
From Q3 2026, Microsoft automatically rolls out Intune Suite capabilities for E3 and E5 tenants. Remote Help, Advanced Analytics, Endpoint Privilege Management, and Cloud PKI are now included. But provisioning is not the same as use: without configuration, none of these capabilities reach your end users.
From the third quarter of 2026, Microsoft is adding a set of advanced Intune Suite capabilities to Microsoft 365 E3 and E5 licences at no additional cost. The separate Intune Suite add-on that IT teams previously had to purchase at around ten dollars per user per month is now folded into the base licence. The rollout runs automatically for eligible tenants and must be fully complete by 1 August 2026.
For IT teams, this creates a concrete action window. The new capabilities will appear automatically in your tenant, but they do not activate themselves for end users. Taking time now to map the possibilities and decide what to enable and when prevents confusion and lets you extract value from day one.
With Microsoft 365 E3, your organisation gains four Intune Suite capabilities that were previously licensed separately. Remote Help lets IT administrators remotely take over a user's screen via a secure, audited session. For support teams currently relying on external tools such as TeamViewer or AnyDesk, this is a direct, native replacement inside Intune with full session logging in the admin centre.
Advanced Analytics provides insight into device health, battery life, application reliability, and unplanned restarts through a model that identifies trends across the entire device fleet. IT administrators can see proactively which devices should be replaced before they cause problems at a critical moment.
Microsoft Tunnel for Mobile Application Management enables secure access to internal company resources on mobile devices, including personal devices under a BYOD model, without requiring the full device to be enrolled in MDM. This is a long-awaited capability for organisations that let employees work on iOS or Android with access to internal systems.
The fourth addition covers specialty device management and firmware updates: management of device types outside the standard PC fleet, such as rugged devices, kiosks, AR/VR headsets, and Surface Hub. The new firmware update capability lets firmware for supported hardware be deployed directly from Intune, without external tools or manual intervention.
Microsoft 365 E5 customers receive three additional capabilities focused on application security, identity privilege risk, and certificate management. Endpoint Privilege Management, or EPM, addresses one of the most persistent problems in end-user administration: employees who need local administrator rights for specific applications or installations, where granting full admin rights poses too great a security risk. EPM lets you define granular exceptions so that, for example, an employee can run only one specific installer as administrator, without any further privileges.
Enterprise App Management is a curated catalogue of the most commonly used business applications, including automatic updates managed by Microsoft. IT administrators no longer need to manually track installation packages for widely used tools. The catalogue grows continuously and significantly reduces the management burden for application patching — a direct time saving for teams currently handling this manually or through external tools.
Microsoft Cloud PKI replaces the traditional on-premises certificate authority with a cloud-native PKI service. Certificates for Wi-Fi authentication, VPN, S/MIME, and device identity can be fully deployed and managed from Intune. For organisations currently running on a Windows Server CA or an external PKI provider, this is a significant simplification of the infrastructure.
Microsoft sends a notification via the Microsoft 365 admin centre at least thirty days before the new capabilities become available in your specific tenant. The capabilities are then made available automatically; you do not need to opt in or start a migration. The rollout begins during Q3 2026 and proceeds in phases per tenant.
In practice, this means that after receiving the notification you have a month to align internally: which capabilities do you want to enable, for whom, and in what order? Teams that miss or ignore the notification still receive the entitlements, but may find themselves with capabilities available in the environment without any policy in place to govern them responsibly.
A common misconception: because licence entitlements are added automatically, some IT teams expect the capabilities to switch on for end users as well. That is not the case. The functionality appears in your Intune environment as an available option, but active configuration is always required before anything reaches a user.
Remote Help requires a configuration profile and explicit assignment to user groups. EPM requires elevation rules that define precisely when and for which actions a user may request temporarily elevated rights. Cloud PKI requires you to create a Cloud CA and configure trust chains. Without a policy plan, the capabilities do not reach your end users, regardless of which entitlements have been granted at licence level.
Remote Help has the lowest activation threshold and delivers immediate value for support teams. If your organisation currently pays for an external remote support tool, this is a direct cost replacement that is also better integrated with your Intune environment and requires no separate agent installation on the end device.
Advanced Analytics is worth enabling early, especially if you are planning a hardware refresh in the second half of 2026. The insights the model builds up over the device fleet grow richer the longer it runs, so the earlier you enable it, the more useful the data will be when you need to make decisions.
Endpoint Privilege Management requires more preparation but addresses a structural security problem that quietly persists at many organisations: too many employees with local admin rights. Start with a pilot group of ten to twenty users who currently receive temporary admin rights for specific tasks, define the elevation rules for those scenarios, and scale from there.
Cloud PKI is the most impactful change for organisations with an existing PKI infrastructure. Plan it only after working through Microsoft's migration documentation and setting up a test environment. For organisations without existing PKI, it is actually a good entry point to set up certificate management correctly from the start.
The Intune Suite expansion is a rare licensing change that genuinely delivers new capabilities to IT teams without an extra invoice. But that value is only realised by teams that actively take on the configuration. Want help activating the new Intune Suite capabilities, drafting EPM policy, or migrating to Cloud PKI? Contact Zarioh for a no-obligation conversation.