I have question about your best practices for organizations.
You have only Azure AD joined - Windows 10 computers, with Intune MDM management. Only one user is using Windows 10 PC device, and has local admin rights. Additional Azure AD users are deployed as local administrators to the device. There is also Bitlocker encryption and secure boot implemented.
What if user forgets the password (or user is no longer active in organization), and device goes offline (example network card driver issue), how can other users / Azure AD users, login to the device, to fix the issue on local windows?
Possible solution would be to deploy always additional local windows account, with admin rights, but this always has sign-in disabled (since Intune enforces this).