Microsoft Endpoint Management Licensing: Intune, Autopilot, Defender and Beyond

The Microsoft Endpoint Management Licensing Stack in 2026

Microsoft's endpoint management capability is delivered through a combination of products that overlap significantly depending on which M365 or EMS licence tier an organisation holds. The core products are Microsoft Intune for device management, Microsoft Autopilot for device provisioning and deployment, Microsoft Defender for Endpoint for endpoint detection and response, and the broader Enterprise Mobility and Security (EMS) suite that bundles identity, device management, and information protection.

Understanding which endpoint management capabilities are included in your M365 licence tier — E1, E3, E5, or the new E7 tier at the top of the stack — and which require additional licences or subscriptions is essential for avoiding duplicate spending and compliance gaps. The July 2026 changes have significantly altered what comes with E3 and E5, making any endpoint management licence review done before that date potentially outdated.

Intune Licensing: Plan 1, Plan 2, and Intune Suite

Microsoft Intune is structured across three tiers in 2026. Intune Plan 1 is the core device management platform — MDM, MAM, compliance policies, conditional access, and app protection. It is included with M365 E3, E5, E7, F1, F3, and Business Premium. Organisations holding any of these licences do not need to purchase Intune Plan 1 separately.

Intune Plan 2 adds advanced capabilities: Microsoft Tunnel for MAM (secure VPN gateway for unenrolled mobile devices), Specialty Device Management for dedicated devices such as kiosks, digital signs, and industrial endpoints. As a standalone add-on, Plan 2 costs $4.00 per user per month. From July 2026, Plan 2 capabilities are being added to M365 E3 and EMS E3 as part of the pricing restructure that brings Intune Suite features into those tiers.

Intune Suite is the premium endpoint management bundle that previously cost $10.00 per user per month as a standalone add-on. It combines Plan 1 and Plan 2 capabilities with additional features: Remote Help (remote desktop support for managed devices), Advanced Analytics (endpoint health, performance, and battery analytics), Endpoint Privilege Management (EPM — least-privilege management for Windows without admin rights), Enterprise Application Management (EAM — curated app catalogue and lifecycle management), and Microsoft Cloud PKI (cloud-based certificate management). From July 2026, Microsoft is including a subset of these Intune Suite features in M365 E3 and E5, with the most advanced features — EPM, EAM, and Cloud PKI — reserved for M365 E5 and above.

What E3 Gets from July 2026

M365 E3 and EMS E3 from July 2026 will include Intune Remote Help, Microsoft Intune Advanced Analytics, and Intune Plan 2 (Tunnel for MAM and Specialty Device Management). E3 customers who were previously paying $10 per user per month for the Intune Suite add-on primarily for Remote Help and Advanced Analytics can eliminate that spend — the July 2026 E3 price increase of 8.3 percent (from $36 to $39 per user per month) effectively bundles these capabilities into the base tier.

The financial calculation for E3 customers depends on the utilisation rate of the Intune Suite features being folded in. For a 1,000-user E3 organisation that was also paying $10 per user per month for the Intune Suite, the annual cost of the Suite was $120,000. The E3 price increase adds $36,000 annually ($3 per user per month times 1,000 users times 12 months). If Remote Help and Advanced Analytics were being used, the net saving is $84,000 per year. If the Intune Suite was not being used, the E3 price increase represents a pure cost increase with no offsetting benefit.

What E5 Gets from July 2026

M365 E5 from July 2026 gains additional Intune Suite capabilities: Endpoint Privilege Management (EPM), Enterprise Application Management (EAM), and Microsoft Cloud PKI, in addition to the E3-level features. These are exclusively added to M365 E5 (the full subscription), not to the underlying EMS E5 component. Customers on EMS E5 without the full M365 E5 licence do not receive EPM, EAM, or Cloud PKI from the E5 tier restructure.

E7 and Endpoint Management

E7, the new top tier of the M365 SKU stack above E5, includes all the endpoint management capabilities in E5 plus the expanded AI, security, and compliance bundle that distinguishes E7. Microsoft field teams are actively moving E5 customers to E7 at renewal in 2026, with the endpoint management capabilities included in E7 as part of the broader E7 value proposition. For organisations that have been purchasing E5 plus Intune Suite add-ons, the E7 pricing discussion should include a detailed accounting of what Intune Suite capabilities are already covered at E7 and what additional endpoint management cost E7 eliminates.

Enterprise Mobility and Security (EMS) Licensing

EMS is the Microsoft licence bundle that combines Entra ID (identity), Intune (device management), and Microsoft Purview Information Protection (data classification and DLP). It is available in two tiers: EMS E3 at $10.60 per user per month and EMS E5 at $16.40 per user per month.

EMS E3 includes Entra ID P1, Intune Plan 1, and Purview Information Protection P1. EMS E5 adds Entra ID P2, Intune Plan 1, Purview Information Protection P2, and Microsoft Defender for Identity. EMS is most relevant for organisations that need the identity and device management bundle without the full M365 E3 or E5 licence — for example, organisations that use Google Workspace for productivity but want Microsoft's identity and endpoint management capabilities.

For organisations on M365 E3 or E5, EMS capabilities are already included — purchasing EMS separately represents duplicate spend. A recurring licence optimisation finding in our EA assessments is EMS licences that are redundant because the same capabilities are already covered by the M365 E-tier assigned to the same user. At $10.60 to $16.40 per user per month, redundant EMS licences represent significant waste at scale.

Microsoft Defender for Endpoint: Licensing Within the M365 Stack

Microsoft Defender for Endpoint is available in two tiers. Plan 1 (MDE P1) provides basic endpoint protection — next-generation antivirus, attack surface reduction, and device control. It is included in M365 E3, E5, E7, Business Premium, and F3. Plan 2 (MDE P2) adds full EDR capabilities, automated investigation and response, threat and vulnerability management, and the 180-day data retention for the security portal. MDE P2 is included in M365 E5, E7, and the E5 Security add-on, but not in E3.

Organisations on E3 that want MDE P2 capabilities have three options: upgrade selected users to E5, purchase the E5 Security add-on at $12 per user per month for users requiring MDE P2, or purchase MDE Plan 2 as a standalone add-on. For organisations evaluating the E5 Security add-on, it covers MDE P2, Defender for Office 365 P2, Defender for Identity, Defender for Cloud Apps, and Entra ID P2 in a single $12 per user per month bundle — making it the most cost-effective route to MDE P2 if any of the other included components are also needed.

Defender for Endpoint integration with Intune for device compliance is available across all tiers where both products are licensed — Intune reads Defender risk signals to enforce conditional access policies, blocking non-compliant or compromised devices from corporate resources. This integration works for both enrolled and unenrolled devices where the Defender agent is deployed, and is one of the genuinely compelling reasons to maintain both Microsoft products in the endpoint stack rather than sourcing EDR from a third-party vendor.

Microsoft Autopilot: Included, Not Add-On

Microsoft Autopilot — the cloud-based device provisioning and deployment service — is not a separately licensed product. It is included with any qualifying Intune licence, which means it is available to all M365 E3, E5, E7, F3, and Business Premium users without additional cost. The device itself must be registered in Autopilot, and certain hardware and OS requirements apply, but no incremental licence purchase is required.

Autopilot for pre-provisioned deployment (formerly Autopilot White Glove) and Autopilot self-deployment mode do have additional technical requirements but remain within the Intune licensing scope. Organisations paying for third-party device provisioning services to complement Autopilot should review whether Autopilot's expanding capabilities make those services redundant.

Common Endpoint Management Licensing Mistakes

Purchasing Intune Suite for users who only need Plan 1: The most common endpoint management overspend is assigning Intune Suite ($10 per user per month) to the entire user population when only a subset genuinely requires EPM, EAM, or Cloud PKI. Role-based Intune Suite assignment — IT staff, privileged users, and employees with sensitive data — reduces cost by 60 to 80 percent versus universal deployment.

Holding EMS licences alongside M365 E-tier licences: Users with M365 E3 or E5 already have the equivalent of EMS E3 or E5 included in their M365 licence. Maintaining EMS licences alongside M365 licences for the same users is pure duplicate spend. This occurs commonly after M365 migrations where the EMS agreement was not terminated.

Purchasing MDE P2 standalone when E5 Security covers more: The E5 Security add-on at $12 per user per month includes MDE P2 plus four additional security components. For users who need any combination of those components, E5 Security is more cost-effective than MDE P2 standalone plus separate add-ons for the other required capabilities.

Not modelling the July 2026 E3/E5 price change against Intune Suite spend: Organisations that budget for the E3 price increase without simultaneously reviewing their Intune Suite add-on spending are likely missing net savings. The price increase is specifically designed to bundle capabilities previously purchased separately — the analysis should treat them as one commercial decision, not two separate line items.

Not accounting for E7 in endpoint management planning: E7, the new M365 top tier above E5, includes endpoint management capabilities as part of a broader security and AI bundle. For E5 customers who are also purchasing Intune Suite, Defender add-ons, and Copilot, the total cost stack may approach or exceed E7 pricing — making an E7 migration worth modelling even before Microsoft's field team proposes it.