A physical host with a TPM chip may be shipped with TPM feature enabled by default in the BIOS settings. If the ESXi is installed on the host with default values, the TPM will be enabled for the ESXi host.

TPM can be enabled on an ESXi host at any time. If the ESXi host is installed while TPM device is present in the physical host and the TPM feature is enabled in the BIOS settings, the ESXi host will install with TPM enabled.

If the ESXi host is installed with TPM feature disabled in the BIOS, TPM encryption can be enabled on the ESXi host later at any time.

Once TPM is enabled on the ESXi host, disabling TPM is not possible. Re-installing the ESXi host while the TPM feature is disabled in the BIOS is the only method to disable the TPM.

To check if TPM hardware Module is present on the ESXi host:

1. SSH to the ESXi host
2. Run the command:
   
   esxcli hardware trustedboot get
   
   Example
   
    esxcli hardware trustedboot get
   Drtm Enabled: false
   Tpm Present: true
   

To list the current encryption settings on the ESXi host:

1. SSH to the ESXi host
2. Run the command:
   
   esxcli system settings encryption get

Example 1 
   
   esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true

Note: If "Mode" is "TPM", then the TPM feature is enabled on the Host BIOS settings and TPM is enabled. 
   
   Example 2
   
   esxcli system settings encryption get
Mode: NONE
Require Executables Only From Installed VIBs: false
Require Secure Boot: false
   
   Note: If "Mode" is "None", then the TPM is not enabled on the ESXi host and on Host BIOS Settings.