RDP

Terminal server at school! Increased security and functionality?

In the question , we discussed the main points of terminal access in the school. However, during beta exploitation, new problems have surfaced that need to be addressed.
1. Authentication Methods
By default, RDP uses an insecure login+password scheme. Is it possible in Windows Server 2019 to use login+private_key (like SSH) or login+biometrics for RDP instead of login+password? Is it possible to use OpenID based OAuth for RDP RemoteApp?
2. Alternative to chroot for windows
If you run a program in RemoteApp mode (for example, PhotoShop or Microsoft PowerPoint), you can get full access to the C:\ drive. Writing without administrator rights will not work, but reading system files is already enough for a security risk. Is it possible to somehow hide system files (and personal administration files) in RemoteApp mode?
3. Versions are new, the problem is old
The terminal server has moved from Windows Server 2012 to Windows Server 2019. However, the 2019 server is stuck on version 1809, which is outdated. Is it possible to somehow put a version with support for RDP10, WSL2 and Hyper -V + VMware? Preferably 20H1.

How to solve all security issues?