Remotely approve application installs when users are not local admins.

Question

Remotely approve application installs when users are not local admins.

Kris Mullenberg 0

I want to remove all users from being part of the local administrator group. This will prevent them from being able to install apps on their own. What we want to do is to have a means of granting permission for applications to be installed remotely and have a system of record (like an RMM tool or third party app if applicable) to remember this approval and allow other users in the same domain to do that install if required / requested. Does anyone know of an application / tool that will allow such a thing?

Anonymous

2024-08-30T01:49:17.4266667+00:00

@Kris Mullenberg Haven't heard for you for some time. If you have a chance to review this thread, please check if the following answer is helpful. If there is anything else we can help, please let us know. Thanks.
Kris Mullenberg 0 Reputation points

2024-08-30T12:29:16.5733333+00:00

Thank you for your comment. While it is a viable option for sure, I am un-certain at this time if it is the right fit for what it is that we are trying to accomplish. Not all applications an end user is trying to install are going to be available through the Microsoft / Entra / Intune portal like that to approve. It is an acceptable answer for most folks I am sure. Perhaps even THE answer for some that are only managing one environment. When you manage 30+ environments (all different) it is a bit difficult to solely use Intune to approve applications for users / environments.
Aleksandr Kolesnikov 641 Reputation points

2024-08-30T13:09:51.1833333+00:00
@Kris Mullenberg Indeed we have no full vision of your environment. But you can try to use Available section and assign specific group with users/devices.

Adding users to the group can be achieved via Access package or request on SD portal + custom script in azure automation.

Use dynamic groups for assignment base on domain/s.

Use filters if you have naming or category for different devices based on locations/departments/business units.

A lot of options can be proposed. Please let me know if something should be described in more details.

Best regards,

Aleksandr

If the response is helpful, please click "Accept Answer" and upvote it.

1 answer

Your answer

Anonymous

2024-08-30T01:49:17.4266667+00:00

@Kris Mullenberg Haven't heard for you for some time. If you have a chance to review this thread, please check if the following answer is helpful. If there is anything else we can help, please let us know. Thanks.
Kris Mullenberg 0 Reputation points

2024-08-30T12:29:16.5733333+00:00

Thank you for your comment. While it is a viable option for sure, I am un-certain at this time if it is the right fit for what it is that we are trying to accomplish. Not all applications an end user is trying to install are going to be available through the Microsoft / Entra / Intune portal like that to approve. It is an acceptable answer for most folks I am sure. Perhaps even THE answer for some that are only managing one environment. When you manage 30+ environments (all different) it is a bit difficult to solely use Intune to approve applications for users / environments.
Aleksandr Kolesnikov 641 Reputation points

2024-08-30T13:09:51.1833333+00:00

@Kris Mullenberg Indeed we have no full vision of your environment. But you can try to use Available section and assign specific group with users/devices.

Adding users to the group can be achieved via Access package or request on SD portal + custom script in azure automation.

Use dynamic groups for assignment base on domain/s.

Use filters if you have naming or category for different devices based on locations/departments/business units.

A lot of options can be proposed. Please let me know if something should be described in more details.

Best regards,

Aleksandr

If the response is helpful, please click "Accept Answer" and upvote it.

Answer 1

Hi @Kris Mullenberg

With Local user group membership policies in Endpoint Protection (Intune) you can manage the users of the built-in local groups on devices that run Windows 10 20H2 and later, and Windows 11 devices.

create-profile

As for applications you'd like to allow to be installed I think adding them as Available to the Company portal should cover your requirements.

https://learn.microsoft.com/en-us/mem/intune/apps/apps-deploy#assign-an-app

Screenshot of the available shortcuts in the Windows Company Portal

Best regards,

Aleksandr

If the response is helpful, please click "Accept Answer" and upvote it.

Share via

Remotely approve application installs when users are not local admins.

1 answer

Your answer