
Hi Team,

Unable to run DISM or SFC commands on the user's system. I tried opening CMD as an Administrator, which prompts the BT pop-up. We approve, but it still doesn't allow me to proceed. I also attempted to open CMD from Task Manager but encountered the same issue.

Hi, SFC and DISM commands require a true admin account - the user has to be in the Local Admin group. I think end users (non-IT admins) should not need this access though. There is a KB article that guides on how to configure it: KB0020072. Creating a script and elevating it is a better approach than the CMD approach.


The default is that CMD and PowerShell do not allow child processes to match.

You can create elevation rules for DISM.exe and SFC.exe as individual commands or add the allow child processes on CMD and PowerShell.

The KB is wrong. My sample below is a standard command prompt, with individual rules in place for DISM.exe.
 

 


I’d recommend reviewing KB0021144 (“Unable to run DISM.exe from elevated PowerShell - Error: 740 Elevated permissions are required to run DISM”) for an explanation as to what’s happening as well as a potential workaround you can use, especially if you’re using Designated Users.

 

As @Jens Hansen pointed out, you could also create an elevation rule specifically for DISM which should work inside a standard CMD or PowerShell instance as well.


You should ensure that it is only privileged users who gain access to these commands.

I typically split the Recommended Restricted Functions into two groups. Typically BT consider the High Flexibility for Developers and IT, though I do find that a little too much for Developers.

I do not see a need for Dev users to tamper with BitLocker, Diskpart and loads of other functions that are typically only IT functions.

You can use the designated user option on the message and create an additional message similar to the Support helpdesk message, but add the Dev users and IT staff as designated users, but only add the apps that should be shared.
 

 

Again, there are so many options for this.

