Came in one morning to reports that nobody could access a particular Windows Server 2012 R2 RDS server. To keep from being too wordy, I took some time and narrowed it down to just an issue with that one particular server, not RDS itself. As I kept digging I came across numerous instances of the following Schannel Event 36870 error on the affected RDS host, which I could then reproduce by attempting to make an RDP connection to the server experiencing the issue.
Now this led me down quite a number of SSL certificate rabbit holes, but the winner came from this Stack Overflow article, which referenced this Microsoft blog post, in which scenario 2 was my solution. I restored default permissions to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, restarted the box, and voilà! RDP was functional again!
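A read-only PowerShell check for the situation described above, added here as an example and not taken from the original post or the Microsoft article it mentions. It confirms the 36870 events, shows which certificate the RDP listener is using, and dumps the ACLs on the MachineKeys folder. The SYSTEM-ACE test in step 4 is a heuristic assumed for this example, not a documented rule.

```powershell
# Added example (not from the original post). Read-only; run elevated on the affected host.
$machineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'   # path named in the post

# 1. Confirm the symptom: the most recent Schannel 36870 events in the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36870 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, ProviderName, Message

# 2. Which certificate is the RDP listener using, and does Windows see a private key for it?
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumb = $listener.SSLCertificateSHA1Hash
Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $thumb -and $_.Thumbprint -eq $thumb } |
    Format-List PSParentPath, Subject, NotAfter, HasPrivateKey

# 3. ACL on the folder itself. Microsoft documents the default as
#    Administrators: Full control and Everyone: a limited read/write set,
#    both applying to this folder only. Anything else deserves a closer look.
$acl = Get-Acl -Path $machineKeys
Write-Host "Owner: $($acl.Owner)"
$acl.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# 4. Heuristic (assumption of this example): Schannel runs inside LSASS as SYSTEM,
#    so flag key files that carry no Allow ACE for SYSTEM (S-1-5-18) or whose ACL
#    cannot be read at all.
$sidType = [System.Security.Principal.SecurityIdentifier]
$suspect = foreach ($file in Get-ChildItem -Path $machineKeys -File -Force) {
    try {
        $rules = (Get-Acl -Path $file.FullName -ErrorAction Stop).GetAccessRules($true, $true, $sidType)
        $hasSystem = $rules | Where-Object {
            $_.IdentityReference.Value -eq 'S-1-5-18' -and $_.AccessControlType -eq 'Allow'
        }
        if (-not $hasSystem) {
            [pscustomobject]@{ File = $file.Name; Problem = 'no Allow ACE for SYSTEM' }
        }
    } catch {
        [pscustomobject]@{ File = $file.Name; Problem = "ACL unreadable: $($_.Exception.Message)" }
    }
}
$suspect | Format-Table -AutoSize
```

Capturing this output before changing any permissions also leaves a record of what the ACLs looked like when the outage started.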