@Liam Fermoyle, Thanks for posting in Q&A.
In fact, when the device is configured automatic enrollment and go to Access work or school to do Azure AD join, the device will be enrolled into Intune automatically. And the enrolled user will be added into local administrators group by default.
To remove it, you can refer to the link in Daniel Bradley's reply to modify the local administrators membership to only keep the users you want.
Fo the device enrolled in the future; you can choose Autopilot enrollment which has the option to choose the user's account type as a standard user when configure autopilot enrollment profile. For more details, you can read the following link:
https://learn.microsoft.com/en-us/mem/autopilot/profiles
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.