Tested on Windows 10 Professional and Windows 2008 R2, so this approach should work on Windows 2012 R2 etc. too. Actually these steps must be done manually.
A: If you have own signed SSL certificate then continue with part B:, this part describes usage of free "Let's Encrypt" certificate generated by TSplus SSL tool.
1. start AdminTool GUI > Security > SSL Certificate Toolkit
2. File > Open Keystore File > ***TSPlus_installation_folder***\Clients\webserver\cert.jks (default password: secret)
3. Right click on Private Key(jwts) > Export > Private Key and Certificates > PKCS#12 > OK (default password: secret, after next password fields should be empty)
4. save your *.p12 certificate file somewhere on Desktop for fast access.
5. continue with part B:
1. start mmc.exe > File > Add/Remove Snap-In > Certificates > Add > Computer Account > (default!) Local Computer *** > Finish > OK
2. Console Root > Certificates (Local Computer) > Personal >> Right click > All Tasks > Import > Next > Browse >
> (choose extension "Personal Information Exchange") *.p12 YOUR CERTIFICATE FILE > Next > (your pass, empty or you should remember it) >> (Allow "Mark this key as exportable" and "Include All Extended Properties") > Next
> (Automatically select the certificate based on the type of certificate) Next > Finish (press F5 to refresh if key did not yet appear under Personal\Certificates)
2.2 Right click on that new key entry > All Tasks > Manage Private Keys >Add "NETWORK SERVICE" with allowed "READ" rights. It is not always necessary step since on some systems this entry gets added automatically but if not add it manually.
3. Double click on freshly imported private key/certificate for your domain (usually it has the name of your signed domain under "Issued to")
4. Click on Details >> scroll down > Thumbprint > as example: ab 42 96 33 fb 19 28 65 30 a7 e1 63 2d 3f d2 96 70 1c 50 67> NOTICE IT SOMEWHERE
5. create with Notepad file "myreg.reg" and save there following text according to "Thumbprint" example above (remember the SSLCertificateSHA1Hash"=hex:ab,42,96,33***" is example, replace it by own values!!! Same in attached example_myreg.reg)
6. now execute that "myreg.reg" file and add so this information to registry, if you don't do this step then next step 8. will fail with error!!!
7. start cmd.exe with Administrator rights!
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="ab429633fb19286530a7e1632d3fd296701c5067"
(now after execution it should report > Property(s) update successful > but if you missed some char or not added information from step 5. to registry then this step will fail with error)
(remember the SSLCertificateSHA1Hash="ab429633***" is example, replace it by own values!!!)
Congratulation, now whenever you call mstsc.exe > your_domain.com then the new signed certificate will be served to client by RDP server and so avoid annoying security message!