Cloud Engineer Lab
Cloud Engineer Lab
Cloud Engineer Lab
Cloud Engineer Lab
© 2026
Microsoft Intune Suite Now Included in M365 E3 & E5 — What Changes from July 2026
Endpoint & CloudIntermediate

Microsoft Intune Suite Now Included in M365 E3 & E5 — What Changes from July 2026

From July 1, 2026, Microsoft bundles Intune Suite capabilities — Remote Help, Advanced Analytics, Plan 2, and Tunnel for MAM — directly into M365 E3 and E5 at no extra cost.

13 min read
Share

If you manage Microsoft 365 in an enterprise environment, July 2026 brings one of the most significant Intune licensing changes in years. Starting July 1, 2026, Microsoft is bundling advanced Intune Suite capabilities directly into Microsoft 365 E3 and E5 plans — at no additional add-on cost. Rollout continues across tenants through August 1, 2026.

This means features that previously required a separate Intune Suite or Intune Plan 2 add-on are now part of what your organisation already pays for.

This guide covers exactly what is included, how each feature works, and what your IT team should do right now.


What Is Changing — The Headline

Previously, getting capabilities like Remote Help, Advanced Analytics, or Tunnel for MAM required purchasing the Intune Suite add-on (approximately £10–12/user/month). From July 2026, these capabilities move into the base M365 E3 and E5 SKUs.

Rollout Timeline

July 1, 2026 — Feature availability begins for eligible tenants. August 1, 2026 — Full rollout completes across all qualifying tenants. No action required to receive the features — they appear automatically in your Intune admin centre once your tenant is updated.


What Is Now Included — SKU Breakdown

Microsoft 365 E3 (and EMS E3)

FeatureWhat It DoesPreviously Required
Intune Remote HelpBuilt-in remote assistance for IT supportIntune Suite add-on
Advanced AnalyticsDeeper device reporting and anomaly detectionIntune Suite add-on
Intune Plan 2Tunnel for MAM, specialty device management, OTA firmwareIntune Plan 2 add-on

Microsoft 365 E5 (and EMS E5)

E5 tenants receive everything in the E3 bundle above, plus all existing E5 entitlements. Organisations already on E5 will find these capabilities appear without any licensing change.

M365 E3 / EMS E3 — Previously: Intune Plan 1 only
July 2026 — Intune Plan 2 features added at no extra cost
Included: Remote Help · Advanced Analytics · Tunnel for MAM
Included: Specialty Device Mgmt · OTA Firmware (Zebra & others)
M365 E5 — All of the above, plus full E5 entitlements

Feature Deep Dive

Intune Remote Help

Remote Help is Microsoft's native remote assistance solution built directly into Intune. Before this change, IT teams either paid for the Intune Suite to access it, or relied on third-party tools like TeamViewer, AnyDesk, or built-in Quick Assist.

How Remote Help Works

Step 1: IT admin initiates a session

From the Intune admin centre, the helpdesk technician navigates to the device record and launches a Remote Help session. The platform generates a unique session code.

Step 2: End user accepts the request

The end user receives a notification on their device asking them to allow the session. They confirm and the connection is established — no third-party software installation required.

Step 3: IT admin assists

The technician can view the screen (view-only mode) or take full control of the device depending on the permissions configured. For elevated tasks, Remote Help supports UAC elevation during the session.

Step 4: Session is logged

Every Remote Help session — who initiated it, which device, start and end time, and actions taken — is captured in Intune audit logs. This is critical for compliance and helpdesk reporting.

Remote Help Capabilities

CapabilityDetails
Full remote controlTechnician takes control of the remote device
View-only modeTechnician observes without controlling
UAC elevation supportElevated tasks during session without local admin password
Unattended sessionsSupport unattended devices (servers, kiosks)
Chat during sessionBuilt-in chat alongside screen share
Audit loggingAll sessions captured in Intune audit logs
Role-based accessHelpdesk roles can be scoped — who can help whom
Cross-platformWindows and macOS support

Replace Third-Party Tools

If your organisation pays for TeamViewer Business or AnyDesk for helpdesk support, Remote Help now covers the same use case natively in Intune. Review your third-party remote support contracts — you may be able to cancel them.


Advanced Analytics

Advanced Analytics extends the default Intune reporting with deeper device intelligence, anomaly detection, and proactive insights. Where standard Intune reports tell you what is happening, Advanced Analytics helps you understand why and predict what will happen next.

What Advanced Analytics Adds

CapabilityWhat It Gives You
Anomaly detectionFlags unusual patterns — a device that suddenly has 5× more app crashes or 3× more policy failures
Battery health insightsPredicts which devices are approaching battery failure before users complain
Resource performance scoringCPU, RAM, and disk metrics with trend analysis per device and per model
Startup performanceTime-to-productivity scores — how long devices take from power-on to usable state
Work from anywhere reportsConnectivity quality and reliability metrics for remote workers
Custom reportsBuild and export tailored device health dashboards

Endpoint Analytics vs Advanced Analytics

Standard Intune includes basic Endpoint Analytics. Advanced Analytics layers AI-driven anomaly detection, predictive battery insights, and richer drill-down reporting on top of the base telemetry. They use the same data pipeline — Advanced Analytics is an enhanced view of what Intune already collects.

Using Advanced Analytics in Practice

A practical example: your helpdesk receives 20 support tickets in a week from users in the Finance department reporting slow login times. Without Advanced Analytics, you open each ticket individually. With it:

  • The anomaly detection flags a spike in startup time scores across 18 devices, all running a specific Intune configuration profile revision
  • The drill-down identifies that a new font package deployment is adding 40 seconds to logon
  • You roll back the deployment from the Intune console and the startup scores normalise within 24 hours

That is the kind of proactive, data-driven support Advanced Analytics enables.


Intune Plan 2 — What It Unlocks

Intune Plan 2 is the tier that sits above the standard Plan 1 included in M365 E3. It is now included in E3 as of July 2026. Here are the key capabilities it adds.

Tunnel for MAM (Mobile Application Management)

Microsoft Tunnel creates a secure VPN connection from a managed app on a mobile device to your corporate network — without requiring the device to be enrolled in MDM (full mobile device management).

This is the critical distinction:

ScenarioWhat You Need
Full device enrolled in Intune MDM, access company resourcesTunnel for MDM (available in Plan 1)
Personal device (BYOD), only the work app needs accessTunnel for MAM (Plan 2 — now included in E3)

Step 1: Deploy the Microsoft Tunnel gateway

A Linux server (on-premises or in Azure) runs the Tunnel gateway server. It acts as the VPN endpoint that apps connect to.

Step 2: Configure MAM policies in Intune

Create an App Protection Policy for iOS or Android that includes the Microsoft Tunnel configuration. Define which apps use the tunnel — typically Microsoft 365 apps or your internal line-of-business apps.

Step 3: User installs Microsoft Defender

Microsoft Defender on the mobile device acts as the VPN client for Tunnel for MAM. No additional VPN client needed.

Step 4: App connects transparently

When the user opens an app governed by the MAM policy, the Tunnel connection activates automatically and routes corporate traffic through the secure gateway. The user's personal apps continue to use the normal internet connection.

BYOD Without Full Enrollment

Tunnel for MAM is the answer to "how do we let contractors and personal devices access our internal SharePoint without enrolling their private phone into MDM." The device is never fully managed — only the specific work apps are protected and tunnelled.

Specialty Device Management

Plan 2 (now in E3) supports specialty device categories beyond standard Windows, iOS, Android, and macOS:

Device TypeExamplesUse Case
AR/VR headsetsMicrosoft HoloLens 2, Meta Quest for BusinessField service, manufacturing, healthcare
Industrial handheldsZebra TC-series, Honeywell devicesWarehouse, logistics, retail
Digital signageWindows-based kiosks and displaysReception, retail, wayfinding
Ruggedised laptopsPanasonic Toughbook, Dell Latitude RuggedField operations, public safety

These devices can now be enrolled, configured, and monitored in the same Intune portal as your standard fleet — single pane of glass management across all device categories.

Over-the-Air (OTA) Firmware Updates — Zebra and Others

One of the most operationally powerful Plan 2 capabilities for organisations running industrial devices is OTA firmware management.

For Zebra devices (the most widely deployed rugged Android handhelds in logistics and retail), Intune Plan 2 integrates with Zebra's Firmware Over the Air (FOTA) service:

Step 1: Connect Zebra FOTA to Intune

In the Intune admin centre, connect your Zebra FOTA account under Android Device Management. Intune discovers all enrolled Zebra devices and their current firmware versions.

Step 2: Create a firmware update policy

Define which Zebra device models should be updated, which firmware version to deploy, and the rollout schedule — staggered by site, shift, or device group to avoid operational disruption.

Step 3: Firmware deploys during maintenance windows

Devices receive the firmware update during configured maintenance windows (typically overnight or shift changes). The update is silent and automatic.

Step 4: Monitor rollout in Intune

The firmware update report in Intune shows per-device status — pending, downloading, applied, or failed — across your entire Zebra fleet from a single dashboard.

This replaces manual firmware update processes that previously required field technicians to update devices one-by-one or complex SCCM/WSUS workarounds.


What This Means for Your Organisation

Cost Impact

ScenarioPrevious Monthly CostFrom July 2026
M365 E3 + Remote Help + Advanced Analytics + Plan 2E3 base + ~£10–12/user add-onE3 base only
M365 E5 with Intune SuiteE5 base + add-onE5 base only

Organisations that have already purchased the Intune Suite add-on separately should review their licensing agreements. In many cases, the add-on cost can be removed from renewal — confirm with your Microsoft licensing partner.

Do You Need to Do Anything?

No Action Required for Feature Activation

The Intune Suite capabilities appear automatically in your tenant once Microsoft completes the rollout to your organisation. You do not need to assign new licenses or make any admin centre changes. You will see new options appear in:

  • Intune admin centre → Tenant administration → Remote Help
  • Intune admin centre → Reports → Endpoint Analytics → Advanced Analytics
  • Intune admin centre → Tenant administration → Microsoft Tunnel

Step 1: Verify feature availability in your tenant

After August 1, 2026, check your Intune admin centre for the new capabilities. If they are not visible, verify your licence assignment in the Microsoft 365 admin centre under Billing → Licences.

Step 2: Pilot Remote Help

Assign the Remote Help Administrator role to a subset of your helpdesk team and run a pilot. Test view-only and full-control sessions. Review session logs in the Intune audit log. Document your internal runbook for when to use Remote Help vs other tools.

Step 3: Enable Advanced Analytics

In Intune → Reports → Endpoint Analytics, enable data collection if not already running. Allow 24–48 hours for baseline data to populate, then review the anomaly detection and battery health reports for your fleet.

Step 4: Evaluate Tunnel for MAM for BYOD users

If your organisation has contractors, part-time staff, or a BYOD policy, review whether Tunnel for MAM can replace your current approach (full MDM enrollment or third-party VPN clients on personal devices).

Step 5: Review specialty device inventory

If your organisation uses Zebra handhelds, HoloLens, or other specialty devices not currently managed in Intune, this is the moment to enroll them. Document the device models, current firmware versions, and planned update cadence.

Step 6: Cancel redundant add-ons

Review your Microsoft licensing invoices and third-party tool subscriptions. Remote Help may replace a paid third-party remote support tool. The now-included Plan 2 features may allow removal of the Intune Suite or Plan 2 add-on at next renewal.


Updated License Map — July 2026

Here is the revised feature-to-license mapping after the July 2026 changes.

FeatureFreeM365 E3 (Post July 2026)M365 E5 (Post July 2026)
MDM / MAM
Compliance policies
App deployment
LAPS (cloud)
Conditional Access✅ (P1)✅ (P2)
SSPR✅ (P1)✅ (P2)
PIM / PAM❌ (P1 only)✅ (P2)
Identity Protection✅ (P2)
Remote HelpNewNew
Advanced AnalyticsNewNew
Tunnel for MAMNewNew
Specialty device mgmtNewNew
OTA firmware (Zebra)NewNew
Cloud PKISuite onlySuite only

Cloud PKI Remains Suite-Only

Microsoft Cloud PKI — the fully managed cloud certificate authority for issuing device and user certificates — is NOT part of this July 2026 inclusion. It remains in the full Intune Suite add-on. If your organisation uses or plans to use Cloud PKI, you still need the Intune Suite separately.


Summary

The July 2026 Intune licensing update is genuinely significant for enterprise IT teams. Three previously paid capabilities — Remote Help, Advanced Analytics, and Intune Plan 2 (including Tunnel for MAM, specialty device management, and OTA firmware updates) — move into the M365 E3 and E5 base plans.

Key takeaways:

  • Remote Help replaces the need for third-party remote assistance tools for Intune-managed Windows and macOS devices.
  • Advanced Analytics adds AI-driven anomaly detection and predictive device health reporting — valuable for large fleets.
  • Tunnel for MAM enables BYOD scenarios where only work apps tunnel to corporate resources, without full device enrollment.
  • Specialty device management brings AR/VR headsets, rugged handhelds, and industrial devices under the same Intune umbrella as your standard fleet.
  • OTA firmware management for Zebra and compatible devices eliminates manual firmware update operations.

The biggest immediate action: if you have been paying for the Intune Plan 2 or Intune Suite add-on, speak to your Microsoft licensing partner before your next renewal. You may no longer need that add-on for the features covered by this change.


Have questions about how this affects your specific licensing or deployment? Drop a comment below — I am happy to help you work through the implications for your environment.

CChetan Yamger

Written by

Chetan Yamger

Cloud Engineer · AI Automation Architect · Modern Workplace Consultant

Cloud Engineer, AI Automation Architect, and Modern Workplace Consultant based in Amsterdam, Netherlands. Specializing in scalable, secure enterprise solutions with Microsoft Azure, Intune, PowerShell, and AI-driven automation using ChatGPT, Gemini, and modern LLM technologies.

Cloud & Modern WorkplaceMicrosoft Intune & MDMAzure & Microsoft 365AI AutomationPrompt EngineeringPowerShell & Graph APIWindows AutopilotConditional Access & Zero TrustSCCM / MECM & MSIXVDI / WVDPower BINode.js & Next.js
Newsletter

Stay in the loop.
New articles, straight to you.

Deep-dive technical articles on Intune, PowerShell, and AI — no noise, no spam.

New article notifications
No spam, ever
Free forever

Discussion

Share your thoughts — your email stays private

Leave a comment

0/2000

Your email is used to prevent spam and will never be displayed.