Hello!
The theory question regarding Restricted Admin mode:
Theory 1 (there are many other documents stating remote access for local accounts must be forbidden) :
In the initial release of the Windows 8.1 and Windows Server 2012 R2 guidance, we denied network and remote desktop logon to Local account (S-1-5-113) for all Windows client and server configurations. This blocks all remote access for all local accounts.
Theory 2:

Am I getting it right that following the security best practice first introduced "In the initial release of the Windows 8.1 and Windows Server 2012 R2 guidance" means you can't use the "Highest protection level" available for RDP - the Restricted Admin mode?
Thank you in advance,
Michael