Editorial photograph of corporate laptops and mobile devices representing a Microsoft Intune managed endpoint fleet
Article · Microsoft · Endpoint Management

Microsoft Intune Plan 1 and Plan 2. The feature gap and the add ons.

Microsoft Intune ships as Plan 1, Plan 2, and the Intune Suite bundle. Plan 1 is inside Microsoft 365 E3 and E5. Plan 2 is a paid add on. Intune Suite adds Remote Help, Endpoint Privilege Management, Advanced Analytics, and the rest.

Read the Framework Microsoft Hub
$10Suite list per user
a leading industry analyst firmRecognized
Read the framework. · Independent. Buyer side. Reads in your browser. Read the framework →
Industry Recognized
500+ Enterprise Clients
$2B+ Under Advisory
11 Vendor Practices
100% Buyer Side Independent
Home Microsoft Hub Microsoft Intune Plan 1 vs Plan 2Microsoft Hub Microsoft Services EA Renewal Playbook 365 Optimizer Vendor Shield
Portrait placeholder for Morten Andersen, Co Founder
Written by Morten Andersen Co Founder · ex IBM, ex Oracle
PublishedOctober 15, 2025
Last updatedMay 21, 2026

Microsoft Intune is the cloud endpoint management product. Plan 1 covers core MDM and MAM. Plan 2 adds Microsoft Tunnel, advanced endpoint security configuration, and specialty device management.

The Intune Suite bundles Plan 1, Plan 2, and six add ons including Remote Help, Endpoint Privilege Management, and Advanced Analytics for 10 USD per user per month on top of the base plan.

Read this alongside the Microsoft knowledge hub, the Microsoft services page, the Defender for Endpoint Plan 1 vs Plan 2 article, the EA Renewal Playbook, and the Vendor Shield subscription.

Key Takeaways

What endpoint architects and procurement carry into the renewal

  • Plan 1 is inside E3 and E5. Standard MDM and MAM, no extra spend on knowledge worker estates.
  • Plan 2 is a paid add on. 4 USD per user per month list, gates Tunnel and advanced configuration.
  • Intune Suite stacks on Plan 1. 10 USD per user per month list, bundles six add on capabilities.
  • Frontline plan included. Intune for Education and Intune for Frontline are separate SKUs.
  • Audit pattern. Suite features touched without the SKU is the most common Microsoft audit finding.
  • Renewal lever. Lock the Suite price hold for the full EA term, default vendor position is annual reprice.

Microsoft Intune Plan 1 scope

Plan 1 is the core endpoint management product. Most knowledge worker estates already pay for it inside Microsoft 365 E3 or E5.

What Plan 1 actually covers

  • Mobile Device Management. iOS, Android, Windows, macOS enrollment, configuration, wipe.
  • Mobile Application Management. App protection policies on managed and unmanaged devices.
  • Compliance policies. Conditional access integration through Entra ID.
  • Windows Autopilot. Out of box experience for corporate Windows devices.
  • App deployment. Win32, Microsoft Store, line of business app distribution.
  • Configuration profiles. Wi Fi, VPN, certificate, email account provisioning at scale.

Plans that include Intune Plan 1 by default

  • Microsoft 365 E3. Knowledge worker baseline, Plan 1 included.
  • Microsoft 365 E5. Premium plan, Plan 1 included.
  • Microsoft 365 Business Premium. Small and mid market plan, Plan 1 included.
  • Enterprise Mobility plus Security E3. Standalone EMS bundle, Plan 1 included.

Microsoft Intune Plan 2 scope

Plan 2 adds advanced endpoint scenarios. Most enterprises that buy Plan 2 are running specialty devices or per app VPN through Microsoft Tunnel.

What Plan 2 unlocks against Plan 1

  • Microsoft Tunnel. Per app VPN for iOS and Android managed devices.
  • Specialty device management. Apple Vision Pro, HoloLens, Microsoft Teams Rooms, dedicated kiosks.
  • Advanced endpoint configuration. Customer managed certificates and advanced compliance.
  • Linux endpoint management. Ubuntu desktop enrollment and configuration.
  • Microsoft Configuration Manager Tenant Attach. Cloud attach for legacy on premises Configuration Manager estates.

Five personas that justify Plan 2

  1. Healthcare clinical estate. Specialty device fleet plus per app VPN.
  2. Manufacturing field engineer. Ruggedized device fleet plus Microsoft Tunnel.
  3. Retail point of sale. Dedicated kiosk plus tenant attach to legacy Config Manager.
  4. Mixed reality pilot. HoloLens fleet plus zero touch enrollment.
  5. Linux developer estate. Ubuntu fleet enrollment outside the EMS scope.

Intune Suite components

The Intune Suite is the bundle Microsoft sells most aggressively. The Suite bundles Plan 1, Plan 2, and six add on capabilities at a 30% to 40% bundle discount against buying the add ons separately.

Intune Suite component matrix

ComponentStandalone list per user per monthInside the SuiteStandalone need
Intune Plan 1Inside E3 and E5IncludedNone if E3 or E5
Intune Plan 2$4IncludedSpecialty device or Tunnel
Remote Help$3.50IncludedHelp desk attended support
Endpoint Privilege Management$3.50IncludedStanding admin removal
Advanced Endpoint Analytics$3.50IncludedAnomaly detection and resource analytics
Microsoft Cloud PKI$2.00IncludedCloud certificate authority
Enterprise App Management$2.00IncludedThird party app patching
Intune Suite bundled price$10Plan 1 base required

The Suite versus a la carte question

The Suite is roughly 35% cheaper than buying every add on separately. The break even sits at three components. Three or more components, buy the Suite. One or two, license the add ons standalone.

List pricing and bundle math

Microsoft publishes list prices for every Intune SKU. The EA discount band on Intune sits a touch below the Microsoft 365 base plan band.

Indicative list pricing and discount bands

SKUList per user per monthEA discount bandTypical landed price
Intune Plan 1 standalone$83% to 10%$7.20 to $7.75
Intune Plan 2 add on$45% to 12%$3.50 to $3.80
Intune Suite$105% to 15%$8.50 to $9.50
Remote Help standalone$3.503% to 10%$3.15 to $3.40
EPM standalone$3.503% to 10%$3.15 to $3.40

Audit traps on Intune licensing

Microsoft Intune audits look for Suite features touched without the Suite SKU. Remote Help and EPM are the two biggest sources of audit findings on a knowledge worker estate.

Five common Intune audit findings

  1. Remote Help session run without the SKU. Audit flags the session count, the help desk team did not have the Suite.
  2. EPM rule deployed without entitlement. Standing admin removal policy active on a fleet, no Suite license.
  3. Advanced Analytics dashboard opened. A single dashboard view registers the feature, no Suite license to back it.
  4. Tunnel deployment on Plan 1. Microsoft Tunnel running on iOS, no Plan 2 add on attached.
  5. Specialty device enrolled. HoloLens or Vision Pro enrolled, no Plan 2 license on the user.

Buyer side defense moves

  • Pull the feature audit report. Intune admin center has a feature usage report, run it monthly.
  • Lock Suite features behind a role. RBAC scope on Remote Help, EPM, and Advanced Analytics.
  • Document the disable date. If a Suite feature is turned off, capture the change with a timestamp.
  • Reconcile the entitlement. Suite license count must match the user count touching Suite features.
  • Pre price the gap. If a Suite feature ran without coverage, use the discount band above before Microsoft quotes a settlement.

Renewal levers on Intune

The Intune line item lands inside the broader Microsoft Enterprise Agreement. Six levers move the bill at renewal.

Six renewal levers procurement carries

  1. Suite price hold. Lock the Suite price for the full EA term, default vendor position is annual reprice.
  2. Step down to Plan 1. Drop seats from Suite back to Plan 1 mid term with no penalty.
  3. True down right. Reduce Suite seat count at anniversary, not only at renewal.
  4. Add on price hold. Lock Remote Help and EPM standalone price across the term for the residual estate.
  5. Discount floor. 5% to 15% on the Suite, default vendor floor is 0%.
  6. Pilot ramp. Staged Suite adoption with quarterly true up, not a flat ramp.

What to do next

The seven step checklist puts the Intune line item on a clean licensing footing before the next EA renewal.

  1. Inventory every endpoint. Count by OS, persona, current plan.
  2. Run the feature usage report. Surface Remote Help, EPM, Analytics, Tunnel touches.
  3. Map the Suite versus a la carte choice. Three or more components, Suite. Otherwise, standalone add ons.
  4. Score the Plan 2 personas. Specialty device, Tunnel, Linux fleet.
  5. Pre price the gap. Use the discount bands above.
  6. Lock the renewal levers. Suite price hold, step down, true down.
  7. Document the position. Procurement memo, CFO sign off, EA amendment language ready.

Frequently asked questions

What is the difference between Intune Plan 1 and Plan 2?

Plan 1 covers core MDM, MAM, Windows Autopilot, and app deployment. Plan 2 adds Microsoft Tunnel per app VPN, specialty device management for HoloLens and Vision Pro, advanced endpoint configuration, Linux fleet enrollment, and Configuration Manager tenant attach. Plan 1 is inside Microsoft 365 E3 and E5. Plan 2 is a 4 USD per user per month paid add on.

What is included in the Intune Suite?

The Intune Suite bundles Plan 1, Plan 2, Remote Help, Endpoint Privilege Management, Advanced Endpoint Analytics, Microsoft Cloud PKI, and Enterprise App Management. The list price is 10 USD per user per month on top of the base plan. The Suite is about 35% cheaper than buying every component standalone.

When should an enterprise buy the Intune Suite versus standalone add ons?

The break even sits at three components. An estate that needs Remote Help, EPM, and Plan 2 saves money on the Suite against the three standalone SKUs. Estates that only need one or two add ons should license those standalone and avoid the broader Suite spend.

Does Intune Plan 2 cover Microsoft Tunnel?

Yes. Microsoft Tunnel per app VPN for managed iOS and Android devices is a Plan 2 feature. A Tunnel deployment on Plan 1 only is a common audit finding. The 4 USD per user per month Plan 2 add on covers Tunnel plus the broader specialty device scope.

What are the most common Microsoft Intune audit findings?

Remote Help sessions without the Suite, EPM rules without the SKU, Advanced Analytics dashboards touched without entitlement, Microsoft Tunnel running on Plan 1, and specialty devices enrolled without Plan 2 are the five most common findings. The Intune admin center surfaces all five through the feature usage report.

How does Redress engage on Microsoft Intune licensing?

Redress runs the Intune feature audit, the Suite versus a la carte choice, and the EA renewal position inside the Vendor Shield subscription and the Renewal Program. Every engagement is led by a former Microsoft commercial executive on the buyer side, with no Microsoft kickback on the table.

How Redress engages on Microsoft Intune discipline

Redress runs Microsoft Intune advisory inside the Vendor Shield subscription, the Renewal Program, the Benchmark Program, and the Software Spend Assessment.

Read the related Microsoft hub, the benchmarking page, the about us page, the locations page, and the contact page.

Score your Intune Suite exposure in under five minutes.
Open the 365 Optimizer →
White Paper · Microsoft

Download the Microsoft EA Renewal Playbook.

Buyer side reference on the Microsoft EA renewal sequence. Suite versus a la carte, Intune feature audit, Defender stacking, and the six clause renewal levers.

Independent. Buyer side. Written for CIOs, CFOs, and procurement leaders carrying Microsoft Enterprise Agreements. No Microsoft kickback. No conflict on the table.

Microsoft EA Renewal Playbook

Open the white paper in your browser. Corporate email only.

Open the Paper →
$10
Suite list per user
$4
Plan 2 list per user
$8
Plan 1 list per user
$2B+
Under advisory
100%
Buyer side

Remote Help sessions running without the Suite license is the single most common Microsoft audit finding on a 5,000 endpoint estate. Lock the Suite features behind a role before the help desk opens the first session.

Head of Endpoint Engineering
European retail group
More Reading

More from this practice.

Microsoft Hub →
Microsoft EA Renewal Playbook
Microsoft · Whitepaper
Microsoft EA Renewal Playbook
Suite, ramp, and add on price hold.
20 min read
Defender for Endpoint P1 vs P2
Microsoft · Article
Defender for Endpoint P1 vs P2
Endpoint security plan choice.
18 min read
M365 E3 vs E5 vs F3
Microsoft · Article
M365 E3 vs E5 vs F3
Plan choice across personas.
20 min read
Microsoft Services
Microsoft · Service
Microsoft Services
How Redress engages.
8 min read
Microsoft Knowledge Hub
Microsoft · Hub
Microsoft Knowledge Hub
Master Microsoft reference.
22 min read
Editorial photograph of enterprise contract negotiation strategy

License the Microsoft Intune estate cleanly. Independent advisors, end to end.

We have run 500+ enterprise clients across 11 publishers. Every engagement starts with one conversation.

Contact Us Vendor Shield

Microsoft intelligence, monthly.

Microsoft Intune audit findings, Suite ramp benchmarks, EA renewal cadence, and Suite versus a la carte math from every Microsoft engagement we run on the buyer side.