amluto 2 hours ago

A lot of TPMs are “fTPM”s, which are implemented in something resembling software. It’s an open question whether the hardware in question has usable roots of trust, but a lot of TPM applications don’t actually require endorsement. And some servers have plug-in TPMs.

Of course, many critical components on a motherboard and CPU verify their firmware using non-post-quantum keys, which is another issue.
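A practical first check for the distinction raised above (discrete chip versus fTPM) is to read the manufacturer property the TPM reports. The script below is an added example, not part of the comment or of any project mentioned in it: it parses `tpm2_getcap properties-fixed` output (a constructed sample is embedded; the `tpm2-tools` 5.x layout is assumed) and maps the TCG vendor ID to a vendor. The split into "firmware/SoC-integrated" and "discrete" is an assumption of this example, a heuristic hint about where the root of trust likely lives, not an attestation of it.

```python
import re
import subprocess

# Vendor IDs follow the TCG TPM Vendor ID Registry: a 4-character, space- or
# NUL-padded ASCII string carried in TPM2_PT_MANUFACTURER.  Grouping them into
# "firmware/SoC-integrated" and "discrete" is an assumption made for this
# example (product lines change); treat the result as a hint, not as proof.
SOC_INTEGRATED = {
    "AMD": "AMD fTPM (runs in the platform security processor firmware)",
    "INTC": "Intel PTT (firmware TPM hosted by the ME/CSME)",
    "MSFT": "Microsoft (e.g. Hyper-V virtual TPM)",
    "QCOM": "Qualcomm firmware TPM",
}
DISCRETE = {
    "IFX": "Infineon discrete TPM",
    "STM": "STMicroelectronics discrete TPM",
    "NTC": "Nuvoton discrete TPM",
    "ATML": "Atmel / Microchip discrete TPM",
}

# Constructed sample of `tpm2_getcap properties-fixed` output, trimmed to the
# properties this check looks at.
SAMPLE_AMD = """\
TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_MANUFACTURER:
  raw: 0x414D4400
  value: "AMD"
TPM2_PT_VENDOR_STRING_1:
  raw: 0x414D4400
  value: "AMD"
TPM2_PT_FIRMWARE_VERSION_1:
  raw: 0x30028
"""

_MANUF_RE = re.compile(r"TPM2_PT_MANUFACTURER:\s+raw:\s*(0x[0-9A-Fa-f]+)")


def manufacturer_from_getcap(text: str) -> str:
    """Extract the 32-bit vendor ID from getcap output and decode it to ASCII."""
    m = _MANUF_RE.search(text)
    if not m:
        raise ValueError("TPM2_PT_MANUFACTURER not found in getcap output")
    raw = int(m.group(1), 16).to_bytes(4, "big")
    return raw.decode("ascii", errors="replace").strip(" \x00")


def classify(vendor_id: str) -> tuple[str, str]:
    """Return (kind, description) for a decoded vendor ID (heuristic)."""
    if vendor_id in SOC_INTEGRATED:
        return ("firmware/SoC-integrated", SOC_INTEGRATED[vendor_id])
    if vendor_id in DISCRETE:
        return ("discrete", DISCRETE[vendor_id])
    return ("unknown", f"unrecognised vendor ID {vendor_id!r}")


def inspect_tpm(text: str) -> dict:
    """Summarise what the getcap output says about the TPM's likely form."""
    vendor = manufacturer_from_getcap(text)
    kind, desc = classify(vendor)
    return {"vendor_id": vendor, "kind": kind, "description": desc}


if __name__ == "__main__":
    # Use the live TPM when tpm2-tools is installed and a TPM is reachable;
    # otherwise fall back to the constructed sample so the script still runs.
    try:
        out = subprocess.run(
            ["tpm2_getcap", "properties-fixed"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_AMD
    print(inspect_tpm(out))
```

Even a "discrete" answer here says nothing about whether the device's endorsement key chains to a vendor certificate, which, as the comment notes, many TPM uses never check; that requires inspecting the EK certificate separately.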