Win 8.1 "Failed to get certificate" since 2107 upgrade

[PH25]

Since upgrading to Endpoint Configuration Manager 2107, our Win 8.1 laptops have not been communicating with Config manager.
It looks like they upgraded to the new client, then stopped communicating.  We do not use PKI certificates and since the upgrade, I believe I've made the correct changes to use enhanced http.

The problem laptops show Client Certificate: None, rather than Self-Signed.

Some reading has led me to believe that this is something to do with a new feature of 2107 that states "When you update the site and clients to version 2107, the client stores its certificate from the site in a hardware-bound key storage provider (KSP). This KSP is typically the trusted platform module (TPM) at least version 2.0".

Examples of errors in client logs are -

Failed to get certificate. Error: 0x80004005

Failed to set ACL to key, 0x80090029

The primary key is not found from provider Microsoft Platform Crypto Provider

Does anyone have any idea how to fix this, so that clients speak to config manager again?
Some forum posts suggest using a reg key HKLM\Software\Microsoft\CCM\DWORD:UseSoftwareKSP=1, but I don't want to apply that without properly understanding the implications.