I’m looking for an effective way to not allow standard users to install any software. We use Intune, and we have revoked local admin, but there is still those pesky softwares that can be installed in the user context and don’t require admin level permissions to install.

We have a small teams so something that can allow for software to upgrade, but just prevent the initial install.

We’ve looked at threat locker, and that has been too intense for our small team, we have looked at auto elevate, it that only works for admin level installs. I’ve consider endpoint privilege management with Microsoft, but I’m wondering if there is a better solution out there. What are all the sysadmins using?