Custom CAs for TPM on windows VMs

The context for this ask is that we are supporting a ~40K VM migration over 4 years with a roughly 80/20 split on Windows/non-Windows VMs. with strict requirements and low tolerance for self-signed certificates and untrusted/self-managed CAs.

We will eventually have difficulties in migrating these VMs with MTV as it doesn't support migrating machines with an enabled TPM. We have worked through crafting some Ansible automation to flip the TPM settings off and get us to a state to migrate it, however we lack the functionality to natively move the machine with it enabled.