Blocking User Mode Installation

Hi Experts,

I have a Hybrid Azure AD Join environment with all Windows devices enrolled in Intune.

I have removed Domain Users from the local Administrators group on all devices via an on-premises Group Policy from the Domain Controller (Restricted Groups / Local Admin configuration).

But what I observe is users are still able to install application in user move no elevation, how can I block this so that when get get a prompt only IT team can enter their credentials which will allow install.

Currently apps are being installed in Appdata folder under user profile.

Thanks