Just had a third-party pen-test report against our VMSS that we use for RDP. They report that the top certificate is self-signed, and we should use a corporate one. From here: https://learn.microsoft.com/en-us/azure/virtual-desktop/network-connectivity#connection-security - "By default, the certificate used for RDP encryption is self-generated by the OS during the deployment. If desired, customers may deploy centrally managed certificates issued by the enterprise certification authority."
Their rationale is to protect against man-in-the-middle attacks. I'm happy to defer to them on this issue. I've discovered we already have a paid-for cert that is, apparently, *.our.domain.com, although it expires in August. Q1 - how to validate this? Q2 - come August, how to renew this?
I've also discovered what appears to be a decent guide: https://intranetssl.net/securing-rdp-connections-with-trusted-ssl-tls-certificates/ however,
Q3 - it starts out saying "Suppose, that a corporate Microsoft Certificate Authority is already deployed in your domain..." - What if I can't suppose this? The first part of this guide sounds like I'm duplicating the Computer certificate. Shouldn't I be using the paid-for one?
Q4 - Does anyone know of a better guide(s) for our scenario?
Please note, I may be in a different time zone to you, so I might be a while in responding; apologies!
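For Q1 and Q3, the steps below are an added example and not code from the original post or from the linked guide. It is the procedure an engineer would run (elevated) on each VMSS instance to import the purchased wildcard PFX, validate it as a server-authentication certificate for the instance's FQDN, grant the RDP listener access to the private key, bind the RDP-Tcp listener to it by thumbprint, and then read back what the listener will present. The PFX path and the hostname pattern `$env:COMPUTERNAME.our.domain.com` are assumptions; the `*.our.domain.com` name comes from the post. Only built-in cmdlets are used (`Import-PfxCertificate`, `Test-Certificate`, CIM access to `Win32_TSGeneralSetting`).

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on
# the VMSS instance, or wrap it in a Custom Script Extension / image build step.
#Requires -RunAsAdministrator

$PfxPath  = 'C:\certs\wildcard-our-domain.pfx'      # assumed location of the paid-for wildcard cert
$PfxPass  = Read-Host -AsSecureString 'PFX password'
$HostName = "$env:COMPUTERNAME.our.domain.com"      # assumed: the FQDN users type into mstsc; must match *.our.domain.com

# 1. Import into the machine store. The RDP listener only uses LocalMachine\My.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPass

# 2. Validate before touching the listener (Q1):
#    -Policy SSL checks chain to a trusted root, the Server Authentication EKU,
#    and that -DNSName matches the certificate's SAN. A wildcard *.our.domain.com
#    matches vm01.our.domain.com but NOT our.domain.com or a.b.our.domain.com.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue)) {
    throw "Certificate $($cert.Thumbprint) does not validate as a TLS server cert for $HostName"
}
if (-not $cert.HasPrivateKey) { throw 'PFX did not carry a private key; the listener cannot use it' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    # Q2: renewal is "get a new PFX, re-run this script"; warn while there is still time.
    Write-Warning "Certificate expires $($cert.NotAfter); renew and re-run before then."
}

# 3. The RDP listener runs as NETWORK SERVICE and needs read access to the private key file.
#    CNG keys and legacy CAPI keys live in different directories.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyFile = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {
    Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
icacls $keyFile /grant 'NT AUTHORITY\NETWORK SERVICE:R' | Out-Null

# 4. Bind the RDP-Tcp listener to the certificate by SHA-1 thumbprint (Q3: this is the
#    step the linked guide does with a CA-issued Computer certificate; here it is the purchased one).
$ts = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$ts | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

# 5. Read back what the listener will now present and confirm it is no longer the
#    OS-generated self-signed one (that one is issued to the hostname, by the hostname).
$bound = (Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
$chk = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $bound
if ($chk.Subject -eq $chk.Issuer) { throw "Listener is still bound to a self-signed certificate ($bound)" }
'{0} -> Subject={1} Issuer={2} NotAfter={3}' -f $bound, $chk.Subject, $chk.Issuer, $chk.NotAfter
```

Two caveats that matter for the pen-testers' man-in-the-middle rationale. First, the certificate only stops an impostor if clients connect by a name the certificate covers (the FQDN, not the instance's IP) and do not click through the mstsc warning; connecting by IP still produces a name-mismatch prompt even with a perfectly valid certificate. Second, because VMSS instances are created and replaced automatically, step 1 to 4 have to run on every instance (Custom Script Extension, or a generalized image with the binding done at first boot), and the renewal in August is the same script with the new PFX; the self-signed certificate is not deleted, it is simply no longer the one bound to RDP-Tcp.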
Posted to r/AskNetsec, 8 months ago. Reddit URL: reddit.com/r/AskNetsec/c...