring that applications installed on devices are constantly updated; failure to apply security patches promptly exposes the organization to the risk of cyber attacks that exploit various vulnerabilities in applications.

Enterprise App Management simplifies application lifecycle management: thanks to a centralized catalog of pre-configured Win32 apps validated by Microsoft, Enterprise App Management allows IT administrators to securely and automatically deploy and update software, eliminating the complexity of manual installations and reducing the risk of obsolete applications.

Conclusions

The introduction of Intune Suite features in the Microsoft 365 E3 and E5 plans represents a significant evolution in endpoint management: it simplifies operations, strengthens security, improves governance, and offers organizations a unified and modern ecosystem.

To effectively prepare, many companies will need preliminary assessments, compatibility analyses, the definition of a migration plan from Configuration Manager to Intune, and the implementation of a comprehensive modern endpoint management strategy.
