@RIZKI RIVAI, Thanks for posting in Q&A. For standard user, we suggest remove users from local admin group. You can configure Local user group membership profile and use Add (Replace): action for local administrators group to only include the admins you want.
For any new devices to enroll into Intune, we can consider using Autopilot enrollment method. In Autopilot enrollment profile, we can configure User account type with value Standard. Which means the enrolled user is only a standard user on the enrolled devices.
https://learn.microsoft.com/en-us/autopilot/tutorial/user-driven/azure-ad-join-workflow
https://learn.microsoft.com/en-us/autopilot/tutorial/user-driven/azure-ad-join-autopilot-profile
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.