Windows uses Group Policy (which isn't particularly secure for many reasons) while Linux uses configuration files (e.g. udev, AppArmor, stuff in /etc like fstab) in conjunction with file permissions. However, you can go way farther by compiling your own kernel that has certain functionality removed (e.g. USB mass storage).

Managing lots of configuration files/scripts across many thousands of servers, desktops, devices, etc is a long-solved problem. Most enterprises use Ansible or similar.

In almost every way, managing many thousands of Linux desktops is much simpler and more straightforward than Windows. If you're using Ansible playbooks, you can keep everything nice and tidy in a single place and everything you'd ever want to customize is managed via a plaintext file you can modify with your editor of choice.

You can organize them however you want or even use a GUI to change stuff (if you pay for Ansible Enterprise or whatever it's called... Or use one of the FOSS alternatives).

Managing Linux desktops at scale really isn't much different than managing Linux servers at scale.