@Mayday, Thanks for posting in Q&A. From your description, it seems you have a question about Azure AD roles and the account protection profile.
In general, the local admin is an administrator on a local Windows device. It will have permission to install applications on this device. I notice you get the error "need elevated permission". It seems the app needs more permissions. In this situation, you need to choose "Run as administrator" to elevate the permissions. If we need to deploy the app to a batch of devices, you can try to deploy it via Intune. Here are some app types we can deploy via Intune for your reference:
https://learn.microsoft.com/en-us/mem/intune/apps/apps-add
Meanwhile, for the Application Administrator role, it is a role that can create and manage all aspects of app registrations and enterprise apps. For Intune Administrator, it can manage all aspects of the Intune product in the Intune portal. Here is a link with more details:
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
In addition, for the account protection profile, when we choose the user selection type "Users", it selects the users and user groups from your Azure AD, and it only supports Azure AD joined devices. For domain users, we use "Manual" to configure. Here is a link with more details:
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
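The answer above distinguishes between being a member of the local Administrators group and actually running with an elevated token, which is what the "need elevated permission" error is about. The following PowerShell script is an added example (it is not part of the answer or of any Microsoft documentation) that reports which of the two conditions holds on the device, so an administrator can tell whether "Run as administrator" is enough or whether the account is not a local admin at all. It assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module, and it assumes the account name reported by Get-LocalGroupMember matches the DOMAIN\user form built from the environment variables (on Azure AD joined devices the member name may instead be of the form AzureAD\user@tenant, so the -UserName parameter is there to override it).

```powershell
# Added example, not from the Q&A answer. Diagnoses why an install may fail with
# "need elevated permission": member of Administrators but not elevated, or not a member at all.

function Test-IsElevated {
    # Under UAC, IsInRole(Administrator) is $true only when the current token is elevated.
    # A local admin running a normal (non-elevated) session gets $false here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsLocalAdminMember {
    param(
        # Assumption: the member name matches DOMAIN\user; override for AzureAD\user@tenant accounts.
        [string]$UserName = "$env:USERDOMAIN\$env:USERNAME"
    )
    # Get-LocalGroupMember lists direct members of the local Administrators group.
    # It does not expand nested domain groups, so a $false here may still be an indirect member.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -ieq $UserName })
}

function Get-ElevationDiagnosis {
    param([string]$UserName = "$env:USERDOMAIN\$env:USERNAME")

    $elevated = Test-IsElevated
    $isMember = Test-IsLocalAdminMember -UserName $UserName

    # Map the two checks onto the three situations the answer describes.
    $advice = if ($elevated) {
        'Session is already elevated; the error is not caused by missing local admin rights.'
    } elseif ($isMember) {
        'Account is in local Administrators but the session is not elevated: use "Run as administrator".'
    } else {
        'Account is not a direct member of local Administrators: ask an admin or deploy the app through Intune.'
    }

    [pscustomobject]@{
        User            = $UserName
        IsLocalAdmin    = $isMember
        SessionElevated = $elevated
        Advice          = $advice
    }
}

# Usage: run in the same session where the install fails.
Get-ElevationDiagnosis | Format-List
```

The script only reads group membership and the current token; it does not change anything. The useful distinction it surfaces is that an account can be a local admin and still fail an install, because under UAC the administrator privileges are filtered out of a normal session until the program is started with "Run as administrator".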