Hey,
What you probably want to take a closer look at is Autopilot. This gives you, as an IT admin, the capability to choose if the user that enrolls the device should be an Administrator on that machine or a Standard user.
https://learn.microsoft.com/en-us/mem/autopilot/enrollment-autopilot
When you are creating your "autopilot profile" you can select "user account type" to predetermine if the user should be an admin or standard user on that machine.