A physical host with a TPM chip may be shipped with TPM feature enabled by default in the BIOS settings. If the ESXi is installed on the host with default values, the TPM will be enabled for the ESXi host.
TPM can be enabled on an ESXi host at any time. If the ESXi host is installed while TPM device is present in the physical host and the TPM feature is enabled in the BIOS settings, the ESXi host will install with TPM enabled.
If the ESXi host is installed with TPM feature disabled in the BIOS, TPM encryption can be enabled on the ESXi host later at any time.
Once TPM is enabled on the ESXi host, disabling TPM is not possible. Re-installing the ESXi host while the TPM feature is disabled in the BIOS is the only method to disable the TPM.
To check if TPM hardware Module is present on the ESXi host:
esxcli hardware trustedboot get
esxcli hardware trustedboot get
Drtm Enabled: false
Tpm Present: true
To list the current encryption settings on the ESXi host:
esxcli system settings encryption get
Example 1 esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true
Note: If "Mode" is "TPM", then the TPM feature is enabled on the Host BIOS settings and TPM is enabled. esxcli system settings encryption get
Mode: NONE
Require Executables Only From Installed VIBs: false
Require Secure Boot: false