October 12th, 2022 02:00

Dell XPS 15 7590; Windows 11 22H2; problems when secure boot is enabled

Hello. I recently updated my Dell XPS 15 7590 from Windows 11 to version 22H2. After 3 failed attempts where the software downloads and installs, but it did not get past the bootup screen on restart (i.e. the Dell logo in white on a black background). It automatically uninstalls the upgrade and restarts Windows. I read a forum that said try disabling the Secure Boot, which I did - and it worked! However, now if I go back into the BIOS to enable the Secure Boot again, I get a blue screen with stop code: inaccessible boot device. If I disable the secure boot, everything is fine!

Does anyone have advice on how to successfully resolve this? I want to enable the secure boot without running into an error with the newly updated Windows 11 22H2.

Thank you!

22 Posts

April 14th, 2023 06:00

I want to add to @Artur Friedenreich's summary.

I contacted Dell and they told me there would not be a fix.

This problem is happening on other brands that have the i7-9750H chip. The one example I found was a Lenovo P73.

Is it strange that the i7-9750H is discontinued?

https://ark.intel.com/content/www/us/en/ark/products/codename/97787/products-formerly-coffee-lake.html

Still researching, if anyone gets something solid please post.

1 Rookie

23 Posts

April 14th, 2023 20:00

While Virtualization Technology for Directed I/O is not required for virtual devices, not having it enabled opens up a host of security vulnerabilities. Enabling that feature provides improved security and reliability when it comes to isolating virtual devices. This not only includes VMs that are running on the system, but also other technology that takes advantage of virtualization such as Virtualization-Based Security (VBS). Basically, VT-d isolates the virtualized containers so that they cannot be accessed from the base OS. Without this feature enabled, VBS will not work. On top of that, attackers can gain access to information contained within any virtualized environments that you are running (credentials, files, etc.).

It is a very important feature to have enabled whether you have VMs running on your system, or if you are just taking advantage of security benefits provided by virtualization technology. However, if you are not running Windows Enterprise Edition, you will not have these virtualization capabilities anyways. So, if you are running Home or Professional Edition, I'm pretty sure you can disable it without any ill effects, as long as you are not running any VMs on the system (Hyper-V or VMware).

April 14th, 2023 21:00

I agree totally, and this feature is of course very important on our hypervisor servers in the datacenter.
Nobody except me has access to the VMs I run on my laptop.
I hope nobody here runs the 7590 in the datacenter...

1 Rookie

23 Posts

April 14th, 2023 21:00

We have VBS enabled on all of our endpoints to protect credentials. Since I have Enterprise Admin creds, it’s especially important to have VBS working on my laptop. Most people should be OK disabling it though, especially if they are running Home/Pro Edition.

Laptop/workstation endpoints get popped by attackers much more frequently than servers, and without VBS on the client endpoints an attacker could obtain a level 2 or level 1 admin’s creds, and elevate from there.

8 Posts

April 22nd, 2023 00:00

VBS runs just fine without VT-d. Here's the output of msinfo32 on my XPS 15 7590 with VT-d disabled and Secure Boot enabled and Windows 11 22H2 installed:

[Image: Screenshot 2023-04-22 171351.png]

What won't work without VT-d is Kernel DMA Protection. AFAICT there's an inbox driver in Windows 11 22H2 that says it's compliant, but when run on a device with a 9th Generation Intel CPU + associated chipsets decides that it isn't, which prevents the NVMe driver from loading and results in the inaccessible boot device BSoD (at least, this is my best guess of what I think is happening, in the absence of live kernel debugging).

What we need is for someone (Dell engineers preferably, but Lenovo or HP or Microsoft engineers would also do) to get one of these devices with 9th Gen Intel CPU, load up 22H2 with Secure Boot + VT-d enabled and then perform a live debug to see which driver (or drivers) is failing to load when Kernel DMA Protection is enabled. Shouldn't be a difficult process for someone who knows what they're doing.
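The disagreement above (whether VBS is actually running, and whether DMA protection is available, on a given firmware configuration) can be checked from an elevated PowerShell prompt. The script below is an added example, not part of any post in this thread; it uses `Confirm-SecureBootUEFI` and the `Win32_DeviceGuard` CIM class, and the variable and function names are illustrative.

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell session.
# Value-to-label maps follow the documented Win32_DeviceGuard property values.
$vbsStatus  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$properties = @{
    1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure memory overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'
    7 = 'MBEC/GMET'; 8 = 'APIC virtualization'
}
$services = @{
    1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'; 4 = 'SMM firmware measurement'
}

# Hypothetical helper: turn a numeric array into readable labels, skipping 0/null.
function ConvertTo-Label {
    param($Values, [hashtable]$Map)
    $labels = foreach ($v in @($Values)) {
        if (-not $v) { continue }
        if ($Map.ContainsKey([int]$v)) { $Map[[int]$v] } else { "Unknown ($v)" }
    }
    @($labels) -join ', '
}

# Confirm-SecureBootUEFI throws on legacy BIOS systems or without elevation.
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = "Unknown: $($_.Exception.Message)" }

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction Stop

[pscustomobject]@{
    SecureBoot             = $secureBoot
    VbsStatus              = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    AvailableProperties    = ConvertTo-Label $dg.AvailableSecurityProperties $properties
    RequiredProperties     = ConvertTo-Label $dg.RequiredSecurityProperties $properties
    ServicesConfigured     = ConvertTo-Label $dg.SecurityServicesConfigured $services
    ServicesRunning        = ConvertTo-Label $dg.SecurityServicesRunning $services
    # 3 in AvailableSecurityProperties = DMA protection (IOMMU / VT-d) is available to VBS
    DmaProtectionAvailable = $dg.AvailableSecurityProperties -contains 3
    # 1 in SecurityServicesRunning = Credential Guard is actually running
    CredentialGuardRunning = $dg.SecurityServicesRunning -contains 1
} | Format-List
```

The "Kernel DMA Protection" row shown in msinfo32 is a separate field and is not read by this script; compare the output before and after toggling VT-d in firmware setup.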

November 12th, 2023 13:55

I recently installed Windows 11 23H2, and yesterday installed BIOS version 1.24.0.

I haven't been checking this for a while, but I tried re-enabling secure boot, and it worked fine. So whatever the issues were with Dell XPS 7590 and Windows 11 22H2 impacting secure boot, they seem to be resolved either by 23H2 alone (I didn't test) or 23H2 plus the 1.24 BIOS update.
