After having put accounts in protected groups, you are not able to login to target servers via RDP, this worked before when users were not part of the Protected groups.

PAM all versions

There is no support for login, Protected users do not use NTLM login and therefore neither RDP Applet does not work 

New Kerberos feature will be available in 4.3.1 scheduled for mid-late February 2026 that will fix this issue

Meanwhile you can try to use RDP Proxy, see the part of RDP Proxy configuration on this article
Configuring Protected Users to rotate passwords and log in to remote Windows servers in CA PAM