Enable Kernel DMA Protection on Windows guest

I’m currently attempting to pass through a ThunderboltEX 4 card into a Windows 11 guest on virt-manager. I have VT-x and Hyper-V enabled, but Kernel DMA Protection is off according to MSINFO32.exe. The only feature I don’t have running is VT-d, which is provided by configuring vIOMMU in virt-manager. This is my progress so far:

<!-- Each pci-root-port has its own iommu driver. 
No driver is present in the other controller types. -->
    <controller type="pci" index="2" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="2" port="0x11"/>
      <driver iommu="on" ats="on"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0"/>
    </controller>
<!-- This is how the vIOMMU model is declared -->
    <iommu model="intel">
      <driver intremap="on" caching_mode="on" iotlb="on"/>
    </iommu>

Even with these additions, DMA protection is off, and if I attempt to pass through the Thunderbolt 4 NHI
i.e. USB controller: Intel Corporation Thunderbolt 4 NHI [Maple Ridge 4C 2020]
the VM hangs during boot and doesn’t proceed to the login page. The ThunderboltEX 4 card has been passed through successfully on macOS and Ubuntu guests. The only thing that makes Windows different, from my research, is their virtualization-based security from builds 1803 and above. Any insights into enabling Kernel DMA Protection or setting up vIOMMU properly would be much appreciated.