secure configurations and deployment/management (system center)

a few questions in relation to master images of standard builds for client devices and servers

1) do any elements of system centre allow for creation of images for quick deployment of an image onto new servers/laptops, if so can the name of the actual module of system centre which handles this be provided?

2) We are looking in cyber defence best practices which requires master images (e.g. of OS/apps to be applied to windows client and server devices) are held securely. If system centres (e.g. SCCM or SCOM?) image /deployment tool is used by an organisation, how can you get assurances that the master 'images' are held securely and secure from unauthorised access or modification, e.g. in what format are they stored, and how could it be accessed on the server(s) running system centre?

3) the cyber defences also suggest that you push out your standard image using which ever deployment facility of choice, but then also recommends the use configuration management tools to ensure any deviations made post deployment to the settings that should remain as per the standard image on the users machine are alerted to admins or a process is put in place to ensure settings are automatically redeployed back in line with those set in the standard image? is this a feature of system centre also, if so can you provide details ?

4) finally, the cyber defence best practice require using secure images/templates for your standard build for windows clients/servers, but are there templates out there which represent these mystery hardened versions of these OS/platforms? if so where can they be accessed and integrated with your standard image?