• 2 Posts
  • 128 Comments
Joined 1 year ago
Cake day: June 22nd, 2023

  • Please let me know if you figure it out. I opted for the detached header approach a few years ago because it had most of the same benefits without the headache and poor support. I’m wondering if it might be possible to replicate what Grub is doing, as it is relatively trivial, but that doesn’t mean easy. Basically you’d have a Secure Boot signed bootloader that is able to boot a protected file system (secondary /boot) where your kernel & initramfs, or combined image, exists. This secondary boot partition can be a lot more flexible though, so it could even read a sparse-based file that has a file system stored in it, and then from there you’d unlock the second layer of encryption. My guess is it can be done using something besides Grub and you’d have full access to all the algorithms available under cryptsetup.
  • Well, first they are lying to you. You don’t have to hand out certificates manually and that isn’t how Intune does it either. They are provisioned using SCEP generally, which has its own security drawbacks. You can get these certificates from a SCEP server using a tool like Certmonger.

    Most companies that say they don’t officially support Linux already have you sign an acceptable-use agreement to only use company-provided hardware and approved software. And while they may act like they’ll make a special exception for you, you better make sure you got it in writing and in a way that would comply with your other employment agreements. One thing most IT employees don’t have the privilege of is negotiating the legal terms of their employment. There are already multiple US cases of employees being criminalized for breaking their employer’s AUP.

    I wish you the best of luck, but feel like you’re prob in for a harsh reality.
  • SysV didn’t have to have a lot of documentation. It was simple to understand what it did, and the underlying system was mostly shell scripting. It didn’t try to be and do everything.

    I don’t hate systemd. I prefer it now for the most part. I really do think Lennart Poettering is incredibly skilled and intelligent. I am just frustrated that so much gets pushed without adequate resources and support to weigh what is production-ready, and what is bleeding edge. I’ve already had systemd bite me in the ass at least once where they made a significant unannounced change to systemd-cryptsetup. I had to go find answers by reading through pull request and GitHub issue comments, and it wasn’t easy to find either. The community acted like it wasn’t a big deal that it caused systems to no longer boot. Move fast & break things isn’t the message that will win over larger companies.
  • I wonder how you’re supposed to get PXE boot to work securely over the internet.

    PXE boot is more of a last resort IMO, but can be used as a chainloader to a more secure option. The biggest challenge I could see security-wise is having PXE boot being run on unsecured networks. Even then though, normally a computer will have been provisioned on a secure network and will have encryption and secure boot-based encryption, and some additional signature-based image verification.
  • Imaging environment down? If a sysadmin can’t figure out how to boot a machine into recovery to remove the bad update file then they have bigger problems. The fix in this instance wasn’t even re-imaging machines. It was merely removing a file. An ideal DR scenario would have a recovery image already on the system that can be booted into remotely, so there is minimal strain on the network. Furthermore, we don’t live in the dial-up age anymore.