A while back I investigate if there was any possibility to lock down a Windows 10 or 11 device that gets provisioned with Autopilot and enrolled in to Azure AD and Intune to only allow the user who enrolled the device to be able to logon to that specific machine.
If you have been doing application deployment with ConfigMgr there’s a high lightlyhood you’ve came a cross Powershell Application Deployment Toolkit (PSADT) which is tool that helps you create a framework for wrapping the installation process for applications and some technical benefits in the form of logging information, GUI for