Use TPM Endorsement Key to unlock certificates, deployment packages, etc? (Win10 deployments)

I’ve got a few scenarios, but let’s take the simplest: I’d like to be able to send a server certificate and key to a distant box; I’d like to have the ability to decrypt the container and therefore install the cert & key controlled by using the TPM EK, rather than by sharing a PFX password.

FWIW, the targets are all Win10, and my cert toolchain is usually openssl on Windows.
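The shape of what the question asks for is envelope encryption: the PFX is encrypted under a random content key, and that content key is wrapped to a public key whose private half lives only on the target device. The script below is an added example written for this thread, not code from the poster, and it uses the OpenSSL CLI the poster already has. It assumes a locally generated RSA key pair as a stand-in for the device key; the TPM Endorsement Key is a restricted decryption key, so a real TPM will not perform a plain RSA decrypt with it, and the unwrap step in practice has to go through the TPM's credential-activation flow (TPM2_MakeCredential / TPM2_ActivateCredential, or a TPM-resident key created for this purpose) rather than `openssl pkeyutl -decrypt`. Everything else (AES-256 content encryption, RSA-OAEP key wrapping, and the check that the wrong device cannot open the package) carries over unchanged.

```shell
#!/bin/sh
# Added example: envelope-encrypt a PFX to a device-held RSA public key.
# The "device key" below is a locally generated stand-in for a TPM-bound key;
# it is constructed here so the example runs offline.
set -eu

WORK=$(mktemp -d)

# Generate the stand-in device key pair (the public half is what the deployment
# server would hold; the private half stays on the target).
gen_device_key() {
    name=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$name.key" 2>/dev/null
    openssl pkey -in "$WORK/$name.key" -pubout -out "$WORK/$name.pub"
}

# Constructed PFX payload: random bytes stand in for the real PKCS#12 blob.
make_sample_pfx() {
    openssl rand -out "$WORK/server.pfx" 2048
}

# Server side: encrypt the payload under a fresh random content key, then wrap
# that key with RSA-OAEP to the device public key. Output: payload.enc + cek.wrapped
wrap_package() {
    pubkey=$1
    openssl rand -hex 32 > "$WORK/cek.hex"
    openssl enc -aes-256-cbc -pbkdf2 -salt \
        -in "$WORK/server.pfx" -out "$WORK/payload.enc" \
        -pass "file:$WORK/cek.hex"
    openssl pkeyutl -encrypt -pubin -inkey "$pubkey" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/cek.hex" -out "$WORK/cek.wrapped"
    rm -f "$WORK/cek.hex"   # the content key never leaves in the clear
}

# Target side: unwrap the content key with the device private key and decrypt.
# Returns non-zero if the private key does not match the wrapping key.
unwrap_package() {
    privkey=$1
    out=$2
    openssl pkeyutl -decrypt -inkey "$privkey" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/cek.wrapped" -out "$WORK/cek.unwrapped" 2>/dev/null || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -salt \
        -in "$WORK/payload.enc" -out "$out" \
        -pass "file:$WORK/cek.unwrapped" 2>/dev/null || return 1
    rm -f "$WORK/cek.unwrapped"
}

# Returns 0 when the intended device recovers the exact payload and the
# ciphertext differs from the plaintext.
roundtrip_ok() {
    gen_device_key target
    make_sample_pfx
    wrap_package "$WORK/target.pub"
    unwrap_package "$WORK/target.key" "$WORK/recovered.pfx" || return 1
    cmp -s "$WORK/server.pfx" "$WORK/recovered.pfx" || return 1
    ! cmp -s "$WORK/server.pfx" "$WORK/payload.enc"
}

# Returns 0 when a different device's key cannot open the same package.
wrong_device_rejected() {
    gen_device_key other
    if unwrap_package "$WORK/other.key" "$WORK/stolen.pfx"; then
        return 1
    fi
    return 0
}

if roundtrip_ok && wrong_device_rejected; then
    echo "package bound to target device key: OK"
fi
```

The deployment server only ever needs the device public key and the wrapped package, so no PFX password is shared. Whether the EK public key is the right anchor depends on the TPM flow chosen on the target; on Windows the usual route is a TPM-backed key in the Platform Crypto Provider, with the EK used to prove that key belongs to that TPM.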