Microsoft Intune ships as Plan 1, Plan 2, and the Intune Suite bundle. Plan 1 is inside Microsoft 365 E3 and E5. Plan 2 is a paid add on. Intune Suite adds Remote Help, Endpoint Privilege Management, Advanced Analytics, and the rest.
Microsoft Intune is the cloud endpoint management product. Plan 1 covers core MDM and MAM. Plan 2 adds Microsoft Tunnel, advanced endpoint security configuration, and specialty device management.
The Intune Suite bundles Plan 1, Plan 2, and six add ons including Remote Help, Endpoint Privilege Management, and Advanced Analytics for 10 USD per user per month on top of the base plan.
Read this alongside the Microsoft knowledge hub, the Microsoft services page, the Defender for Endpoint Plan 1 vs Plan 2 article, the EA Renewal Playbook, and the Vendor Shield subscription.
Plan 1 is the core endpoint management product. Most knowledge worker estates already pay for it inside Microsoft 365 E3 or E5.
Plan 2 adds advanced endpoint scenarios. Microsoft documents the Plan 1 and Plan 2 licensing split. Most enterprises that buy Plan 2 are running specialty devices or per app VPN through Microsoft Tunnel.
The Intune Suite is the bundle Microsoft sells most aggressively. The Suite bundles Plan 1, Plan 2, and six add on capabilities at a 30% to 40% bundle discount against buying the add ons separately.
| Component | Standalone list per user per month | Inside the Suite | Standalone need |
|---|---|---|---|
| Intune Plan 1 | Inside E3 and E5 | Included | None if E3 or E5 |
| Intune Plan 2 | $4 | Included | Specialty device or Tunnel |
| Remote Help | $3.50 | Included | Help desk attended support |
| Endpoint Privilege Management | $3.50 | Included | Standing admin removal |
| Advanced Endpoint Analytics | $3.50 | Included | Anomaly detection and resource analytics |
| Microsoft Cloud PKI | $2.00 | Included | Cloud certificate authority |
| Enterprise App Management | $2.00 | Included | Third party app patching |
| Intune Suite bundled price | $10 | Plan 1 base required |
The Suite is roughly 35% cheaper than buying every add on separately. The break even sits at three components. Three or more components, buy the Suite. One or two, license the add ons standalone.
Microsoft publishes list prices for every Intune SKU. The EA discount band on Intune sits a touch below the Microsoft 365 base plan band.
| SKU | List per user per month | EA discount band | Typical landed price |
|---|---|---|---|
| Intune Plan 1 standalone | $8 | 3% to 10% | $7.20 to $7.75 |
| Intune Plan 2 add on | $4 | 5% to 12% | $3.50 to $3.80 |
| Intune Suite | $10 | 5% to 15% | $8.50 to $9.50 |
| Remote Help standalone | $3.50 | 3% to 10% | $3.15 to $3.40 |
| EPM standalone | $3.50 | 3% to 10% | $3.15 to $3.40 |
Microsoft Intune audits look for Suite features touched without the Suite SKU. The Intune admin center logs every feature touch. Remote Help and EPM are the two biggest sources of audit findings on a knowledge worker estate.
The Intune line item lands inside the broader Microsoft Enterprise Agreement. The Microsoft Product Terms govern every step down and true down right. Six levers move the bill at renewal.
The standard Microsoft pitch is that the Intune Suite is a discount, so every managed user should sit on it. We disagree. Across the Microsoft endpoint estates we reviewed in 2024 to 2025, Suite seats ran 30 to 50 percent ahead of the features the estate actually used, so the bundle discount evaporated against real consumption. The buyer side move is to count the components an estate truly needs first. Three or more components, the Suite pays. One or two, license those add ons standalone and hold the residual estate on Plan 1. A bundle is only a saving when the estate uses what it buys.
Source: Redress Compliance advisory engagement file, 2024 to 2025.
The seven step checklist puts the Intune line item on a clean licensing footing before the next EA renewal.
Plan 1 covers core MDM, MAM, Windows Autopilot, and app deployment. Plan 2 adds Microsoft Tunnel per app VPN, specialty device management for HoloLens and Vision Pro, advanced endpoint configuration, Linux fleet enrollment, and Configuration Manager tenant attach. Plan 1 is inside Microsoft 365 E3 and E5. Plan 2 is a 4 USD per user per month paid add on.
The Intune Suite bundles Plan 1, Plan 2, Remote Help, Endpoint Privilege Management, Advanced Endpoint Analytics, Microsoft Cloud PKI, and Enterprise App Management. The list price is 10 USD per user per month on top of the base plan. The Suite is about 35% cheaper than buying every component standalone.
The break even sits at three components. An estate that needs Remote Help, EPM, and Plan 2 saves money on the Suite against the three standalone SKUs. Estates that only need one or two add ons should license those standalone and avoid the broader Suite spend.
Yes. Microsoft Tunnel per app VPN for managed iOS and Android devices is a Plan 2 feature. A Tunnel deployment on Plan 1 only is a common audit finding. The 4 USD per user per month Plan 2 add on covers Tunnel plus the broader specialty device scope.
Remote Help sessions without the Suite, EPM rules without the SKU, Advanced Analytics dashboards touched without entitlement, Microsoft Tunnel running on Plan 1, and specialty devices enrolled without Plan 2 are the five most common findings. The Intune admin center surfaces all five through the feature usage report.
The Intune Suite lists at 10 USD per user per month on top of the base plan. Plan 2 alone lists at 4 USD. The Suite runs about 35% below buying Plan 2, Remote Help, Endpoint Privilege Management, Advanced Analytics, Cloud PKI, and Enterprise App Management separately.
Yes. Intune Plan 1 ships inside Microsoft 365 E3, E5, Business Premium, and Enterprise Mobility plus Security E3. Knowledge worker estates on those plans pay nothing extra for Plan 1. Plan 2 and the Intune Suite are paid add ons on top of that base.
Redress runs the Intune feature audit, the Suite versus a la carte choice, and the EA renewal position inside the Vendor Shield subscription and the Renewal Program. Every engagement is led by a former Microsoft commercial executive on the buyer side, with no Microsoft kickback on the table.
Redress runs Microsoft Intune advisory inside the Vendor Shield subscription, the Renewal Program, the Benchmark Program, and the Software Spend Assessment.
Read the related Microsoft hub, the benchmarking page, the about us page, the locations page, and the contact page.
Buyer side reference on the Microsoft EA renewal sequence. Suite versus a la carte, Intune feature audit, Defender stacking, and the six clause renewal levers.
Independent. Buyer side. Written for CIOs, CFOs, and procurement leaders carrying Microsoft Enterprise Agreements. No Microsoft kickback. No conflict on the table.
Open the white paper in your browser. Corporate email only.
Open the Paper →Remote Help sessions running without the Suite license is the single most common Microsoft audit finding on a 5,000 endpoint estate. Lock the Suite features behind a role before the help desk opens the first session.
We have run 500+ enterprise clients across 11 publishers. Every engagement starts with one conversation.
Microsoft Intune audit findings, Suite ramp benchmarks, EA renewal cadence, and Suite versus a la carte math from every Microsoft engagement we run on the buyer side.
Once a month. Audit patterns, renewal benchmarks, vendor commercial signals across Oracle, Microsoft, SAP, Salesforce, IBM, Broadcom, AWS, Google Cloud, ServiceNow, Workday, Cisco, and the GenAI vendors. No follow up sales pressure.
Free providers (Gmail, Yahoo, Outlook) cannot subscribe. Work email only. Unsubscribe in one click.
