I'm on a bit of an insane quest to make all of my Windows 10/11 and Linux RDP services use proper TLS certificates just because I *really* hate self-signed certs. Xrdp is easy enough, but Windows is a bit more tricky.

https://techcommunity.microsoft.com/blog/askds/remote-desktop-services-enrolling-for-tls-certificate-from-an-enterprise-ca/4137437 gives the best advice, but I don't know if it works when not joined to a domain.