This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 49%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
I want to remove all users from being part of the local administrator group. This will prevent them from being able to install apps on their own. What we want to do is to have a means of granting permission for applications to be installed remotely and have a system of record (like an RMM tool or third party app if applicable) to remember this approval and allow other users in the same domain to do that install if required / requested. Does anyone know of an application / tool that will allow such a thing?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
@Kris Mullenberg Haven't heard for you for some time. If you have a chance to review this thread, please check if the following answer is helpful. If there is anything else we can help, please let us know. Thanks.
Thank you for your comment. While it is a viable option for sure, I am un-certain at this time if it is the right fit for what it is that we are trying to accomplish. Not all applications an end user is trying to install are going to be available through the Microsoft / Entra / Intune portal like that to approve. It is an acceptable answer for most folks I am sure. Perhaps even THE answer for some that are only managing one environment. When you manage 30+ environments (all different) it is a bit difficult to solely use Intune to approve applications for users / environments.
@Kris Mullenberg Indeed we have no full vision of your environment. But you can try to use Available section and assign specific group with users/devices.
A lot of options can be proposed. Please let me know if something should be described in more details.
Best regards,
Aleksandr
If the response is helpful, please click "Accept Answer" and upvote it.
With Local user group membership policies in Endpoint Protection (Intune) you can manage the users of the built-in local groups on devices that run Windows 10 20H2 and later, and Windows 11 devices.
As for applications you'd like to allow to be installed I think adding them as Available to the Company portal should cover your requirements.
https://learn.microsoft.com/en-us/mem/intune/apps/apps-deploy#assign-an-app
Best regards,
Aleksandr
If the response is helpful, please click "Accept Answer" and upvote it.