Starting in the third quarter of 2026 (July – September), Microsoft will roll out new capabilities of the Microsoft Intune Suite within Microsoft 365. This expansion offers organizations the ability to manage endpoints at scale and apply Zero Trust principles.
This article explains what Intune capabilities will be available, which Microsoft 365 and Windows Enterprise licenses they include, and how these features will be rolled out operationally.
Current challenges for IT management
Organizations are managing increasingly large and diverse device environments, which are distributed and dynamic. IT teams must simultaneously:
- Secure devices and keep them compliant
- Ensure productivity and operational continuity
- Work within existing budgets
This requires advanced tools that combine management and security and can be implemented at scale.
New Intune capabilities in Microsoft 365
The following features are being rolled out within the Intune Suite:
- Intune Remote Help: provide remote support with full audit logging
- Intune Advanced Analytics: AI-driven analytics for device health and compliance
- Microsoft Tunnel for MAM: per-app VPN access without full device enrollment
- Endpoint Privilege Management: least-privilege access management
- Enterprise Application Management: streamlined application deployment and updates
- Microsoft Cloud PKI: cloud-native certificate management
- Security Copilot in Intune: support for automated analyses and actions based on AI
These features are intended to support endpoint management, security and compliance, providing IT teams with visibility and control without promising commercial benefits.
License overview
The new Intune features are available within specific Microsoft 365 and Windows Enterprise licenses.
| License plan | Included Intune functionality |
|---|---|
| Microsoft 365 E3 / EMS E3 | Intune Remote Help, Intune Advanced Analytics, Intune Plan 2 |
| Microsoft 365 E5 | All E3 features + Endpoint Privilege Management, Enterprise App Management, Cloud PKI, Security Copilot |
| Windows Enterprise E3 | Quick Machine Recovery (QMR), Cloud rebuild, Point-in-time restore, Autopatch update readiness |
| Windows Enterprise per-device | Basic recovery features (QMR, point-in-time restore), Software Assurance |
Important: Eligible tenants automatically receive access to these features. IT administrators will receive a 30-day notification in the Microsoft 365 Admin Center.
Practical consequences for organizations
This expansion enables IT teams to:
- Centralize and standardize endpoint management
- Better monitor security and compliance processes
- Automate device lifecycle management (such as certificate management and application updates)
Using Intune features requires the appropriate Microsoft 365 or Windows Enterprise license. Organizations must verify their licensing environment to properly deploy the new functionality.
