You can't reliably store secrets in TPM and expect it to work after an OS update. Windows is using workarounds during Windows Update to avoid breaking BitLocker.
https://learn.microsoft.com/en-us/windows/security/hardware-...