Zero trust is fun; it's fine if the computers were all from the last decade and not circa 2011-2013 HP Minis with HDDs rather than SSDs or M.2 in the newest revisions of allowed devices on our networks.
Don't zero trust architectures often require secure boot as well as a functioning TPM-like secure enclave to do attestation on the client device before allowing the user to log on to some resource?
I would say that's a bonus. Zero trust should be based on strong identity (e.g., x509) and authentication/authorisation-before-connect, ideally that identity would come from HWRoT/TPM. Unfortunately, many vendors say they are zero trust while only implementing some aspects/principles. I wrote a blog on this topic earlier in the year - https://netfoundry.io/demystifying-the-magic-of-zero-trust-w...
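Added example (not code from the comment above or from NetFoundry) showing what "strong x509 identity plus authorisation-before-connect" means in practice. It builds a throwaway CA and a few client identities in memory, then runs a gate that first authenticates the presented certificate (chains to our root, client-auth EKU, inside its validity window) and only then checks policy, so nothing reaches the service until both pass. The service name, Common Names and policy map are constructed for the example; a real deployment would have the leaf key live in a TPM/HWRoT and the policy come from a policy store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrNotAuthorized: the identity authenticated, but policy denies this service.
var ErrNotAuthorized = errors.New("identity not authorized for service")

// Policy maps a service name to the certificate Common Names allowed to reach it.
// Constructed for this example; in production this comes from a policy store.
type Policy map[string][]string

// mintCert issues a certificate for tmpl. With parent == nil it is self-signed,
// otherwise it is signed by parent using parentKey.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// leafTemplate builds a client-auth leaf template valid over [notBefore, notAfter].
func leafTemplate(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// AuthorizeBeforeConnect is the gate: authenticate the presented identity
// (chain to our root, client-auth EKU, validity window), then authorize it
// against policy. Only a nil return lets a session to the service be opened.
func AuthorizeBeforeConnect(roots *x509.CertPool, leaf *x509.Certificate, service string, pol Policy) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("authentication failed: %w", err)
	}
	for _, cn := range pol[service] {
		if cn == leaf.Subject.CommonName {
			return nil
		}
	}
	return ErrNotAuthorized
}

// Demo builds an in-memory CA and several client identities and returns the
// gate's decision for each labelled case (all names and keys are constructed).
func Demo() map[string]error {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Zero Trust Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, err := mintCert(caTmpl, nil, nil)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	pol := Policy{"payroll-db": {"alice-laptop"}}
	live := func(serial int64, cn string) *x509.Certificate {
		return leafTemplate(serial, cn, now.Add(-time.Minute), now.Add(time.Hour))
	}
	alice, _, _ := mintCert(live(2, "alice-laptop"), ca, caKey)
	bob, _, _ := mintCert(live(3, "bob-laptop"), ca, caKey)
	expired, _, _ := mintCert(leafTemplate(4, "alice-laptop", now.Add(-2*time.Hour), now.Add(-time.Hour)), ca, caKey)
	rogue, _, _ := mintCert(live(5, "alice-laptop"), nil, nil) // self-signed: right name, wrong root

	return map[string]error{
		"alice":   AuthorizeBeforeConnect(roots, alice, "payroll-db", pol),
		"bob":     AuthorizeBeforeConnect(roots, bob, "payroll-db", pol),
		"expired": AuthorizeBeforeConnect(roots, expired, "payroll-db", pol),
		"rogue":   AuthorizeBeforeConnect(roots, rogue, "payroll-db", pol),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-8s -> %v\n", name, err)
	}
}
```

The "rogue" case is the one worth noticing: a certificate carrying the right Common Name but not issued by the trusted root never gets as far as the policy check, which is the difference between identity-based access and name-based access.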