InformationThis setting controls whether or not Windows Installer should use system permissions when it installs any program on the system.
Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders.
Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure.
The recommended state for this setting is: Disabled.
Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities.
None - this is the default behavior.
SolutionTo establish the recommended configuration, set the following Device Configuration Policy to Disabled:
To access the Device Configuration Policy from the Intune Home page:
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Custom)
Enter a Name
Configure the following Setting
Name: <Enter name>
Description: <Enter Description>
Data type: Integer
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
Note #2 This recommendation can also be applied via the Device restrictions/App Store/Install apps with elevated privileges profile.
Disabled. (Windows Installer will apply the current user's permissions when it installs programs that a system administrator does not distribute or offer. This will prevent standard users from installing applications that affect system-wide configuration items.)