In the Symantec Endpoint Protection Manager [SEPM], the Symantec Endpoint Client [SEP] Properties show TPM device = "No TPM device" even when the system has TPM enabled.
SEP 14.X
Procmon logs show that impersonation was likely failing during TPM detection and service initialization. Impersonation was not originally a hard requirement for TPM detection, but a later improvement effort introduced it as one.
Because impersonation is not required for TPM detection, the hard dependency was removed and the original logic was restored.
Additionally, if the impersonated user is a limited user, impersonation itself succeeds but the Crypto API calls fail, which results in the TPM device not being detected.
These two operations do not have to be tied together, so a fallback mechanism was added that detects the TPM device even when the Crypto API calls fail.
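The following PowerShell script is an added example, not Symantec's code or the SEP client's detection logic. It lets an administrator confirm on the endpoint itself whether a TPM is present, so that a "No TPM device" value shown in SEPM can be checked against the actual hardware state. It mirrors the idea of a fallback described above: it first uses the `Get-Tpm` cmdlet (TrustedPlatformModule module) and, if that path fails, falls back to the `Win32_Tpm` WMI class. The function name `Get-TpmStatusWithFallback` and the shape of the returned object are the author's assumptions.

```powershell
# Added example (not Symantec's code): independently confirm TPM presence on the
# endpoint so a "No TPM device" value in SEPM can be compared with reality.
# Primary path: Get-Tpm (TrustedPlatformModule module).
# Fallback path: the Win32_Tpm WMI class, which does not depend on that module.
function Get-TpmStatusWithFallback {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        Source       = $null    # which path produced the answer
        TpmPresent   = $false
        TpmReady     = $null    # Get-Tpm only
        TpmEnabled   = $null    # Win32_Tpm only
        TpmActivated = $null    # Win32_Tpm only
        SpecVersion  = $null    # Win32_Tpm only
        Error        = $null    # why a path failed, if it did
    }

    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.Source     = 'Get-Tpm'
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
        return [pscustomobject]$result
    }
    catch {
        # Record why the primary path failed, then try the fallback.
        $result.Error = "Get-Tpm failed: $($_.Exception.Message)"
    }

    try {
        $wmi = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
        $result.Source = 'Win32_Tpm'
        if ($null -eq $wmi) {
            # Namespace and class exist but no instance: no TPM reported.
            return [pscustomobject]$result
        }
        $result.TpmPresent   = $true
        $result.SpecVersion  = $wmi.SpecVersion
        $result.TpmEnabled   = [bool](Invoke-CimMethod -InputObject $wmi -MethodName IsEnabled).IsEnabled
        $result.TpmActivated = [bool](Invoke-CimMethod -InputObject $wmi -MethodName IsActivated).IsActivated
    }
    catch {
        $result.Error = "$($result.Error); Win32_Tpm fallback failed: $($_.Exception.Message)"
    }

    return [pscustomobject]$result
}

# Usage: run from an elevated PowerShell prompt on the endpoint.
Get-TpmStatusWithFallback | Format-List
```

Run it from an elevated prompt. Both paths query the TPM through Windows components that require administrative rights, so a limited user will usually see access-denied errors on both and the object will report `TpmPresent = False` with the reasons in `Error`. That is the same class of failure the article describes for the limited impersonated user: a permission problem reported as an absent device, which is why the `Error` field should be read before trusting the `TpmPresent` value.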
The fix is targeted for an upcoming release.
This document will be updated once the exact fix release build is known.