Unsolved

5 Practitioner

 • 

274.2K Posts

October 12th, 2022 02:00

Dell XPS 15 7590; Windows 11 22H2; problems when secure boot is enabled

XPS 15 7590

Hello. I recently updated my Dell XPS 15 7590 from Windows 11 to version 22H2. I had 3 failed attempts where the software downloads and installs, but it did not get past the bootup screen on restart (i.e. the Dell logo in white on a black background). It automatically uninstalls the upgrade and restarts Windows. I read a forum that said try disabling the Secure Boot, which I did - and it worked! However, now if I go back into the BIOS to enable the Secure Boot again, I get a blue screen with stop code: inaccessible boot device. If I disable the secure boot, everything is fine!

Does anyone have advice on how to successfully resolve this? I want to enable the secure boot without running into an error with the newly updated Windows 11 22H2.

Thank you!

April 12th, 2023 01:00

Your situation, like the one of any other professional using this laptop, is exactly what makes me astonished about how much Dell is ignoring this issue. It's just ridiculous.

1 Rookie

 • 

23 Posts

April 12th, 2023 17:00

Interesting…. I actually had Secure Boot set to “Audit Mode” instead of completely disabled. Apparently it needs to be completely disabled for it to boot properly. To me, this definitely indicates a problem on Dell’s side. It shouldn’t be blocking anything when it is set to “audit mode”. The fact that SB has to be completely disabled indicates the way Dell is handling SB altogether is not jiving with the boot process used by the new Windows version. In other words, it’s not actually blocking the boot. It simply isn’t able to work with the boot process for the new Windows 22h2 version at all.

1 Rookie

 • 

23 Posts

April 12th, 2023 17:00

I disabled Secure Boot, and attempted to install the update again. The system still locked up at the Dell logo screen while loading the OS.

I thought this was determined to only be an issue with Secure Boot. Do the Virtualization settings also need to be disabled? If so, that’s an even bigger mess….

1 Rookie

 • 

23 Posts

April 12th, 2023 19:00

Secure Boot is the issue. It has to be disabled completely. You can’t just put it into audit mode.

As for what Secure Boot does, there are many things that it is required for, not to mention the benefits of the feature on its own. It is required for VBS, but VBS can be enabled on any system that supports it (Windows 10/11 Enterprise, Windows Server 2016+, not just Hyper-V VMs). VBS provides a lot of protections around cached credentials, and other things. We worked very hard to get TPMs and Secure Boot enabled on many of our VM Hosts and client endpoints so that we could enable VBS on them. Disabling Secure Boot basically disables and negates all of that.

Also, I think Secure Boot is required for BitLocker. I haven’t rebooted since I successfully installed the 22h2 update to see if I’m prompted to enter my BitLocker password, but I wasn’t prompted for my BitLocker password when my system booted up following the completion of the 22h2 update installation.

Just to be clear, all that needs to be disabled to get the update to install and the system to boot up correctly is Secure Boot. It must be DISABLED, though. Placing it into audit mode will not suffice.

While disabling Secure Boot simply requires unchecking a box in the BIOS, the implications of disabling it are quite large. Just about every security enhancement these days requires secure boot. I have already verified that VBS is no longer running on my laptop after disabling it. The system is no longer protected from changes being made to the boot process, either. Plus, BitLocker (I think)…. I’m sure there are plenty of other security features that depend on Secure Boot, too. Those are just the ones that we use.

 

If you have Secure Boot disabled, and you are having issues with a fresh install of Windows 11 22h2, you must have something configured incorrectly on your VM. Also, you mentioned both VMware and Hyper-V. These are two different virtual environments. I don’t know what might be wrong with your virtual environment, or with the setup of your new VM, but I don’t think it is related to this issue. If you are using VMware (and not Hyper-V), make sure you have the latest ESXi updates installed. There was a bug that was patched a month or two back that fixed issues with Secure Boot causing issues with Windows Server 2022. It could also be causing issues with the latest version of Windows 11.
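The post above mentions verifying that VBS stopped running once Secure Boot was disabled and wonders about BitLocker. One way to read those states from Windows itself, as an added example that is not part of the original post (the function name `Get-BootSecurityPosture` is hypothetical; the cmdlets and the `Win32_DeviceGuard` class are standard Windows components):

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
function Get-BootSecurityPosture {
    $r = [ordered]@{}

    # Secure Boot state as reported by firmware; throws on legacy BIOS or when not elevated.
    try   { $r.SecureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r.SecureBoot = "unknown ($($_.Exception.Message))" }

    # Device Guard WMI class: what VBS is configured to require and what is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $property = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }
    $status   = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $service  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }

    # Translate a list of numeric codes into labels; codes not in the map are shown as-is.
    $label = {
        param($map, $values)
        ($values | Where-Object { $_ } | ForEach-Object {
            if ($map.ContainsKey([int]$_)) { $map[[int]$_] } else { "code $_" }
        }) -join ', '
    }

    $r.VbsStatus        = $status[[int]$dg.VirtualizationBasedSecurityStatus]
    $r.VbsRequires      = & $label $property $dg.RequiredSecurityProperties
    $r.PlatformProvides = & $label $property $dg.AvailableSecurityProperties
    $r.ServicesRunning  = & $label $service  $dg.SecurityServicesRunning

    # BitLocker on the OS volume: protection state and the protector types in use.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $r.BitLockerProtection = [string]$vol.ProtectionStatus
        $r.BitLockerProtectors = ($vol.KeyProtector.KeyProtectorType) -join ', '
    } catch {
        $r.BitLockerProtection = "unknown ($($_.Exception.Message))"
    }

    [pscustomobject]$r
}

Get-BootSecurityPosture | Format-List

# The TPM protector's "PCR Validation Profile" line shows which measurements it is bound to.
manage-bde -protectors -get $env:SystemDrive
```

Running it once with Secure Boot enabled and once with it disabled shows which of these features change state on a given machine.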

22 Posts

April 12th, 2023 19:00

I have Secure Boot Disabled. I installed the Beta build from ISO, Sandbox vGPU still didn't work. I updated to Canary Build 330? Got Sandbox vGPU working. I am using VMware, no issues. I have WSL working. Next I am going to enable Microsoft Virtual Platform.

What I want to find out is what fails if Secure Boot is disabled? Secure Boot is required for VBS (Virtualization Based Security) but if VBS is only required for Hyper-V, then all the Credential Guard and Device Guard stuff is a bunch of nonsense. (there are some tough filters around here).

But I am not an expert and would love to hear the correct answer.

1 Rookie

 • 

23 Posts

April 12th, 2023 23:00

I think the issue is the boot platform key (PK) that Secure Boot uses no longer matches what is required to boot Windows 11 22h2. That is why you get a BSoD that says the boot device is inaccessible when you re-enable SB, and attempt to load Windows 11 22h2.

I will be opening a case with Dell Enterprise Support tomorrow regarding this. It could be that the new PK just needs to be loaded from one of the disk partitions. Of course, that doesn’t solve the issue of how to upgrade 12k+ endpoints without having to manually touch all of them, but it would at least be a start.

Hopefully, I’ll have some info from Dell that I can share soon, since they seem to be completely ignoring this Forum Post…..

22 Posts

April 13th, 2023 07:00

Thank you @Grime121. I contacted Dell a couple weeks ago and was told this problem would not be getting fixed. Look for my previous comments. I don't have 12k endpoints and if I did, I would be very upset.

I eagerly await your updates!   Please keep us informed.

1 Message

April 13th, 2023 09:00

Hello,
I noticed that Dell had released BIOS version 1.21.0 on 12/04/2023.

I upgraded to this version hoping that it may resolve the secure boot issue. The upgrade completed successfully, however, I can no longer see the option to upgrade to Windows 11 in Windows Update!

It seems like v1.2.1 is not yet supported for W11 - I can't roll back to the previous BIOS version and will have to wait until the upgrade option is presented in Windows Update.

 

33 Posts

April 13th, 2023 10:00

You may upgrade via the upgrade assistant too via the download link below:

This assistant is for those who wish to:

  • Upgrade a Windows 10 PC to Windows 11.


Before you begin, check to see if the following conditions apply to you:

  • You have a Windows 10 license.
  • Your PC must have Windows 10, version 2004 or higher installed to run Installation Assistant.
  • Your PC must have 9 GB of free disk space to download Windows 11.

https://www.microsoft.com/software-download/windows11

 

22 Posts

April 13th, 2023 11:00

I had the same results as @benoit.laplante. I am running the canary build of Windows 11. Installed the 1.21.0 BIOS; the BSOD still occurs when Secure Boot is enabled.

On the plus side, I did not have to modify the BIOS to re-enable undervolting.

April 13th, 2023 11:00

NOPE it does not fix the issue. I was able to install W11 22H2 with Secure Boot disabled. After installing BIOS 1.21.0, the BSOD still occurs when enabling Secure Boot 

1 Rookie

 • 

23 Posts

April 13th, 2023 18:00

Unfortunately, the warranty expired on my laptop 2.5 months ago. So, they won’t provide me with support. Not sure why we got 3 year warranty on it… we usually get 5 year.

I did find out something that could possibly be the issue, though…. We originally purchased this laptop with Ubuntu loaded on it because it HAD to come with an OS pre-loaded, and we didn’t want to pay for a Windows license that we already owned. That’s ANOTHER reason Dell Support won’t work with me on this….

However, that got me to thinking… If it came loaded with Ubuntu, it probably did not have the Windows PKs loaded by the OEM for Secure Boot. That could in fact be the issue, although, I don’t know why it worked prior to the upgrade. Maybe without that, Windows will not update the PKs for Secure Boot automatically when the update is installed? I’m not sure.

So, if your Dell computer did not come pre-loaded with Windows, that could be your issue. There is a way to manually load the PKs through the BIOS, but I’m not quite sure how to do that. At least, not yet. You have to browse to a file, and import it. I’m just not sure what file it requires, or where to find that file. Maybe it’s somewhere in the EFI partition? I’m not sure.

I also found out that we have tested 22h2 with quite a number of other Dell systems that have Secure Boot enabled, and they did not have a problem. That makes me think even more that the PKs used by Secure Boot are not up-to-date for whatever reason, and possibly because the laptop came preloaded with Ubuntu instead of Windows.

I don’t know if any of this info will help any of you, but that appears to be my situation. My laptop is a Precision 7540, BTW. 64GB RAM, 1TB NVMe disk… It was pretty much the top of the line when we bought them for our three Sr. Systems Engineers back in 2020.

I’m waiting on a response from our Dell Enterprise Account Manager now to see if there’s anything I can do, other than figuring out how to update the PKs myself, or replace the laptop…..
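The post above asks which keys the firmware actually holds. The Secure Boot variables can be read from Windows and their certificates listed, shown here as an added example that is not part of the original post (the function name `Get-SecureBootCertificate` is hypothetical; the layout parsed is the UEFI `EFI_SIGNATURE_LIST` structure):

```powershell
# Added example, not from the thread. Run elevated on a UEFI system.
# PK and KEK control who may update the signature databases; db holds the
# certificates that boot loaders are checked against.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCertificate {
    param([ValidateSet('PK', 'KEK', 'db')][string]$Name)

    $bytes  = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then list size,
        # header size and signature size (4 bytes each, little-endian).
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -le 16 -or
            $offset + $listSize -gt $bytes.Length) { break }   # malformed list

        $entry = $offset + 28 + $hdrSize
        $end   = $offset + $listSize
        while ($type -eq $X509Guid -and $entry + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: owner GUID (16 bytes) followed by a DER certificate.
            $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            [pscustomobject]@{
                Variable   = $Name
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
            $entry += $sigSize
        }
        $offset = $end
    }
}

foreach ($v in 'PK', 'KEK', 'db') {
    # An unset variable (for example, firmware in setup mode) surfaces as an error here.
    try   { Get-SecureBootCertificate -Name $v }
    catch { Write-Warning "$v could not be read: $($_.Exception.Message)" }
}
```

Comparing the output with that of a same-model machine that boots 22H2 with Secure Boot enabled shows whether the key sets differ.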

April 14th, 2023 04:00

Here is a short summary of the status of this issue for those who didn't follow the complete thread:

The issue is still not solved, also not with BIOS 1.21.
You have two chances to upgrade to 22H2. You can disable Secure Boot or you disable Support for Direct I/O in the Virtualisation Support section in the BIOS. If you don't need all virtualisation features on your machine you can choose the second option. Hyper-V is still functional with this setting disabled. This is the configuration I run on my machine with Secure Boot enabled.
So you can choose according to your needs as long as you don't need both because of company policy for instance. If you need both you're fried. This leads to the Blue Screen or gets stuck in the boot process.
I don't think it has anything to do with the boot platform key. I bought it with Windows and it should be supported and I'm still in warranty. Even this doesn't help a lot...

1 Message

April 14th, 2023 05:00

@Artur Friedenreich I hope you have (or will) raise a support issue for this. Most of us experiencing this are out of our support window and that seems to have let Dell off the hook with regard to fixing this. If everyone who has support opens a ticket hopefully they'll provide a proper fix for all of us.

I'm struggling to even talk to Dell and I keep getting sent to the form to buy more support. I just want to know if they're actively trying to fix this issue.

April 14th, 2023 06:00

Case is open. Until now I only received apologies but no solution.
