Matt Coppinger
Your M365 E5 Licence Doesn't Make Your Endpoints Secure

Your M365 E5 licence doesn't make your endpoints secure. It makes them managed. There's a difference - and it's a difference that shows up in breach reports, not dashboards.

I've spent the better part of 27 years watching organisations confuse "we have a tool" with "we have a strategy." M365 is a phenomenal productivity suite. But the security story? It's a patchwork of add-ons, separate portals, and zero automation that leaves gaps an attacker would be grateful for.

This is the security-focused companion to my earlier piece on M365's unified endpoint management gaps. If that one was about operational cost and complexity, this one is about attack surface.

The Gaps That Matter

Real-Time Visibility - The Fundamental Divide

This is the big one. Intune operates on a check-in model - devices sync every eight hours by default. Between check-ins, a device can drift out of compliance and keep accessing corporate resources. You push a policy change and wait. Did it apply? Is the device compliant? You won't know until the next sync.

Workspace ONE operates in real time. Push a configuration change and see the result immediately. Device drifts out of compliance? Access revoked now, not at the next check-in. That's the difference between a policy and a posture - and in security terms, it's the difference between knowing your estate is secure and hoping it probably is.

For a SOC team responding to an incident at 2am, "check back in eight hours" isn't an answer.

No Workflow Orchestration

Intune lets you define compliance policies and offers remediation scripts and proactive remediations for basic tasks. But it lacks a visual workflow orchestration engine. A device falls out of compliance, a vulnerability is detected, a configuration drifts - Intune can run simple remediation scripts, but complex multi-step workflows require manual intervention. There are no event-driven workflows, no cross-platform self-healing, and no low-code orchestration comparable to dedicated platforms.
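To make concrete what "simple remediation scripts" means in practice, here is an added example (not from the original post, and not Microsoft's or Omnissa's own code) of the detection/remediation script pair that an Intune Remediations policy runs: the detection script exits 0 when the device is compliant and 1 when it is not, and the remediation script runs only after a non-zero detection result. The control chosen here (all three Windows Firewall profiles must be enabled) and the file names are assumptions for illustration.

```powershell
# ============================================================
# Detection script  (assumed file name: Detect-FirewallProfiles.ps1)
# Intune Remediations convention: exit 0 = compliant, exit 1 = non-compliant.
# Anything written to stdout is shown as the detection output in the console.
# ============================================================
$profiles = Get-NetFirewallProfile -Profile Domain, Private, Public

# Enabled is an enum (True / False / NotConfigured); anything other than True is drift.
$disabled = $profiles | Where-Object { $_.Enabled -ne 'True' }

if ($disabled) {
    Write-Output ("Firewall disabled on profile(s): " + ($disabled.Name -join ', '))
    exit 1      # non-compliant -> Intune runs the remediation script below
}

Write-Output "All firewall profiles enabled"
exit 0          # compliant -> nothing else happens until the next scheduled run

# ============================================================
# Remediation script  (assumed file name: Remediate-FirewallProfiles.ps1)
# Runs only when detection returned 1. Exit 0 = remediation succeeded.
# ============================================================
try {
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    Write-Output "Firewall profiles re-enabled"
    exit 0
}
catch {
    # A failing exit code surfaces the device as "remediation failed" in the console
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

The two scripts are uploaded as separate files against one Remediations policy and run in the device's local SYSTEM context on the schedule the policy defines. That schedule is the point the paragraph above makes: a device that drifts between runs stays non-compliant until the next run, and anything beyond a single fix-in-place (opening a ticket, isolating the device, chaining a second check) has to be built and maintained outside the script.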

Microsoft is starting to address this with a Vulnerability Remediation Agent in Intune - currently in limited preview - that uses Security Copilot to prioritise CVEs and suggest remediation steps. It's a step forward, but it requires E5 licensing, consumes Security Copilot SCUs (adding to your Copilot spend), and depends on Microsoft Defender Vulnerability Management data. Crucially, it provides AI-assisted triage guidance rather than automated remediation workflows. A human still has to action each suggestion.

Workspace ONE's Vulnerability Defence feature takes a different approach - automated vulnerability detection, patch identification, and remediation queued for approval, bringing the entire detect-to-fix workflow into a single console without requiring additional AI compute costs. When your attack surface is thousands of endpoints, cutting the time from detection to approved remediation from days to hours isn't a nice-to-have. It's the only way the maths works.

Certificate-Based Authentication - Zero Trust's Missing Foundation

If you're serious about Zero Trust, you're eliminating passwords. That means certificate-based authentication for Wi-Fi, VPN, email, and device identity. In the Microsoft world, Cloud PKI is part of the Intune Suite add-on at $10 per user per month - and that's for the whole bundle, not just certificates. From July 2026, it's included in E5.

Microsoft Cloud PKI is a genuine cloud CA - no on-prem infrastructure, HSM-backed keys, full certificate lifecycle management. It's one of the better things in the Intune Suite. But it's SCEP-only, limited to six CAs per tenant, and only works with Intune-enrolled devices.

Workspace ONE takes a different approach. Rather than bundling a CA, it provides native certificate-based authentication through Workspace ONE Access, with flexible integration to any certificate authority - Microsoft ADCS, AWS Private CA, or third-party providers. You still need a CA somewhere, but you're not locked into one vendor's PKI. For organisations with existing certificate infrastructure, that flexibility matters.

Patch Management Beyond Windows Update

Intune handles Windows Update policies reasonably well. But complex patching - third-party applications, rapid zero-day response, cross-platform consistency - needs more than update ring policies. And crucially, Intune has no automated remediation workflow. You detect the gap, then you fix it manually.

The Forrester Total Economic Impact study for Workspace ONE UEM (January 2026) found patch compliance improved from 80% to 90% within the first month. Unpatched endpoints are the number one vector for known-vulnerability exploitation. That improvement translates directly to reduced attack surface - driven by automation, not headcount.

Cross-Platform Security

Intune is a Windows management tool that also does other platforms. macOS gets reasonable coverage. Linux, ChromeOS, and Android get varying degrees of management depth - and the security controls on non-Windows platforms are noticeably thinner.

Workspace ONE provides consistent security posture management across Windows, macOS, Linux, iOS, Android, and ChromeOS. Same policies, same real-time enforcement, same reporting. If your organisation runs a mixed estate (and in 2026, who doesn't?), that consistency matters.

Security Visibility - Death by a Thousand Portals

With M365, your security data lives in the Defender portal, Intune, Entra ID, and Purview. Four portals, four data models, four sets of alerting logic. Your SOC analysts spend half their time correlating across consoles rather than actually investigating threats.

Workspace ONE consolidates compliance state, threat data, and posture information into a single real-time view. When a device fails a compliance check, triggers a threat alert, and the user's risk score changes - you see it in one place, not three. And you can act on it immediately.

SCCM - The Legacy You Can't Kill

Many organisations still run ConfigMgr alongside Intune because Intune can't handle complex Windows management scenarios. That's on-premises infrastructure with its own attack surface - servers to patch, databases to secure, network ports to manage.

Workspace ONE can replace those complex scenarios without falling back to on-prem infrastructure. One less thing in your environment for an attacker to find.

The Cost of Completing Microsoft's Security Story

Let's look at what it costs to close these security gaps with Microsoft's own add-ons, for 5,000 users:

Security Capability             | Microsoft Add-On         | Monthly Cost (5,000 users)
Endpoint Protection             | Defender for Endpoint P2 | £26,000
Certificate Auth (Cloud PKI)    | Intune Suite             | £10,000*
Security Copilot Overage (est.) | SCU consumption          | £1,200
Total additional security spend |                          | £37,200+/month

*From July 2026, the Intune Suite (including Cloud PKI, Remote Help, Enterprise App Management, and Advanced Analytics) is included in M365 E5 at no additional cost - but with a licence price increase from $57 to around $60-65/user/month. E3 gets a subset (Remote Help, Advanced Analytics, Intune Plan 2). Even with Intune Suite bundled, the remaining gaps - Defender for Endpoint P2, Security Copilot SCUs, and the capabilities Microsoft simply doesn't offer (workflow orchestration, cross-platform automation, real-time remediation) - still add up.

That's on top of your E5 licence. And even after spending it, you still don't get real-time visibility, workflow orchestration, or a single console. You get more portals and more manual processes.

Workspace ONE delivers real-time compliance enforcement, automated patching, certificate-based authentication, and cross-platform security from a single platform at £18.55 per user per month. The Forrester TEI study found a 17% reduction in breach risk exposure - driven by consistent configurations, automated patching, and continuous enforcement. Not from bolting on products, but from a platform designed as a security tool from the start.

Gartner's 2026 Critical Capabilities for UEM rated Omnissa highest across all four use cases - frontline, remote work, regulated industries, and platform breadth.

The Uncomfortable Truth

Microsoft builds excellent productivity software. They're very good at selling security as a layer on top of that productivity software. But bolting security onto a productivity suite isn't a security strategy. It's hope with a budget.

The real question isn't "does Intune do compliance?" - it does. The question is: when something goes wrong, how fast can you see it, and how fast can you fix it? If the answer involves waiting for a check-in cycle and raising a ticket, you've already lost time an attacker won't give you back.

If you want to model this against your own environment, the Digital Workspace Planner lets you compare the multi-vendor path against a unified approach with your own numbers.

Your CISO doesn't need another portal. They need a platform that treats security as the default, not the upsell.