Remover Privilegios de Administración de Usuarios Finales

NicolasFernandezSanz, I think the quickest way would be exploring whatever you already have at your disposal. Microsoft MDM (mobile device management) is the option we're using now for exact same purpose and it works well. You can read more about it https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune, but from the high-level perspective, it solves the problem you mentioned and a lot more, like:

• Data encryption enforcement
• Remote data wiping
• Device tracking
• App distribution/updates control/app installation policies
• Password policy enforcement
• Device inventory
• Location services
• Controlling personal devices used for work purposes (BYOD)
• Allowing data access from the Intune-controlled devices only
• Etc.

To enable Intune, you would need to purchase the licenses for every user (in O365). Enterprise Mobility + Security E3 is the cheapest and in my opinion, you won't need more (unless you already use some other O365 service and for cost optimization, you may want to consider some other packages).

Once the users are already part of O365 (and, subsequently AD), the enrollment is quite straight-forward. Device enrollment for Windows 10 is well-described https://docs.microsoft.com/en-us/mem/intune/enrollment/quickstart-enroll-windows-device (at the same time, the other platforms, like Mac OSX are also supported).

Please let me know if you have any follow-up questions and I'd be happy to answer them. If the answer helps, please kindly like it and mark it as an 'answer'.