Blog Post
Step by Step: 2-Tier PKI Lab
I never understood why Microsoft never updated the ADCS defaults so that a CA certificate's Policy Statement Extension (the [PolicyStatementExtension] section of CAPolicy.inf) includes either All Issuance Policies or, at the very least, the TPM Key Attestation issuance policies. An issuance policy on an end-entity certificate only survives chain policy processing if every CA certificate in the chain below the root also carries that policy (or All Issuance Policies), so with the defaults the attestation policy the CA stamps on a certificate means nothing to a relying party. The ability to create hardware-bound certificates should have become more popular by now.
I recommend enabling the "TPM Key Attestation: Endorsement Certificate (Medium Assurance)" option on the template. It is low maintenance: the CA checks that the endorsement key certificate presented with the request chains to a TPM manufacturer CA it trusts, so the only upkeep is keeping those trusted TPM root and intermediate certificates current (that is what the Microsoft bundle linked below is for). In return you get the assurance that the private key behind each issued certificate was generated inside, and is bound to, a genuine TPM rather than being a software key that merely claims to be.
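The two pieces described above, the CAPolicy.inf [PolicyStatementExtension] section and a check that the issuing CA certificate really ended up carrying the policies, as an added PowerShell example. This is not code from the original post or from any Microsoft tooling. The All Issuance Policies OID (2.5.29.32.0, anyPolicy) and the Certificate Policies extension OID (2.5.29.32) are standard; the three OIDs 1.3.6.1.4.1.311.21.30/.31/.32 and their Low/Medium/High labels, the section names and the certificate path are assumptions of the example, so confirm the level-to-OID mapping in the Key Attestation doc linked below before relying on the names.

```powershell
# Added example (not from the original post). One helper writes a CAPolicy.inf whose
# [PolicyStatementExtension] carries the TPM key attestation issuance policies (or All
# Issuance Policies); the others DER-decode the Certificate Policies extension of a CA
# certificate to confirm the policies actually made it in. CAPolicy.inf is read only when
# the CA certificate is installed or renewed, so write it before that step and run the
# check afterwards against the issuing (subordinate) CA certificate.
# Assumption: 1.3.6.1.4.1.311.21.30/.31/.32 are Microsoft's TPM key attestation issuance
# policy OIDs; the Low/Medium/High labels are not from the post, verify them in the doc.

$TpmAttestationPolicies = [ordered]@{
    'TPMKeyAttestationLow'    = '1.3.6.1.4.1.311.21.30'
    'TPMKeyAttestationMedium' = '1.3.6.1.4.1.311.21.31'
    'TPMKeyAttestationHigh'   = '1.3.6.1.4.1.311.21.32'
}
$AllIssuancePolicies = '2.5.29.32.0'   # anyPolicy: a CA cert carrying this satisfies any policy

function New-TpmAttestationCAPolicyInf {
    # Writes CAPolicy.inf (default: %SystemRoot%\CAPolicy.inf, where certsrv looks) and returns its text.
    param(
        [string]$Path = "$env:SystemRoot\CAPolicy.inf",
        [switch]$UseAllIssuancePolicies
    )
    $policies = $TpmAttestationPolicies
    if ($UseAllIssuancePolicies) { $policies = [ordered]@{ 'AllIssuancePolicy' = $AllIssuancePolicies } }
    $lines = @(
        '[Version]'
        'Signature="$Windows NT$"'   # single quotes keep PowerShell from expanding $Windows
        ''
        '[PolicyStatementExtension]'
        "Policies=$(@($policies.Keys) -join ',')"
        'Critical=False'
        ''
    )
    foreach ($name in @($policies.Keys)) {
        $lines += "[$($name)]", "OID=$($policies[$name])", ''
    }
    $lines += '[Certsrv_Server]', 'RenewalKeyLength=4096', 'RenewalValidityPeriod=Years', 'RenewalValidityPeriodUnits=10'
    $text = $lines -join "`r`n"
    Set-Content -Path $Path -Value $text -Encoding ASCII
    return $text
}

function Read-DerTlv {
    # Reads one DER tag-length-value at $Offset; returns its tag, content bytes and the next offset.
    param([byte[]]$Bytes, [int]$Offset)
    $tag = $Bytes[$Offset]
    $len = [int]$Bytes[$Offset + 1]
    $pos = $Offset + 2
    if ($len -band 0x80) {                        # long form: low 7 bits = number of length bytes
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$pos + $i] }
        $pos += $n
    }
    $content = if ($len -gt 0) { [byte[]]$Bytes[$pos..($pos + $len - 1)] } else { [byte[]]@() }
    [pscustomobject]@{ Tag = $tag; Content = $content; Next = $pos + $len }
}

function ConvertFrom-DerOid {
    # Decodes OBJECT IDENTIFIER content bytes to dotted form (first byte packs the first two arcs).
    param([byte[]]$Content)
    $arcs = @([int][math]::Floor($Content[0] / 40), [int]($Content[0] % 40))
    $value = [long]0
    for ($i = 1; $i -lt $Content.Length; $i++) {
        $value = ($value -shl 7) -bor ($Content[$i] -band 0x7F)
        if (-not ($Content[$i] -band 0x80)) { $arcs += $value; $value = [long]0 }
    }
    $arcs -join '.'
}

function Get-CertificatePolicyOids {
    # Returns the policy OIDs from the Certificate Policies extension (2.5.29.32) of a certificate.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' } | Select-Object -First 1
    if (-not $ext) { return @() }
    $seq = Read-DerTlv -Bytes $ext.RawData -Offset 0          # SEQUENCE OF PolicyInformation
    $oids = @(); $pos = 0
    while ($pos -lt $seq.Content.Length) {
        $info = Read-DerTlv -Bytes $seq.Content -Offset $pos  # PolicyInformation ::= SEQUENCE { OID, qualifiers OPTIONAL }
        $oid  = Read-DerTlv -Bytes $info.Content -Offset 0
        if ($oid.Tag -eq 0x06) { $oids += ConvertFrom-DerOid -Content $oid.Content }
        $pos = $info.Next
    }
    return $oids
}

function Test-CACertificateIssuancePolicies {
    # $true when the CA certificate carries every required OID, or All Issuance Policies; warns about gaps.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$RequiredOids = @($TpmAttestationPolicies.Values)
    )
    $present = @(Get-CertificatePolicyOids -Certificate $Certificate)
    if ($present -contains $AllIssuancePolicies) { return $true }
    $missing = @($RequiredOids | Where-Object { $present -notcontains $_ })
    if ($missing.Count) { Write-Warning "$($Certificate.Subject) lacks issuance policies: $($missing -join ', ')" }
    return ($missing.Count -eq 0)
}

# Usage (hypothetical path): check the issuing CA certificate before pointing attestation templates at it.
# $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\pki\IssuingCA.cer'
# Test-CACertificateIssuancePolicies -Certificate $ca
```

The policy OIDs are decoded from the extension's raw DER rather than from `$ext.Format($true)`, because Windows substitutes friendly names for OIDs it knows in the formatted text, which makes a string match unreliable. Run the check against the issuing CA certificate after it has been installed or renewed with the new CAPolicy.inf; a failed check means a renewal of the CA certificate is needed, since editing CAPolicy.inf alone changes nothing already issued.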
Microsoft's current documentation on Key Attestation: https://learn.microsoft.com/en-gb/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation
Microsoft's convenience bundle of trusted TPM Root and Intermediate CA certificates: https://go.microsoft.com/fwlink/?linkid=2097925
A helpful reference on adding the issuance policies to the CA certificate: https://www.gradenegger.eu/en/include-the-issuance-policies-for-trusted-platform-tpm-key-attestation-in-a-certification-body-certificate/
Another Microsoft post with more of the steps: "Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 3: Key Attestation" on the Microsoft Community Hub.