M365 E5 from July 2026: The Third-Party Application Gap

Your M365 E5 license is about to include more endpoint management capabilities. The question worth asking before July 1 is not what Microsoft is adding — it is whether what they are adding covers the application management problem you actually have. 

From July 2026, E5 includes Endpoint Privilege Management, Enterprise Application Management, and Microsoft Cloud PKI. Pricing changes take effect July 1. Feature rollout begins October 2026. E5 customers pay the new pricing from July — but the features are not available until October. 

EAM covers a defined catalog of pre-packaged applications. That solves the packaging problem for those applications. It does not solve the operational lifecycle problem: version drift across the full estate, staged rollout control, deployment governance, rollback handling, and proving update posture to auditors. That work — across every application outside Microsoft’s catalog — remains yours. 

What the July 2026 Change Actually Includes 

The Intune Suite — previously a $10/user/month add-on — consolidates into the M365 bundle. E3 gains Remote Help, Advanced Analytics, and Intune Plan 2. E5 gains all of that plus Endpoint Privilege Management, Enterprise Application Management, and Microsoft Cloud PKI. 

For E5 customers already paying for the Intune Suite separately, the Microsoft Tech Community announcement is a net gain — the separate license cost disappears. The operational question is whether EAM covers enough of the application estate to matter. 

What EAM Actually Covers — and Where It Stops 

EAM reduces the time IT teams spend packaging and maintaining common applications. For applications in Microsoft’s catalog, deployment and update management flows directly through the Intune console without manual packaging. That is a genuine operational improvement for those applications. 

The operational boundary is the catalog itself. Security Risk Advisors noted the catalog contained 933 applications at the time of their analysis — growing, but a defined set. Applications outside that catalog still require standard Intune Win32 deployment: manual packaging, installer logic, detection rules, and ongoing update management. 

The cost of staying manual on those applications is not just IT time. Every unpatched version in the estate is an open CVE exposure window. Packaging backlogs create version drift that builds silently — different versions running across endpoints, inconsistent security posture, and no single view of what is actually current. That is the operational application lifecycle problem EAM does not address. 

What EAM Does Not Cover 

The applications outside Microsoft’s catalog are not a marginal edge case. They include the business-critical and sector-specific applications that represent the majority of most organizations’ CVE exposure: custom line-of-business applications, industry-specific tools, legacy applications with non-standard installers, and applications that simply have not been added to the catalog yet. 

EAM also remains primarily Windows Win32. As Move2Modern noted, third-party platforms typically offer broader catalogs across more niche software and often with macOS coverage — EAM has no current plans to expand platform coverage. 

Driver lifecycle management is outside both EPM and EAM scope entirely. Driver updates, model-specific firmware, and hardware vendor packages remain unaddressed by the new E5 inclusions. 

Where CapaOne Fits After July 2026 

The licensing change clarifies the third-party application management question — it does not resolve it. CapaOne covers what the new E5 inclusions leave open: the full application estate outside Microsoft’s catalog, driver lifecycle, and least-privilege governance available today rather than October. Here is how each product fits. 

Application Manager: The Full Application Lifecycle 

Application Manager covers the complete operational application lifecycle across the full estate — including every application outside Microsoft’s EAM catalog. Automated updates eliminate packaging backlogs. No-code packaging for business applications removes scripting dependency. Staged rollout control, deployment posture evidence, and version drift visibility give IT teams the governance layer that turns application management from reactive maintenance into a controlled, auditable operation. Driver lifecycle management — vendor-certified, model-aware updates across the hardware estate — is handled through Provision Manager, which neither EPM nor EAM addresses. 

Privilege Manager: Available Now, Not October 

Privilege Manager operates today. For organizations that cannot wait until the October 2026 feature rollout to establish least-privilege governance, Privilege Manager delivers policy-based elevation via existing Entra ID groups, full audit logging for NIS2 and governance requirements, and integration with Application Manager for pre-approved elevation workflows — without standing local admin. 

For organizations planning to use Intune EPM from October, CapaOne Privilege Manager runs alongside Intune EPM — the two are complementary within a broader endpoint governance model. 

The Evaluation IT Managers Should Run Before July 

The licensing change creates a natural decision point. Before July 1, it is worth mapping three things: 

• Which applications in your estate fall inside EAM’s catalog? These are the applications where EAM delivers immediate operational value from October. Identify them now so you can plan the transition. 

• Which applications fall outside the catalog? These require continued manual management or a third-party solution. Application Manager covers this gap — automated updates, posture visibility, and no-code packaging for the full estate. 

• When do you need least-privilege enforcement? If the answer is before October, Privilege Manager is operational today. If the answer is October or later, plan for EPM rollout and evaluate whether CapaOne Privilege Manager adds governance depth that EPM does not natively provide. 

• What is your driver management approach? Neither EPM nor EAM addresses driver lifecycle. Provision Manager closes that gap with automated, vendor-certified driver updates across hardware models. 

The July 2026 licensing change is a useful moment to map what your endpoint estate actually needs — what EAM covers, what it does not, and where additional automation applies. Book a demo to see how Application Manager and Privilege Manager work alongside the new E5 inclusions — or start a free trial and validate coverage across your own application estate.