Hi Miner,
As far as I know, if we have a TPM and an EK (Endorsement Key) cert, then this AikCertEnrollTask task will be triggered to attempt to enroll for an attested AIK (Attestation Identity Key - https://www.trustedcomputinggroup.org/wp-content/uploads/IWG-AIK-CMC-enrollment-FAQ.pdf) cert from a Microsoft cloud CA. Part of the DNS name in the URL is constructed from information in the EK cert supplied by the hardware manufacturer. If the enrollment attempt is successful, and the AIK cert is not consumed by any application, the task will never be triggered again. If the attempt fails, it will be triggered with varying amounts of delay up to several times, then it will give up and never be triggered again.
The AIK cert is placed in a pool to be made available to an application that wishes to use key attestation to make service access credentials non-portable. If the AIK key and cert are consumed by an application, then the task will be triggered again to replace the AIK key and cert in the pool.
I think if you manually disable the task, it will not be re-enabled anymore. Try testing it on your side and send the result back to us.
Bests,