With Intune Suite now included in E5 (and partly in E3), I imagine a lot of you are wondering what you are now getting and how much of it you will actually use.
In this post I’ll look at what’s included for both E3 and E5 users and then run through what each does and how useful they can be. This is all my personal opinion of course and what works or doesn’t work for one person doesn’t necessarily mean the same for others.
For each one I will describe what it does, link to the Microsoft docs and look at the third-party options, which you may already be using and want to save money on, or which you may decide work better for your org.
Let’s first start with what is included in your E3 and E5 before looking at each in detail:
E3 includes:
- Remote Help
- Advanced Analytics (including device query)
- Microsoft Tunnel for Mobile Application Management
- Specialty device management
- Firmware-over-the-air (FOTA) updates
E5 adds:
Obviously E5 adds more stuff outside of Intune Suite, so don’t just use this to decide if it is worth it; there are a lot of other advantages in there.
E3 and E5
Remote Help
A must-have in any support person’s armory is a reliable way of accessing the other person’s computer, and Remote Help is Microsoft’s answer to that.
Let’s address the elephant in the room first though, no iOS support. Keep that in mind.
When first launched, it lacked unattended access and was no better than Quick Assist (until that became a risk) or a Teams call. Now that unattended access is due to be added on Windows soon, it holds its ground better. Yes, it’s missing file transfer and remote command line access, but on these licenses you have Live Response within the Defender portal anyway.
If you don’t have anything in place now, this is native to Intune, won’t cost you anything and works well enough to get by. For those with existing solutions, give Remote Help a try. Best case it works fine for what you need and you can save some money, worst case you’ve spent a few hours testing.
Competitors in this space: ScreenConnect, BeyondTrust, TeamViewer, Ninja, loads of others (is Dameware still a thing?)
Official docs: https://learn.microsoft.com/en-us/intune/remote-help
Advanced Analytics
I make no secret that this is my favourite tool in the Suite, as it really helps support teams elevate their standing.
It’s basically a free DEX tool. It gives insights into battery health, app crashes, device reliability, startup times, everything a user is likely to complain about.
This gives you as an IT person 2 superpowers:
- You can prove a user is a liar
- You can call users having actual issues before they report them and look like a hero. “We have noticed your machine is taking a long time to boot, can we run some fixes on it for you?”
The model-based scores can help you look at your hardware lifecycle and prioritise those with issues, especially useful with RAM being the most expensive thing in the world right now (written during the great AI RAM crisis of 2026).
As if that isn’t enough, this part of the suite also includes Device Query and Multi-Device Query, which let you create a Properties Catalog to grab even more information from your devices and then query it with KQL.
This should, in my opinion, be top of your list of things to test.
Competitors: Nexthink, ControlUp
Links: Endpoint Analytics: https://learn.microsoft.com/en-us/intune/endpoint-analytics/?pivots=intune
Advanced Analytics (Device query etc.): https://learn.microsoft.com/en-us/intune/advanced-analytics/
Microsoft Tunnel for MAM
This is quite a niche one. If you have mobile applications which need access to on-prem resources and you want to be able to install and run those apps on personal, unmanaged devices, Microsoft Tunnel is your answer.
For those who need it, it’s a game-changer, but that market is pretty small these days.
Competitors: Pretty much any VPN
Links: https://learn.microsoft.com/en-us/intune/device-security/microsoft-tunnel/overview
Specialty Device Management
From niche, to more niche. If you’re one of the 10 people managing HoloLens, you probably know this exists already, but for those running Surface Hubs, this is a way to manage those devices using Intune. Why you needed a different license to manage Microsoft hardware which was already expensive enough is beyond me, but here we are.
As I said, you are probably aware already, but if you are managing them, at least that’s one less additional license to buy now.
Competitors: Strangely enough none
Links: https://learn.microsoft.com/en-us/intune/device-management/specialty-devices
FOTA Updates
Firmware-Over-the-Air Updates, shortened to FOTA because we love an acronym in IT.
This is oddly enough a way to update firmware on some Android devices remotely. At present it only supports Samsung and Zebra devices and is really for those hospital or shop-floor type Zebra devices, not so much for your CEO at home.
Pretty useful if you manage those. Again, a little bit niche, but I imagine there are a lot more of you than HoloLens users.
Competitors: Other MDMs such as SOTI and Zebra tools
Links: https://learn.microsoft.com/en-us/intune/device-updates/android/manage-fota
E5 Only
Endpoint Privilege Management (EPM)
Another excellent tool available, EPM is a way to manage those pesky apps which need elevated rights to launch, usually because of some update mechanism built in. No longer do you need to give the users admin rights, or mess with file and registry permissions. Just whitelist the app and let them elevate that and nothing else.
When first released it was a bit rough and ready, but it’s now a very solid product with direct integration into the right-click menu. Deploying in Support Approved mode will also save you having to create the rules manually, as you can create them from the requests.
The downside is that it’s Windows only. If you need macOS, Admin By Request is your best option (it’s also free up to 25 devices).
Competitors: Admin By Request is probably the main one here
Links: https://learn.microsoft.com/en-us/intune/epm/overview
Enterprise App Management (EAM)
Managing third party app updates is something no-one wants to handle and this was Microsoft’s response.
A fantastic idea, but poorly implemented. I know, working for Robopack makes me biased, but even so, this just isn’t great.
The app list looks reasonable until you look at the apps themselves: very dev focused, and probably less than 50% of what you actually need.
It still can’t do icons either.
If you have nothing, this is obviously slightly better than that, but it won’t replace your existing tools.
Competitors: Robopack, Patch My PC, Pckgr, Action1
Links: https://learn.microsoft.com/en-us/intune/app-management/deployment/enterprise-app-management
Cloud PKI
Many of you are still running on-prem CA servers for cert based authentication to wireless networks and all sorts of other things. Cloud PKI lifts that CA server and moves it directly into Intune and does a pretty good job of it.
BUT, that’s all it does. You’ll still need a RADIUS of some sort, and they often come with something included.
There are limits on the number of certificates (check the limitations at the bottom of the page linked below), but they did finally add a Delete button.
It does what it says, but is that enough?
Competitors: SCEPman, RADIUSaaS, most Wi-Fi hardware suppliers
Links: https://learn.microsoft.com/en-us/intune/cloud-pki/
Hopefully this has been useful, comments always welcome!