Quick HowTo/reminder to myself on how to activate TPM on ESXi hosts connected to vCenter.
The smoothest way is to configure the servers before they are connected to vCenter; otherwise they must be removed from the inventory and re-added.
The BIOS security settings must be correctly configured:

Select System Security.

TPM Security must be turned On.

Under the TPM Advanced Settings menu, TPM2 Algorithm Selection must be set to SHA256.

Back in the System Security menu, Secure Boot must be Enabled.
Boot the server and add it to vCenter.
Enable the SSH service and log on to the server. Check the TPM status:
# esxcli system settings encryption get | grep Mode
Mode: NONE
Set the mode to TPM:
# esxcli system settings encryption set --mode TPM
Get the encryption keys and store them somewhere safe, like a password manager:
# esxcli system settings encryption recovery list
Recovery ID Key
-------------------------------------- ---
{....} ....
In vCenter, you’ll see a warning for each host about the encryption key backup status. This last step was what that warning was about. If you’re confident the recovery ID and Key for each host are securely stored, reset the warning to green. The hosts are now utilizing their TPM capability.
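The shell steps above wrapped into a repeatable check, as an added example that is not part of the original post: it sets TPM mode only when the host reports NONE, re-reads the mode to confirm, and counts recovery entries without printing the key. The function names are hypothetical, and the parsing assumes the esxcli output layout shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes the esxcli output layout shown in the post: a "Mode: <value>" line,
# and a recovery table with a dashed separator line under its header.

# Print the current encryption mode, e.g. NONE or TPM.
get_mode() {
    esxcli system settings encryption get |
        awk '$1 == "Mode:" { print $2 }'
}

# Count recovery entries without echoing the key to the terminal or to logs.
recovery_key_count() {
    esxcli system settings encryption recovery list |
        awk 'seen && NF { n++ } /^[[:space:]]*-+/ { seen = 1 } END { print n + 0 }'
}

# Switch to TPM mode only when the host reports NONE, then re-read to confirm.
# Returns 0 on success, 1 if the change did not take effect, 2 on an
# unexpected mode (nothing is changed in that case).
ensure_tpm_mode() {
    current=$(get_mode)
    case "$current" in
        TPM)  echo "mode already TPM" ;;
        NONE) echo "mode is NONE, setting TPM"
              esxcli system settings encryption set --mode TPM || return 1 ;;
        *)    echo "unexpected mode '$current', not changing anything" >&2
              return 2 ;;
    esac
    [ "$(get_mode)" = "TPM" ] || return 1
}

# Run only where esxcli exists, i.e. on the ESXi host itself.
if command -v esxcli >/dev/null 2>&1; then
    ensure_tpm_mode && echo "recovery entries: $(recovery_key_count)"
fi
```

A recovery entry count of 0 after the switch means there is nothing to back up yet, so the vCenter warning should not be reset for that host.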