Use this template because it already has the Server Authentication policy enabled. To create the new template, open the Certificate Templates console and duplicate the Computer template. In my lab, I’ve created a ‘Remote Desktop Computer’ certificate template and enabled it to be autoenrolled via Group Policy. This article has a great walk-through of the entire process and more: RDP TLS Certificate Deployment Using GPO. Some articles will walk through this configuration and recommend removing the Server Authentication policy however, the certificates will then not work on non-Windows clients. This was key for OS X clients - both of these policies must exist.
To configure a certificate for use with Remote Desktop Services (or RDP into any Windows PC), you’ll need to create a new certificate template and enable both the Server Authentication and the Remote Desktop Authentication application policies.
Here are the client certificate warnings on various Microsoft Remote Desktop clients, including OS X. Client Warnings for Untrusted Certificates While I may only be configuring certificates in my lab environment, there’s not much effort required to remove these certificate warnings. To get OS X clients to accept the certificate takes a little extra configuration not required on Windows clients. An environment with an enterprise certificate authority can enable certificate autoenrollment to enable trusted certificates on the RDP listener, thus removing the prompt.
When connecting to a Windows PC, unless certificates have been configured, the remote PC presents a self-signed certificate, which results in a warning prompt from the Remote Desktop client. Windows has supported TLS for server authentication with RDP going back to Windows Server 2003 SP1.