Hello,
Really hoping someone can help provide some insight into how I can apply some higher security on our company hardware.
Currently, every user is admin of their own laptop, and can therefore make any changes they want to the hardware. We're looking to change this in the future however, I'm struggling to see how this can be done with synced M365 accounts. I've tested a laptop which has been setup with an M365 work account attached to it, and have then added a local account which I have made the admin account. When I download anything, it's not requiring the admin credentials to install.
I assume the reason is something to do with the fact that the main user account is a 365 account? Is there a way to restrict device access in AAD or Intune?
Any help will be much appreciated!