I'm unaware of clients losing 8021.X settings during an upgrade or Windows 10 to the mentioned versions.
For a broader view on this subject, what I see happening is that access to supporting systems to get a client in the domain and compliant to the policy (like domain controllers, PXE boot servers, AV/MDM management, software distribution) are allowed regardless the 802.1X authentication.
Some customers use specific staging ports for that, others mark the clients in the endpoint database as known corporate machines and put them in a specific VLAN+role that allows PXE netboot and domain joins, and some allow traffic to the domain controller as a bypass on the guest VLAN. What works best for you is dependent on the exact situation. Likely, these options will give inspiration for an acceptable solution in your case.