I would suggest looking at Cloud LAPS. If you still want to elevate permissions for the standard user, then consider EPM.
Restricting Software Installation by End Users in M365 – Best Practices
We would like to restrict end users from installing software on their devices and only allow installation when explicitly approved by an administrator.
One method we are considering is to create two groups on the admin side: a Normal User group and a Local Admin group. End users would be moved to the Normal User group by default, and only temporarily added to the Local Admin group when they request permission to install software.
However, this would require reassigning all users to the Normal User group initially, which could be complex and time-consuming.
Is there any feature in Microsoft 365 or Intune that can help us manage this more efficiently? We would appreciate any recommendations for a better approach.
Thank you in advance.