Actually you only need to install the root CA certificate on the non-domain joined machined so that they trust the certificate on the RDP server. You can do that pretty easily via PowerShell.