I seem to have disabled something but I'm not sure where. Need a check its not my OIB policies

[O365-Zende]

Hi, self-taught admin, small company etc

I have been slowly adding OIB into our stuff, and turning off my old policies which has been going fine.
I already had a lot of the settings, just not in a regulated way.

However, I have hit a snag
Our techs are allowed to have admin rights (yes I'm aware it's bad) the reason is so they can do things on the fly without restrictions. BAU comes first...

Any I was testing LAPS, which I'm rolling out slowly as I wanted to remove the non-tech staff from that pool (something better than nothing as far as risk goes)

I downgraded a test machine to standard acc (Win11 Pro) and now I can't install anything unless its from the Windows Store. Something is blocking me.
The message at the top is "The app you're trying to install isn't a Microsoft verified App"
Now I have tried to stop this through LAPS, but our local users do use software as well, just not the techy stuff. but LAPS fails to allow it which makes me wonder if its globally set?

So is it something I have accidentally set through OIB? Or is the global setting somewhere else, Entra, M365, Intune etc?
From my googling, it always comes back to a user setting can't seem to find a global option, so is that correct?

Can anyone point me in the direction of how to change this on a global scale not per machine basis?
And if it is within the OIB settings or just a windows feature?

Many thanks

Ive attached my current policy list from OIB just in case that helps.

Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (L2) - v3.7 Win - OIB - ES - Defender Antivirus - D - AV Configuration - v3.3 Win - OIB - ES - Defender Antivirus - D - Security Experience - v3.3 Win - OIB - ES - Defender Antivirus Updates - Ring 1 - Pilot - v3.4 Win - OIB - ES - Defender Antivirus Updates - Ring 2 - UAT - v3.4 Win - OIB - ES - Defender Antivirus Updates - Ring 3 - Production - v3.4 Win - OIB - ES - Encryption - D - BitLocker (OS Disk) - v3.7 Win - OIB - ES - Windows Firewall - D - Firewall Configuration - v3.1 Win - OIB - ES - Windows Hello for Business - D - WHfB Configuration - v3.2 Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6 Win - OIB - ES - Windows LAPS - D - LAPS Configuration - v3.1 Win - OIB - SC - Defender Antivirus - D - Additional Configuration - v3.6 Win - OIB - SC - Device Security - D - Audit and Event Logging - v3.7 Win - OIB - SC - Device Security - D - Config Refresh - v3.2 Win - OIB - SC - Device Security - D - User Rights - v3.7 Win - OIB - SC - Device Security - U - Windows Sandbox - v3.4 Win - OIB - SC - Device Security - U - Windows Spotlight and Org Messages - v3.0 Win - OIB - SC - Internet Explorer (Legacy) - D - Security - v3.1.1 Win - OIB - SC - Microsoft Accounts - D - Configuration - v3.2 Win - OIB - SC - Microsoft Edge - D - Security - v3.7 Win - OIB - SC - Microsoft Edge - D - Updates - v3.6 Win - OIB - SC - Microsoft Edge - U - Extensions - v3.1 Win - OIB - SC - Microsoft Edge - U - Password Management - v3.0 Win - OIB - SC - Microsoft Edge - U - Profiles, Sign-In and Sync - v3.0 Win - OIB - SC - Microsoft Edge - U - User Experience - v3.7 Win - OIB - SC - Microsoft Office - D - Updates - v3.0 Win - OIB - SC - Microsoft Office - U - Config and Experience - v3.6 Win - OIB - SC - Microsoft OneDrive - D - Configuration - v3.2 Win - OIB - SC - Microsoft OneDrive - U - Configuration - v3.0 Win - OIB - SC - Microsoft Store - D - Configuration - v3.4 Win - OIB - SC - Microsoft Store - U - Configuration - v3.3 Win - OIB - SC - Windows Update for Business - D - Delivery Optimisation - v3.0 Win - OIB - SC - Windows Update for Business - D - Reports and Telemetry - v3.0 Win - OIB - SC - Windows User Experience - D - Feature Configuration - v3.1 Win - OIB - SC - Windows User Experience - D - Settings Sync - v3.7 Win - OIB - SC - Windows User Experience - U - Copilot - v3.6

[PhilipSiborgs]

Can you check if you have the LAPS option configured for your tenant? If not you get strange results and LAPS won't work either.
It's in Entra under Devices > Device Settings > Enable Microsoft Entra Local Administrator Password Solution (LAPS)

[O365-Zende]

Yes thats enabled

I used LAPS to downgrade the account but it doesn't seem to like the Microsoft Store option.

[incedIT]

Really you should be blocking installs using application whitelisting such as Applocker or WDAC and you should add allowed apps to Intune and set as available to all users. they can then use the Company Portal app (set this as a required install) to single-click install any apps they need.

As for your issue, LAPS is only used for UAC, so I think another policy is causing your behaviour. If you run anything as admin, does UAC appear with the LAPS username prefilled and you can enter the LAPS password to authorise? If so, LAPS is working ok.

When I have issues I go to the SETTINGSOUTPUT.md in the github repo and search for keywords to find settings that might be related.

[incedIT]

Run the IntuneManagement app and connect to your tenant, Bulk menu, Document Types, leave all types selected, in the Output tab note down the Document Name path and click Start - it will output your tenant's settings to the same type of file. This will show you all the settings you have in your tenant so you can search there too in case a non-OIB policy is affecting it.

[O365-Zende]

I'm guessing you mean this?

https://github.com/Micke-K/IntuneManagement

The path is to an .exe file for a driver update from Dell, will it still work the same to an .exe?

Many thanks for the help

[incedIT]

That's the one, it's the tool recommended by this project to import the policies but has the added benefit of exporting configs to markdown. What I am helping you to do is export your Intune config in its entirety so you can search the exported file for keywords that would be used in policies that may restrict your software installs. From there you can work out which policies you may need to unassign/adjust. It's a trial and error process but it's what I do when troubleshooting issues on Intune connected devices.

[incedIT]

Separately from my message above which is general troubleshooting advice, if you are trying to update Dell drivers then I would install Dell Command Update. Your message sounded like you were installing a specific driver manually but DCU can help update drivers automatically to save you time and hassle. Once installed, it can be ran by standard users to update Dell devices.

[O365-Zende]

That was just an example I was using to test it fails on any .exe.

I'll check the tool though I'm not familiar with it particularly, I'm beginning to suspect this setting may not be in Intune at all.
This could have been set yrs ago.. (M365, Entra, Azure) The only reason I found this issue was I downgraded an account to test LAPS
I've just set up a new machine and it doesn't have the issue. As a new installation with Autopilot is Admin.

But thanks for the help ill keep looking.