[devaiops9001]

On my team we have Qubes OS and some Linux variant. We use cryptography-first GitOps to configure the machines. Everyone is issued a Trezor wallet as part of their org member id.

Anyone, regardless of role or organizational rank, can modify their system with a pull request. Once an appropriate combination of cryptographic signatures (depending on what is changed) is reached the new infra-as-code is pushed/pulled and so long as the cryptographic signatures match a GitOps process on the Qubes machine the changes happen.

We internally "support" Windows apps such as the desktop app MS Excel (not the web/O365 thing) in Qubes or KVM and everyone seems to be happy with what we have.