Forum Discussion
Enable RDP to take remote of Intune managed devices, Firewall blocking the connection
I'm working with a customer to enable RDP on some AAD joined, Intune managed devices in the company. This is the configuration I'm testing at the moment:
- Enable RDP on device: Configuration Profile, Administrative template:
  Allow users to connect remotely by using Remote Desktop Services - Enabled
  Require user authentication for remote connections by using Network Level Authentication - Disabled
- Allow RDP/3389 through Windows Firewall: Device Configuration Profiles - Endpoint protection
  Firewall rules - Allow TCP/3389
- Add users in local "Remote Desktop Users" group:
  Endpoint security - Account protection - Local user group membership. Add users (not AAD groups) in "Remote Desktop Users" group.
There are a couple of drawbacks to this configuration.
- Management - I don't want this configuration on all Windows clients in the company. An AAD group with devices must be maintained.
- In my testing, adding an AAD group in the Endpoint security - Account protection - Local user group membership policy is not working; only users can be added.
- All users added in the policy "Local user group membership" are added to the local group "Remote Desktop Users" on all devices assigned to this policy.
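
A read-only check of whether the three settings listed in the post actually landed on a device and what the firewall currently allows, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the target device; `Get-RegValue` is a helper defined here, and the registry paths are the standard Windows locations for the two Remote Desktop policies.

```powershell
# Added example: read-only checks, nothing is changed on the device.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. RDP enabled? fDenyTSConnections = 0 means connections are allowed.
#    The policy value wins over the local setting when both exist.
$deny = Get-RegValue $policyKey 'fDenyTSConnections'
if ($null -eq $deny) { $deny = Get-RegValue $tsKey 'fDenyTSConnections' }

# 2. NLA state. UserAuthentication = 1 means NLA is required, 0 means it is not.
$nla = Get-RegValue $policyKey 'UserAuthentication'
if ($null -eq $nla) { $nla = Get-RegValue $rdpTcpKey 'UserAuthentication' }

# 3. Effective (ActiveStore) inbound allow rules that name TCP/3389 explicitly.
#    Rules using a port range or 'Any' are not matched by this filter.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $f = $_ | Get-NetFirewallPortFilter
        $f.Protocol -eq 'TCP' -and ($f.LocalPort -contains '3389')
    }

# A rule only applies when its Profile matches the active network category.
$activeProfiles = (Get-NetConnectionProfile).NetworkCategory

[pscustomobject]@{
    RdpAllowed     = ($deny -eq 0)
    NlaRequired    = ($nla -eq 1)
    ActiveProfiles = ($activeProfiles -join ', ')
    Allow3389Rules = ($rules | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" }) -join '; '
} | Format-List

# 4. Members of the built-in Remote Desktop Users group, resolved by its
#    well-known SID so the check also works on localized Windows builds.
$group = (Get-LocalGroup -SID 'S-1-5-32-555').Name
net localgroup $group
```

If `Allow3389Rules` is empty, or the listed rule profiles do not include the category shown in `ActiveProfiles`, the allow rule is not in effect for the current network.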