Microsoft Intune appears simple. It is included in M365 E3. Your organisation already has M365 E3. Therefore you have Intune. This is technically true and practically misleading. What "Intune" means in 2026 is fundamentally different from what it meant when your EA was signed. Microsoft has unbundled, re-bundled, renamed, and restructured its endpoint management portfolio three times since 2022, splitting what was a single product into a tiered suite with Plan 1, Plan 2, and the Intune Suite. Layer on Autopilot, Autopatch, Defender for Endpoint, Entra ID P1/P2 for conditional access, and Windows 365 Cloud PC, and the fully loaded endpoint management cost per user can reach $47/month, hidden across six different licence line items that no single person in the organisation tracks as a combined cost. This guide maps the entire endpoint management licensing landscape.
Complete mapping of every product, tier, inclusion, and exclusion across Microsoft's endpoint management licensing landscape: Intune Plan 1, Plan 2, and the Intune Suite. Windows Autopilot. Defender for Endpoint. Entra ID (Azure AD). Windows Autopatch. Windows 365 Cloud PC. The true per-user cost stack and five optimisation strategies to reduce endpoint management spend.
Microsoft's endpoint management portfolio is not a single product. It is an ecosystem of interlocking services, each with its own licensing model, each included in different M365 SKUs, and each sold as a standalone add-on for organisations that don't have the right base plan. Understanding the landscape requires mapping six product families that collectively constitute "endpoint management" in a modern Microsoft environment. For the broader M365 licensing context, see our E3 vs E5 comparison and enterprise plan selection playbook.
Microsoft Intune: The core device management and mobile application management platform. Enrols devices, deploys policies, manages applications, enforces compliance. Three tiers: Plan 1, Plan 2, Intune Suite.
Windows Autopilot: Zero-touch device provisioning that configures new hardware automatically from cloud policy. Included partially in Intune Plan 1, fully in Plan 2/Suite.
Microsoft Defender for Endpoint: Endpoint detection and response (EDR), threat protection, and vulnerability management. Licensed separately from Intune: Plan 1 (prevention only) is included in M365 E3, while Plan 2 (full EDR) is included in M365 E5 but not E3.
Microsoft Entra ID (formerly Azure AD): Identity and access management including conditional access policies that determine which devices can access which resources. P1 included in M365 E3. P2 (with risk-based conditional access) in E5. See our Entra ID licensing guide.
Windows Autopatch: Automated Windows Update management. Included in specific M365 tiers at no additional cost.
Windows 365 Cloud PC: Cloud-hosted Windows desktops that replace physical endpoints. Separate per-user per-month subscription, not included in any M365 plan.
The licensing complexity arises because these six product families are included in different M365 SKUs at different levels, creating a matrix where "what's included" depends on which base plan you have. The answer is different for E3, E5, Business Premium, F1, F3, and standalone subscriptions. The result: most organisations have partial endpoint management coverage from their M365 subscription and don't know which capabilities are missing.
Microsoft restructured Intune licensing in 2023, splitting the product into three tiers. This restructuring is the single largest source of confusion in endpoint management licensing. Organisations that had "Intune" through their M365 E3 subscription now have "Intune Plan 1," which excludes capabilities that were previously included or that the organisation assumed were included.
Plan 1 is the base tier. It covers the core device management scenarios that most organisations need for basic endpoint management: Mobile Device Management (MDM) for Windows, iOS, Android, and macOS (enrol devices, deploy configuration profiles, enforce compliance policies such as PIN requirements, encryption, and OS version); Mobile Application Management (MAM), which deploys and manages applications without requiring full device enrolment (critical for BYOD scenarios); conditional access integration, so that devices must meet compliance policies before accessing M365 resources (requires Entra ID, included in E3/E5); basic reporting and device inventory; and app protection policies for Outlook, Teams, and OneDrive on personal devices.
Plan 1 is sufficient for organisations that need to enrol devices, push basic policies, manage applications, and enforce compliance as a condition of M365 access. For many organisations, particularly those with a homogeneous Windows fleet managed through Group Policy or SCCM with Intune used for mobile device management, Plan 1 covers the requirement.
Plan 2 adds capabilities that organisations managing complex or specialised device fleets need. Many IT teams assume these are included in Plan 1 because they were part of the pre-2023 "Intune" product. Microsoft Tunnel for MAM: VPN capability for managed apps on iOS and Android without full device enrolment. Critical for organisations needing secure access to on-premises resources from personal mobile devices without requiring MDM enrolment. Specialised device management: Management of purpose-built devices including AR/VR headsets (HoloLens), large smart-screen devices, conference room hardware, and IoT-class devices. Linux endpoint management: Enrolment and compliance policies for Linux desktops (Ubuntu). If your developer population uses Linux, Plan 1 doesn't cover their devices. See our M365 add-on licensing guide.
Plan 2 is not a mass-deployment tier. It is a targeted add-on for specific user populations. Most organisations don't need Plan 2 for all users. They need it for the 5 to 15% of users who have specialised device requirements (Linux developers, frontline workers with AR/VR, conference room managers).
The Intune Suite is Microsoft's premium endpoint management tier. It contains capabilities that many security-conscious organisations need but don't know are separate from their E5 subscription. Remote Help: Screen-sharing remote assistance for IT helpdesk to support enrolled devices (similar to TeamViewer/BeyondTrust functionality). Endpoint Privilege Management: Allow standard users to perform specific elevated tasks (installing approved applications, running specific admin tools) without granting full local administrator rights. A critical zero-trust capability that most organisations implement through third-party tools because they don't know Intune offers it. Advanced Endpoint Analytics: Device performance scoring, anomaly detection, and proactive remediation scripts. Microsoft Cloud PKI: Cloud-based certificate authority for issuing and managing certificates for device authentication without on-premises PKI infrastructure. Firmware-over-the-air (FOTA): Manage firmware updates on Android devices. Enterprise Application Management: Curated catalogue of pre-packaged third-party Win32 applications with automated deployment and update management.
The Intune Suite at $10/user/month is a significant line item ($120/user/year, $600K annually for a 5,000-user organisation). But if it replaces standalone tools (CyberArk Endpoint Privilege Manager at $8 to $15/user/month, BeyondTrust Remote Support at $5 to $10/user/month, Venafi certificate management), the consolidation economics can be favourable.
| Capability | Plan 1 (in M365 E3/E5) | Plan 2 ($4/user/mo) | Intune Suite ($10/user/mo) |
|---|---|---|---|
| MDM for Windows/iOS/Android/macOS | Included | Included | Included |
| MAM / App protection policies | Included | Included | Included |
| Conditional access integration | Included | Included | Included |
| Linux endpoint management | Not included | Included | Included |
| Specialised devices (AR/VR/IoT) | Not included | Included | Included |
| MAM Tunnel (VPN without MDM) | Not included | Included | Included |
| Remote Help | Not included | Not included | Included |
| Endpoint Privilege Management | Not included | Not included | Included |
| Advanced Endpoint Analytics | Not included | Not included | Included |
| Cloud PKI | Not included | Not included | Included |
| Enterprise App Management | Not included | Not included | Included |
Windows Autopilot is Microsoft's zero-touch provisioning technology. It lets an organisation ship a new laptop directly from Dell or Lenovo to an employee's home, and when the employee powers it on and signs in with their corporate credentials, the device automatically configures itself: enrols in Intune, applies compliance policies, installs applications, and joins Entra ID. No imaging, no IT staging area, no USB keys. For organisations with distributed workforces, Autopilot transformed device provisioning from a 2 to 4 hour manual process per device to a 30-minute automated one.
Autopilot licensing: The base Autopilot experience (device registration, user-driven deployment, self-deploying mode for shared devices) is included in Intune Plan 1, and is therefore included in M365 E3/E5 at no additional cost. This is the Autopilot that most organisations use and need. Autopilot device preparation (the newer, streamlined provisioning flow introduced in 2024) is also included in Plan 1.
What requires additional licensing: Advanced Autopilot scenarios that depend on Intune Suite capabilities. Specifically, pre-provisioning with Endpoint Privilege Management (allowing Autopilot-deployed devices to have granular admin rights without full local admin) requires the Intune Suite ($10/user/month). Organisations using Autopilot for kiosk or shared device deployment at scale may also benefit from Plan 2 for specialised device management.
Most organisations get full Autopilot value from their M365 E3/E5 subscription. Autopilot is not a separate licence line item for the standard use case. The upsell to Plan 2 or Intune Suite is driven by the device management capabilities, not by Autopilot itself.
This is where the endpoint management licensing conversation intersects with security licensing, and where the largest unplanned costs typically emerge. Microsoft Defender for Endpoint is the EDR (Endpoint Detection and Response) platform that provides advanced threat protection, vulnerability management, attack surface reduction, and automated investigation/remediation. It is not included in Microsoft 365 E3. See our E5 security add-ons playbook for the complete security licensing analysis.
M365 E3 includes Defender for Endpoint Plan 1. This provides next-generation anti-malware protection, attack surface reduction rules, device-based conditional access, and centralised management through the Microsoft Defender portal. Plan 1 is a solid baseline: it replaces traditional antivirus (Symantec, McAfee, Trend Micro) with cloud-delivered protection that integrates natively with Intune and Entra conditional access. However, Plan 1 does not include EDR, automated investigation, threat analytics, or vulnerability management.
Plan 2 adds full EDR: the capability that detects, investigates, and responds to advanced threats that bypass prevention controls. It also includes automated investigation and remediation (AIR), threat analytics, advanced hunting (KQL-based threat hunting across endpoint telemetry), endpoint vulnerability management, and attack simulation training. Plan 2 is what security teams mean when they say "Defender for Endpoint." It is included in M365 E5 but requires a separate add-on ($5.20/user/month) for organisations on M365 E3.
Organisations on M365 E3 that deploy Intune for device management often believe they have "endpoint security covered" because Defender Plan 1 is included. Plan 1 provides prevention; it does not provide detection and response. The gap between Plan 1 and Plan 2 is the gap between antivirus (blocking known threats) and EDR (detecting unknown threats, investigating incidents, responding automatically). For any organisation facing regulatory requirements for threat detection and incident response (PCI DSS, HIPAA, SOX, CMMC), Defender for Endpoint Plan 2 is not optional.
Defender for Endpoint licences cover client endpoints (Windows, macOS, iOS, Android, Linux). Server protection requires a separate licence: Microsoft Defender for Servers, available through Azure Defender (Plan 1 at ~$5/server/month, Plan 2 at ~$15/server/month) or through the Defender for Endpoint Server add-on in the EA. This is a frequently missed requirement: organisations deploy Defender for Endpoint across their client fleet and assume it covers servers. It does not.
Microsoft Entra ID (formerly Azure Active Directory) is the identity platform that underlies every endpoint management decision. Conditional access policies determine which devices can access which resources based on compliance state, location, risk level, and user identity. Entra ID licensing directly affects endpoint management capability.
Entra ID P1 (included in M365 E3): Provides conditional access with basic policies: require MFA, require a compliant device (via Intune), block access from untrusted locations. P1 conditional access is policy-based: you define rules and they apply uniformly. This covers the majority of conditional access scenarios.
Entra ID P2 (included in M365 E5, or $9/user/month add-on): Adds risk-based conditional access. Policies that adapt based on real-time risk signals. If Entra ID Identity Protection detects a sign-in from an impossible travel location or a credential leaked on the dark web, P2 conditional access can automatically require step-up authentication, block access, or force password reset. P2 also includes Privileged Identity Management (PIM) for just-in-time admin access and access reviews for periodic entitlement certification.
The endpoint management implication: risk-based conditional access (P2) makes Intune compliance policies dramatically more effective. Device compliance isn't evaluated in isolation but in combination with user risk signals. A compliant device used by a compromised identity still grants access under P1. Under P2, the compromised identity triggers additional controls. For organisations building a zero-trust endpoint strategy, Entra ID P2 is foundational. At $9/user/month as a standalone add-on, it is the most expensive component of the endpoint management stack for E3 customers.
Windows Autopatch is Microsoft's managed update service. It automates Windows quality updates, feature updates, driver updates, and M365 Apps updates using deployment rings, monitoring, and automated rollback. Autopatch addresses one of the most operationally expensive aspects of endpoint management: patch management, which typically consumes 15 to 25% of endpoint team capacity.
Licensing: Windows Autopatch is included in M365 E3 and E5 (and Business Premium) at no additional cost. It is one of the few endpoint management capabilities that doesn't carry a separate licence line item. However, there is a requirements nuance: Autopatch requires Intune enrolment (devices must be Intune-managed), Entra ID joined or hybrid joined, and Windows 10/11 Enterprise or Education. Devices running Windows Pro (common in SMB and BYOD scenarios) are not eligible for Autopatch through M365 E3. They require a Windows Enterprise E3/E5 upgrade, which is a separate add-on for organisations that purchased M365 Business Premium rather than M365 E3/E5.
The practical implication: if your device fleet is primarily Windows Enterprise (typical for organisations on M365 E3/E5), Autopatch is available at no additional cost and should be activated. If a portion of your fleet is Windows Pro (acquired through OEM, not upgraded to Enterprise through subscription), those devices need a licence upgrade before Autopatch can manage them.
Windows 365 represents a different model of endpoint management. Instead of managing a physical device, you manage a cloud-hosted virtual Windows desktop. The Cloud PC runs in Microsoft's cloud, is accessed from any device (thin client, personal laptop, tablet), and is fully managed through Intune. The licensing model is entirely separate from M365.
Windows 365 pricing: Per-user per-month subscription based on the Cloud PC configuration (vCPU, RAM, storage). Ranges from approximately $28/user/month (2 vCPU, 4 GB RAM, 64 GB storage, basic task worker) to $158+/user/month (8 vCPU, 32 GB RAM, 512 GB storage, power user/developer). These are significant per-user costs that sit outside the M365 subscription entirely.
What is included: Windows Enterprise licence, Intune management, Entra ID join, and Microsoft-managed infrastructure. What is not included: M365 productivity apps (user still needs an M365 E3/E5/Business subscription for Outlook, Teams, Word), Defender for Endpoint (requires separate licence), and Intune Suite capabilities (separate add-on if needed).
The endpoint management licensing implication: Windows 365 shifts endpoint cost from CapEx (physical device hardware depreciated over 3 to 4 years) to OpEx (monthly subscription), but does not eliminate the rest of the licensing stack. A fully managed Windows 365 Cloud PC user still needs M365 E3/E5 (for productivity apps + Intune Plan 1), potentially Defender for Endpoint Plan 2 (for EDR), and potentially the Intune Suite (for privilege management and remote help). The Cloud PC subscription replaces the hardware cost, not the management and security licensing.
Stacking the fully loaded endpoint management cost for a single user (every tier, every add-on, every security layer) reveals the true per-user economics that most organisations have never calculated as a unified number.
| Component | Included In | Add-On Cost (if on E3) | Add-On Cost (if on E5) |
|---|---|---|---|
| Intune Plan 1 (MDM, MAM, compliance) | M365 E3/E5 | $0 | $0 |
| Intune Plan 2 (Linux, specialised devices) | Not included | $4/user/mo | $4/user/mo |
| Intune Suite (Remote Help, EPM, Cloud PKI) | Not included | $10/user/mo | $10/user/mo |
| Defender for Endpoint P2 (EDR) | M365 E5 | $5.20/user/mo | $0 |
| Entra ID P2 (risk-based conditional access) | M365 E5 | $9/user/mo | $0 |
| Windows Autopatch | M365 E3/E5 | $0 | $0 |
| Windows Autopilot (standard) | M365 E3/E5 | $0 | $0 |
| Windows 365 Cloud PC (4 vCPU/8 GB) | Not included | ~$41/user/mo | ~$41/user/mo |
Scenario 1: M365 E3 base, maximum endpoint management. E3 ($36/user/mo) + Intune Plan 2 ($4) + Intune Suite ($10) + Defender P2 ($5.20) + Entra P2 ($9) = $64.20/user/month. The endpoint management add-ons ($28.20) cost 78% of the E3 base licence itself.
Scenario 2: M365 E5 base, maximum endpoint management. E5 ($57/user/mo) + Intune Plan 2 ($4) + Intune Suite ($10) = $71/user/month. E5 absorbs Defender P2 and Entra P2, so the add-on cost drops to $14/user/month. The E5 upgrade from E3 costs $21/user/month but absorbs $14.20/user/month of add-ons, making the net cost of all additional E5 capabilities just $6.80/user/month. For organisations that need Defender P2 and Entra P2, upgrading to E5 is almost always cheaper than buying the add-ons separately.
Scenario 3: Minimum viable endpoint management on E3. E3 ($36/user/mo) with Intune Plan 1 + Defender P1 + Entra P1 + Autopilot + Autopatch all included = $36/user/month. No add-ons. This covers basic MDM, MAM, next-gen antivirus, conditional access, zero-touch provisioning, and automated patching. For organisations without regulatory EDR requirements or specialised device needs, this is a complete endpoint management posture at no incremental cost.
If you need two or more of the security and compliance features included in E5 (Defender P2, Entra P2, Defender for Office 365 P2, Information Protection, eDiscovery), upgrading to E5 is almost always cheaper than buying add-ons individually. The E3-to-E5 uplift is approximately $21/user/month. Defender P2 ($5.20) + Entra P2 ($9) + Defender for Office 365 P2 ($5) alone equals $19.20 for just three add-ons. E5 includes all three plus Audio Conferencing, Power BI Pro, and advanced compliance. The incremental cost of all those additional E5 capabilities is effectively $1.80/user/month. See our E3 vs E5 comparison.
Before optimising, quantify. Map every endpoint management licence line item across your organisation: M365 base plan (E3/E5/F3/Business Premium), Intune tier (Plan 1 only, Plan 2, Suite), Defender tier (P1, P2, standalone), Entra tier (P1, P2), Windows 365 subscriptions, and any third-party endpoint tools. Calculate the blended per-user per-month cost. Most organisations discover the number is 30 to 50% higher than they assumed because no single team tracks the combined spend. Our EA Optimisation Service includes this cost mapping as a standard first step.
Not every user needs the same endpoint management stack. Persona-based licensing assigns the right tier to the right user based on role, device type, and security requirements.
| Persona | Typical Roles | Recommended Stack | Monthly Cost |
|---|---|---|---|
| Standard knowledge worker | Finance, HR, marketing, legal | M365 E3 + Defender P2 | $41.20 |
| Security-sensitive user | Executive, admin to sensitive data, IT admin | M365 E5 (or E3 + Defender P2 + Entra P2) | $57.00 (E5) |
| Developer / specialised device user | Software engineer, field tech, kiosk worker | M365 E3 + Intune Plan 2 | $40.00 |
| Frontline worker | Retail, warehouse, clinical | M365 F3 + Defender P1 (included) | $8.00 |
The savings from tiered licensing are substantial. A 5,000-user organisation with 3,000 standard workers, 500 security-sensitive, 500 developers, and 1,000 frontline workers pays approximately $196,000/month with tiered licensing vs $285,000/month with blanket E5 for all users. A 31% reduction. See our M365 cost guide for the full per-user analysis.
The Intune Suite ($10/user/month) is most valuable when it replaces third-party tools. Audit your current endpoint management tool inventory: if you are paying separately for remote support (TeamViewer, BeyondTrust), privileged access management (CyberArk EPM), certificate management (Venafi, DigiCert), or endpoint analytics (Nexthink, Lakeside), calculate the combined per-user cost of those tools. If the combined cost exceeds $10/user/month, the Intune Suite consolidation delivers savings plus tighter integration with the Microsoft stack. If the combined cost is below $10, or if your third-party tools serve use cases the Intune Suite doesn't cover, retain the existing stack.
Intune Plan 2, the Intune Suite, and Defender for Endpoint add-ons are all negotiable within the EA negotiation. Microsoft's list pricing is the starting point, not the final price, particularly when the add-ons are part of a larger EA commitment that includes base M365 licences, Azure consumption, and other workloads. Bundle endpoint management add-ons into the EA renewal negotiation to secure 10 to 20% discounts on list pricing. The add-ons should never be procured mid-term at list through the Microsoft admin portal when an EA renewal is within 12 months. The renewal is the negotiation event. See our EA price protections guide and contract negotiation service.
Before purchasing any endpoint management add-on, audit what you already have. Organisations that have acquired other companies, inherited different M365 tiers, or purchased security products at different times frequently discover they already have licences for capabilities they are about to buy again. Run a licence entitlement audit across Intune, Defender, Entra, and M365 tiers to map exactly what each user is licensed for before ordering add-ons. Visit the Microsoft Knowledge Hub for additional resources, or use our Microsoft Assessment Tools for self-service analysis.
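An added example (not the article's own or any Microsoft tooling) of the entitlement audit this step describes, run over the JSON shape that Microsoft Graph's GET /users/{id}/licenseDetails returns: it maps each user's service plans to the Intune, Defender and Entra capabilities discussed above, flags SKUs that are double-licensed, and costs the gap to the persona stack from the persona table. The servicePlanName values, SKU part numbers and users are assumptions and constructed sample data, to be checked against your own tenant's subscribedSkus output.

```python
# Added example: licence entitlement audit over the JSON shape of Microsoft Graph's
# GET /users/{id}/licenseDetails response. All user and SKU data below is constructed.
from typing import Dict, List, Set, Tuple

# servicePlanName values for the endpoint capabilities the article maps.
# ASSUMPTION: verify these names against your own tenant's GET /subscribedSkus output.
CAPABILITY_PLANS: Dict[str, str] = {
    "INTUNE_A": "Intune Plan 1",
    "MDE_LITE": "Defender for Endpoint P1",
    "WINDEFATP": "Defender for Endpoint P2",
    "AAD_PREMIUM": "Entra ID P1",
    "AAD_PREMIUM_P2": "Entra ID P2",
}
# Monthly per-user add-on list prices on an E3 base, as quoted in the article.
ADDON_PRICE: Dict[str, float] = {"Defender for Endpoint P2": 5.20, "Entra ID P2": 9.00}
# Minimum endpoint stack per persona, following the article's persona table.
PERSONA_STACK: Dict[str, Set[str]] = {
    "standard": {"Intune Plan 1", "Defender for Endpoint P2"},
    "security-sensitive": {"Intune Plan 1", "Defender for Endpoint P2", "Entra ID P2"},
}

def sku_capabilities(sku: dict) -> Set[str]:
    """Endpoint capabilities one assigned SKU delivers; disabled service plans do not count."""
    return {
        CAPABILITY_PLANS[p["servicePlanName"]]
        for p in sku.get("servicePlans", [])
        if p["servicePlanName"] in CAPABILITY_PLANS and p.get("provisioningStatus") != "Disabled"
    }

def entitlements(license_details: List[dict]) -> Set[str]:
    """Union of endpoint capabilities across every SKU assigned to the user."""
    caps: Set[str] = set()
    for sku in license_details:
        caps |= sku_capabilities(sku)
    return caps

def redundant_skus(license_details: List[dict]) -> List[str]:
    """SKUs whose endpoint capabilities are all already supplied by the user's other SKUs,
    e.g. a standalone Defender P2 add-on assigned next to an E5 licence."""
    redundant = []
    for i, sku in enumerate(license_details):
        own = sku_capabilities(sku)
        others = entitlements(license_details[:i] + license_details[i + 1:])
        if own and own <= others:
            redundant.append(sku["skuPartNumber"])
    return redundant

def gap(license_details: List[dict], persona: str) -> Tuple[Set[str], float]:
    """Capabilities the persona needs but the user lacks, and the add-on cost to close them."""
    missing = PERSONA_STACK[persona] - entitlements(license_details)
    return missing, round(sum(ADDON_PRICE.get(c, 0.0) for c in missing), 2)

def _plan(name: str, status: str = "Success") -> dict:
    return {"servicePlanName": name, "provisioningStatus": status}

def _sku(part_number: str, *plans: dict) -> dict:
    return {"skuPartNumber": part_number, "servicePlans": list(plans)}

# Constructed sample tenant: (persona, licenseDetails) per user; SKU names are illustrative.
SAMPLE_USERS = {
    "alice": ("security-sensitive", [
        _sku("SPE_E5", _plan("INTUNE_A"), _plan("WINDEFATP"), _plan("AAD_PREMIUM"), _plan("AAD_PREMIUM_P2")),
        _sku("DEFENDER_ENDPOINT_P2", _plan("WINDEFATP")),  # double-licensed next to E5
    ]),
    "bob": ("security-sensitive", [
        _sku("SPE_E3", _plan("INTUNE_A"), _plan("MDE_LITE"), _plan("AAD_PREMIUM")),
    ]),
    "carol": ("standard", [
        _sku("SPE_E3", _plan("INTUNE_A"), _plan("MDE_LITE", "Disabled"), _plan("AAD_PREMIUM")),
    ]),
}

def audit(users=SAMPLE_USERS) -> Dict[str, dict]:
    """One row per user: what they have, what is double-licensed, what is missing and its cost."""
    report = {}
    for name, (persona, details) in users.items():
        missing, cost = gap(details, persona)
        report[name] = {
            "has": sorted(entitlements(details)),
            "redundant": redundant_skus(details),
            "missing": sorted(missing),
            "addon_cost": cost,
        }
    return report
```

Against real data, replace SAMPLE_USERS with the licenseDetails collection pulled per user from Graph and extend CAPABILITY_PLANS with the Plan 2 and Intune Suite service plan names your tenant reports.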
Intune Plan 1 is included in M365 E3, E5, Business Premium, F1, and F3. Plan 1 covers the core MDM, MAM, compliance, and conditional access integration that most organisations need. Intune Plan 2 ($4/user/month) and the Intune Suite ($10/user/month) are add-ons to any M365 plan. They are not included in E3 or E5. You only need to purchase these add-ons if you require the specific capabilities they include (Linux management, specialised devices, Remote Help, Endpoint Privilege Management, Cloud PKI). For most organisations, Plan 1 through M365 E3 is sufficient for standard endpoint management.
Yes. They serve different functions that work together. Intune manages the device (enrolment, configuration, compliance, application deployment). Defender for Endpoint protects the device (threat detection, EDR, vulnerability management). Intune can enforce that Defender is installed and running. Defender reports device risk signals to Intune and Entra conditional access. Without Intune, you cannot enforce security policies or manage device compliance. Without Defender, you cannot detect or respond to threats. They are complementary, not interchangeable. M365 E3 includes Intune Plan 1 and Defender Plan 1 (prevention only). M365 E5 includes Intune Plan 1 and Defender Plan 2 (prevention plus detection and response).
If you need two or more of the security and compliance features included in E5, the upgrade is typically cheaper. The E3-to-E5 uplift is approximately $21/user/month. Defender for Endpoint P2 alone is $5.20, Entra P2 is $9, and Defender for Office 365 P2 is $5. A combined $19.20 for just three add-ons. E5 includes all three plus Information Protection, eDiscovery, Compliance Manager, Audio Conferencing, and Power BI Pro. The incremental cost of all those additional E5 capabilities is effectively $1.80/user/month. For organisations on E3 that need advanced security, E5 is almost always the more cost-effective path. The key is to negotiate E5 pricing at EA renewal. Mid-term upgrades at list pricing change the economics. See our E5 security add-ons playbook for the detailed comparison.
No. Standard Windows Autopilot functionality (user-driven deployment, self-deploying mode, device registration, Autopilot device preparation) is included in Intune Plan 1, which is included in M365 E3/E5. There is no separate Autopilot licence. The only additional licensing arises when Autopilot workflows leverage capabilities from higher Intune tiers. For example, using Endpoint Privilege Management (Intune Suite) to configure granular admin rights during Autopilot provisioning. For the standard Autopilot use case (new device, user signs in, device self-configures), M365 E3 is all you need.
M365 E3 at $36/user/month includes Intune Plan 1, Defender for Endpoint Plan 1 (prevention only), Entra ID P1 (basic conditional access), Windows Autopilot, and Windows Autopatch. To add full EDR (Defender P2 at $5.20), risk-based conditional access (Entra P2 at $9), and the premium Intune capabilities (Intune Suite at $10), the total reaches $60.20/user/month. The $28.20 in add-ons costs 78% of the E3 base licence. For most organisations, the E5 upgrade at $57/user/month (which absorbs $14.20 of those add-ons) is the more cost-effective path. See our E3 vs E5 comparison.
No. Defender for Endpoint licences cover client endpoints (Windows, macOS, iOS, Android, Linux). Server protection requires a separate licence: Microsoft Defender for Servers, available through Azure Defender (Plan 1 at approximately $5/server/month, Plan 2 at approximately $15/server/month) or through the Defender for Endpoint Server add-on in the EA. This is a frequently missed licensing requirement. Organisations deploy Defender for Endpoint across their client fleet and assume it covers servers. It does not. Budget server protection separately.
For any organisation with 1,000+ managed endpoints, the endpoint management licensing landscape is complex enough that independent advisory consistently identifies savings and security gaps. The value comes from three areas: identifying add-on overlap (organisations frequently purchase standalone Defender, Entra, or Intune add-ons that are already included in their M365 tier), modelling the E3-vs-E5 breakeven (determining whether upgrading is cheaper than add-ons, by user persona), and negotiating add-on pricing at EA renewal (Intune Suite, Defender P2, and other add-ons are negotiable when bundled with the broader EA commitment). See our Microsoft Advisory Services for the complete engagement model.
Redress Compliance audits your full endpoint management licensing posture across Intune, Defender, Entra, Autopilot, and Autopatch. We map what you are paying, what you are using, what is redundant, and what is missing. Independent, fixed-fee, vendor-neutral.