Matthew D
tangentialnote.bsky.social
Perhaps it's an attempt to discourage sharing of rooms and thus sell more rooms?
November 25, 2025 at 9:22 AM
Oh this is excellent. We've managed to disable it in a lot of places, but this should really help with some intransigent bits of legacy software that have proved hard to pin down.
July 13, 2025 at 4:46 PM
The first time I saw a WPR trace with symbols on was enlightening. There's a deluge of information, different to what Procmon records. It's complexity and old, forgotten, 3rd party code all the way down.
May 4, 2025 at 2:41 AM
Hmmm. I wonder what artefacts are left when smart card logon is used?
December 13, 2024 at 8:54 AM
Though ideal is probably something like dedicated Tier 2 Jump boxes set to force RDP restricted admin mode, and the RDP port on the endpoints only accessible to those jump boxes using the Windows Firewall.
December 12, 2024 at 7:25 PM
Logging in with a tiered account can still expose a Tier 2 cred to the device. For local tasks with no network access required, I think the LAPS account can be lower risk? Particularly if you add "Local Account" to the "Deny Access from the Network" policy and have LAPS set to rotate on use.
December 12, 2024 at 7:20 PM
Credential Guard is great if you don't have compat issues (and have Enterprise licenses), and well worth the effort.

This also begs the question "Why are DCs trusted for unconstrained delegation in the first place and can we turn this off without impact?"
December 7, 2024 at 7:44 AM
Yes, I suppose that does make it slightly different.

That said, I'd still say "Get someone with a vaguely middle class sounding job to vouch for you" is pretty farcical as a validation method.
December 3, 2024 at 6:47 PM
From memory they have a similar requirement for first passports and replacement of lost or stolen ones? If so that really ought to be abolished at the same time, and for much the same reasons.
December 3, 2024 at 5:35 PM