Mike, that "loop" you refer to is due to the fact that Policy is configured for both password viewing and auto-connect.
When a password is "checked-out" for viewing, it cannot be used simultaneously for auto-connect purposes in PAM until the password is checked-in;
Same is true for the inverse, if fInheritAutoLogon were set to 1 then we could auto-connect via PAM - but no one would be able to view the password simultaneously until the auto-connect session is terminated and the password is checked back in.
So to get around this issue, we re-configured the policy: we removed only the target account from the RDP Access method (but left RDP selected) whilst leaving Password viewing unchanged.
In so doing, users can now check-out the password for viewing and use PAM's RDP applet to connect and record the session.
We may be able to add the member servers to a device group and enable the options to "Provide Credentials for Always Prompt of Password" on the group.