how do I find that my TPM is vulnerable? is there some xml/json with list of versions and models? if I understand correctly, correct way is to flash new firmware, wipe and initialize TPM and reissue WHfB identity?

Additionally, you have to manually delete those vulnerable public keys from AD, which is not obvious at all. There is a script for local checking of vulnerable TPMs, or you can check event logs, see portal.msrc.microsoft.com/en-us/security… There is also an undocumented ADFS key auditing option.