The MSP License Ladder #5: The Endpoint Gap
A customer still relies on a legacy file share, and a user needs to install a custom organization-specific application to access it. On Intune Plan 1, you either give them local admin - permanently, across every app, with no audit trail - or you remote in yourself and burn 15 minutes per request. Scale that across your customer base and those remote sessions add up fast.
Meanwhile, GlobalProtect pushes another update. On Intune Plan 1, keeping it current means: download the new installer, repackage it as a Win32 app, configure detection rules, upload to each tenant, deploy, and monitor - or build a custom wrapper around winget and hope it holds. Either way, that is engineering time you are spending on work a catalog should handle for you. And GlobalProtect is just one app out of dozens.
Both are endpoint management problems that Intune Plan 1 does not solve. They are also cost problems. Every 15-minute remote session for an elevation request, every hour spent repackaging a Win32 update, every incident that starts with a user who had local admin they should not have had - that is money. The Intune Suite at $10/user/month is not just a feature upgrade. It is a trade: a predictable line item that replaces unpredictable operational cost.
This post is part of The MSP License Ladder, a series on what Business Premium and E3 don’t give you, and how to build on top of them. Every post covers one gap: what’s missing from the base SKU, what it costs to close, and what you can actually build with it. Previous: #4, The Exposure Gap.
A few terms up front:
- EPM (Endpoint Privilege Management): just-in-time admin elevation without standing local admin rights. Users request, you approve (or auto-approve by rule).
- EAM (Enterprise App Management): curated app catalog with 450+ third-party apps, auto-update, and supersedence handling. Microsoft hosts the binaries.
- Intune Suite: the bundle that includes EPM, EAM, Advanced Analytics, Remote Help, Cloud PKI, and Intune Plan 2 features. $10/user/month on top of Intune Plan 1.
Table of Contents
- What you actually get today
- The July 2026 split
- The concrete gaps
- The upgrade paths
- What you unlock
- When not to bother
- Security Copilot in Intune
- How to pitch it
- Conclusion
What you actually get today
Business Premium, Microsoft 365 E3, and Microsoft 365 E5 all include Intune Plan 1:
Enroll devices across Windows, macOS, iOS, and Android. Push configuration profiles, compliance policies, and Windows Update rings. Deploy Win32 apps, LOB apps, and Microsoft Store apps. Use device compliance as a Conditional Access grant control. Provision new machines with Windows Autopilot. Get basic device and app performance data through endpoint analytics.
All three SKUs share the same endpoint management baseline right now. None of them include the Intune Suite or any of its components.
The July 2026 split
This is what makes this post different from every other post in the series. In July 2026, Microsoft is folding Intune Suite components into E3 and E5 - but not into Business Premium. For the first time in the series, a gap closes automatically for some customers and stays open for others.
| Component | BP after July 2026 | E3 after July 2026 | E5 after July 2026 |
|---|---|---|---|
| Remote Help | Add-on | Included | Included |
| Advanced Analytics | Add-on | Included | Included |
| Intune Plan 2 (Tunnel MAM, specialty devices, firmware OTA) | Add-on | Included | Included |
| Endpoint Privilege Management | Add-on | Add-on | Included |
| Enterprise App Management | Add-on | Add-on | Included |
| Cloud PKI | Add-on | Add-on | Included |
Source: Microsoft 365 adds advanced Microsoft Intune solutions at scale. Rollout begins CY26 Q3. Eligible tenants are auto-provisioned with 30-day admin center notice.
The takeaway: E5 customers get everything. E3 customers get Remote Help, Advanced Analytics, and Plan 2 features - but not EPM, EAM, or Cloud PKI. Business Premium customers get nothing. The Endpoint Gap stays fully open for BP.
The concrete gaps
Intune Plan 1 enrolls devices, pushes configuration, and deploys apps. Microsoft Store apps handle their own updates, but every Win32 and LOB app you deploy is yours to keep current - unless the app has its own auto-update mechanism, you are repackaging and redeploying manually. That is only the beginning of where the baseline stops. These are the gaps that show up after enrollment.
Endpoint Privilege Management
A user needs admin rights to install a custom application for a legacy file share. On Intune Plan 1, your options are: give them local admin (permanent, unscoped, no audit trail) or remote in yourself (15 minutes per request, does not scale). One caveat that carries over to EPM: it only elevates local executables, so the installer still has to be copied from the share to the local drive before the elevation request.
EPM replaces both with just-in-time elevation. You define elevation rules: auto-approve known executables by file hash or certificate, require approval for unknowns, block everything else. The user right-clicks and selects “Run with elevated access.” If the rule matches, it elevates that single process. If not, it routes to you for approval. Every elevation is logged with full metadata - executable name, user, device, rule matched, timestamp.
This ties directly back to #1, The Hunting Gap. Local admin sprawl is exactly what Advanced Hunting flags in DeviceLogonEvents. EPM prevents it at the source instead of hunting for it after the fact.
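The hunt referred to above, as an added example that is not part of the original post: an Advanced Hunting query over the Defender for Endpoint `DeviceLogonEvents` table that surfaces devices where several distinct human accounts have signed in with local admin rights. The exclusion list of built-in accounts is constructed here and should be tuned per tenant; after EPM removes standing admin, this result set is what you expect to shrink.

```kql
// Added example, not from the post: local admin sprawl in DeviceLogonEvents.
// Lists devices where more than one distinct account logged on interactively
// with local admin rights in the last 30 days.
DeviceLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonSuccess"
| where IsLocalAdmin == true
// Interactive logon types only; network/service logons are noise for this question
| where LogonType in ("Interactive", "RemoteInteractive", "CachedInteractive")
// Constructed exclusion list: machine accounts and Windows built-ins (tune per tenant)
| where AccountName !endswith "$"
| where AccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "DWM-1", "UMFD-0")
| summarize
    AdminAccounts     = make_set(AccountName),
    AdminAccountCount = dcount(AccountName),
    LastAdminLogon    = max(Timestamp)
    by DeviceName
| where AdminAccountCount > 1
| order by AdminAccountCount desc
```

Run it as a baseline before the EPM rollout and again after; the delta is the standing-admin footprint EPM replaced.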
Enterprise App Management
Take something as common as GlobalProtect. On Intune Plan 1, you have two options: package every update as a new Win32 app (download the installer, wrap it, configure detection rules, upload, deploy, repeat next month), or build a custom Win32 app that shells out to winget and hope the detection logic holds. Both work. Neither scales. And that is just one app - multiply it by every third-party tool your customers rely on that does not auto-update through its own mechanism.
EAM provides the Enterprise App Catalog - a curated collection of 450+ third-party apps hosted by Microsoft. GlobalProtect is in the catalog. So are Zoom, 7-Zip, Notepad++, and hundreds of others. You pick the app, and Intune provides the binary, the detection rules, the install commands, and the supersedence logic. When a new version lands in the catalog (target: 80-90% within 24 hours of vendor release), Intune flags it in the Enterprise App Catalog apps with updates view. You review it, create the supersedence relationship, and the update rolls out. It is not fully automatic - you still approve the update - but the heavy lifting (packaging, detection rules, hosting) is done for you. No more repackaging. No more winget workarounds.
The difference: you stop being a software distribution pipeline and start being a policy layer on top of one.
Advanced Analytics
A user reports their laptop is slow. You check compliance - it says “compliant.” That tells you the device meets your minimum bar. It does not tell you why it is slow.
Advanced Analytics extends base endpoint analytics with reports that answer the question compliance cannot: resource performance (CPU and RAM issues by device, model, and manufacturer), battery health (cycle count, designed vs actual capacity, degradation trends), anomalies (regressions in user experience after configuration changes), and device timeline (low-latency event history for troubleshooting). The properties catalog collects detailed hardware inventory per device, but spotting a trend across hundreds of devices from individual device views is impractical - that is where fleet-wide device query comes in.
The standout feature is device query for multiple devices. Once you deploy a properties catalog policy to your Windows devices, Intune collects hardware inventory data that you can query using KQL - across your entire fleet, not just one device at a time. The properties catalog covers CPU, disk, memory, TPM, BIOS, battery, network adapters, encryption status, OS version, and more. You can run queries like “show me all devices with an unencrypted volume,” “list devices with less than 50% battery health,” or “count devices by OS version” - and get results across hundreds of devices in seconds. Device query also works on iOS, Android, and macOS without a properties catalog policy.
Think of it as Advanced Hunting for device inventory instead of security telemetry.
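One of the fleet-wide queries mentioned above ("devices with less than 50% battery health"), as an added example that is not part of the original post. It is written for Intune device query for multiple devices; the entity and column names (`Battery`, `DesignedCapacity`, `FullChargedCapacity`, `CycleCount`, `DeviceName`) are assumed from the properties catalog schema and should be confirmed in the admin center schema picker before use.

```kql
// Added example, not from the post: Intune multi-device query over the
// properties catalog. Battery health = full-charge capacity as a share of
// designed capacity. Entity/column names are assumed; verify in the schema picker.
Battery
// Guard against devices that report no designed capacity (avoids divide-by-zero)
| where DesignedCapacity > 0
| extend HealthPct = round(100.0 * FullChargedCapacity / DesignedCapacity, 1)
| where HealthPct < 50
| project DeviceName, HealthPct, CycleCount, DesignedCapacity, FullChargedCapacity
| order by HealthPct asc
```

Swap the `Battery` entity for `EncryptableVolume` or `OsVersion` to get the other two queries the text describes; the pattern (filter, extend, project) is the same.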
Remote Help
Quick Assist works fine for basic Windows remote support. But it does not tie into your identity stack, it has no role-based access control, no compliance warnings before connecting, and no audit trail in the Intune admin center. And it only works on Windows.
Remote Help is remote assistance built into Intune. Both helper and sharer authenticate with Entra ID - every session is identity-verified within your tenant. RBAC controls what the helper can do: view-only or full control. On Windows, helpers can also enter UAC credentials on the sharer’s device for elevated access. Sessions are logged in the Intune admin center with full audit history. Before connecting, the helper sees the device’s compliance state.
Where Remote Help pulls ahead of Quick Assist and third-party tools:
- Cross-platform: Windows, macOS (native app or web-based screen sharing), and Android (including unattended access for dedicated devices)
- Unenrolled device support: optionally allow help on devices not yet enrolled in Intune - useful for onboarding scenarios
- Remote launch (Windows): start a session from the Intune admin center by sending a notification to the sharer’s device - without the sharer initiating it
- Conditional Access integration: require MFA, compliant devices, or specific locations before allowing a help session
- Web app fallback: if the sharer cannot install the native app, they can share their screen via a browser (view-only for the helper)
Intune Plan 2
Three capabilities bundled together:
- Microsoft Tunnel for MAM: mobile VPN gateway that works without device enrollment. The standout for BYOD - users connect to corporate resources from personal iOS/Android devices through an app-level tunnel, without enrolling the device in Intune.
- Specialty device management: enrollment and policy support for AR/VR headsets, large smart-screen devices, and conference room equipment.
- Firmware-over-the-air: remote firmware updates for supported Zebra devices.
Cloud PKI
Certificate-based authentication without on-prem ADCS or NDES infrastructure. Matters most for cloud-native customers who need Wi-Fi or VPN certificate profiles but do not have (and do not want) a server room to run a PKI. If the customer has an existing on-prem PKI that works, Cloud PKI solves a problem they do not have.
The upgrade paths
Three paths to close the Endpoint Gap.
| Path | Best for | Includes | List price | Main constraint |
|---|---|---|---|---|
| Intune Suite | BP customers who want everything | EPM, EAM, Advanced Analytics, Remote Help, Cloud PKI, Plan 2 features | $10/user/mo | Requires Intune Plan 1 |
| Standalone add-ons | Targeted purchases | EPM, EAM, Advanced Analytics, Remote Help, or Cloud PKI individually | ~$3-4 each | No Plan 2 features unless bought separately |
| Wait for July 2026 | E3/E5 customers | Folded into base SKU automatically | Free (via $3 price increase) | BP gets nothing; E3 misses EPM, EAM, Cloud PKI |
Prices are Microsoft list per user per month, as of May 2026. Confirm standalone add-on pricing at purchase time.
The bundle math: EPM + EAM standalone is roughly $6-8/user/month for two components. The Intune Suite at $10/user/month adds Advanced Analytics, Remote Help, Cloud PKI, and Plan 2 features on top. Unless the customer only needs one specific component, the Suite is the better path.
What you unlock
| Capability | What changes |
|---|---|
| EPM | Just-in-time elevation with approval workflows and full audit logging. No more standing local admin. |
| EAM | 450+ third-party apps from a curated catalog with auto-update and supersedence. No more manual packaging. |
| Advanced Analytics | Device health scoring, anomaly detection, battery health, and fleet-wide KQL device queries. |
| Remote Help | Entra-authenticated remote assistance with RBAC, session recording, and browser-based access for unmanaged devices. |
| Tunnel for MAM | App-level VPN for personal devices without device enrollment. |
| Cloud PKI | Cloud-native certificate authority for Wi-Fi and VPN profiles without on-prem infrastructure. |
The practical difference: the custom app install from the opening becomes a 10-second EPM approval instead of a 15-minute remote session. Third-party app updates become catalog-driven rollouts instead of manual packaging sprints across 5 tenants.
When not to bother
Not every customer needs the Intune Suite. Two scenarios where the upgrade will not earn its keep:
E3/E5 customers approaching July 2026. If the customer is 2-3 months away from the fold-in and the need is not urgent, waiting is free. E3 gets Remote Help, Advanced Analytics, and Plan 2 features. E5 gets everything. The exception is E3 customers who need EPM or EAM specifically - those do not fold into E3, only into E5.
Very small BP customer with no app sprawl and no elevation patterns. If the customer has 10 managed devices, all corporate, running a handful of LOB apps, and the owner is already local admin everywhere, the Suite adds capability they will not use enough to justify $10/user/month. EPM matters most for organizations where users regularly need elevation - a 5-person office where everyone has local admin already does not have that pattern.
Security Copilot in Intune
One more thing worth knowing. Security Copilot - which powers the Copilot experience inside the Intune admin center - is included with Microsoft 365 E5 at no additional cost. E5 customers get 400 Security Compute Units (SCUs) per month per 1,000 users, auto-provisioned. Business Premium and E3 customers would need a standalone Security Copilot purchase.
Copilot in Intune lets you run natural language device queries (“show me all devices that failed the latest Windows update”), troubleshoot policy conflicts, and generate KQL from plain English. It is not part of the Intune Suite - it sits on a different licensing model entirely (consumption-based SCUs vs per-user). It deserves its own coverage, but for this post the key point is: E5 gets it, BP and E3 do not.
How to pitch it
Post-incident (EPM). “The compromised device last month started with a user who had standing local admin. EPM removes that and lets you approve specific elevations on demand. Every request is logged.”
Patch urgency (EAM). “You repackage GlobalProtect every month across every tenant. EAM auto-patches 450+ third-party apps from a Microsoft-hosted catalog. You set the policy once.”
Insurance and compliance (Advanced Analytics + Remote Help). “Your cyber insurance questionnaire asks about device health monitoring and secure remote access. Advanced Analytics gives you fleet health scoring. Remote Help gives you auditable, identity-verified support sessions.”
July 2026 timing (for BP customers). “Your E3 and E5 competitors are about to get Remote Help, Advanced Analytics, and Plan 2 features for free. Business Premium does not. The Intune Suite at $10/user/month is how you close that gap.”
Price it as a managed endpoint service, not a license passthrough. The $10/user/month Intune Suite is the floor.
Conclusion
Intune Plan 1 gets devices enrolled and configured. The Intune Suite adds what comes after: EPM removes standing local admin and replaces it with audited, just-in-time elevation. EAM takes third-party app packaging off your plate. Advanced Analytics gives you fleet-wide device health data you can actually query. Remote Help ties remote support to your identity stack across Windows, macOS, and Android.
The $10/user/month cost is real, but so is the time you are currently spending on manual elevation requests, Win32 repackaging, and blind troubleshooting. For many customers, the Suite pays for itself in reduced operational overhead before the security benefits even enter the conversation.
After July 2026, the math changes. E5 customers get the full Suite folded in. E3 customers get Remote Help, Advanced Analytics, and Plan 2 features. Business Premium customers get nothing - the Endpoint Gap stays open, and closing it remains a separate purchase.
Start with one customer tenant. Deploy an EPM elevation settings policy, connect the Enterprise App Catalog, and review the first week of data. Then scale out.
| Resource | What it covers |
|---|---|
| Intune Suite add-ons | Component matrix, standalone vs Suite vs Plan 2 |
| EPM overview | Elevation rules, policies, and deployment |
| Enterprise App Management | App catalog, auto-update, supersedence |
| Advanced Analytics | Device health, anomaly detection, device query |
| Remote Help | Zero-trust remote assistance setup |
| Intune Plans and Pricing | Suite and standalone pricing |
| July 2026 Intune fold-in | E3/E5 component breakdown and rollout timeline |
| Security Copilot for E5 | SCU allocation and auto-provisioning |
Part of The MSP License Ladder series. Previous: #4, The Exposure Gap.
Last verified: May 2026
Related
- The MSP License Ladder #1: The Hunting Gap – what Defender for Endpoint Plan 2 unlocks for proactive threat hunting across your customer fleet.
- The MSP License Ladder #2: The Data Gap – what Purview Suite unlocks over base Business Premium and E3 for DLP, Insider Risk, and eDiscovery.
- The MSP License Ladder #3: The Identity Gap – what Entra ID P2 and Defender for Identity unlock for risk-based CA, just-in-time privilege, and on-prem AD visibility.
- The MSP License Ladder #4: The Exposure Gap – what MDO P2 and Defender for Cloud Apps unlock for post-delivery investigation and Shadow IT/AI visibility.