Enrolling a MOK: making Linux work with Secure Boot

Making Secure Boot work with Windows is easy, right? You just turn it on and go about your day, for the most part. But when you're on the Linux side... there's a lot of advice to "just turn it off and save yourself the trouble." I suspect a lot of this is a legacy of the distrust Microsoft built up over the years. There was certainly no shortage of people who believed that Secure Boot was nothing more than a ploy for Microsoft to get its keys to be trusted, and then they would eventually force the OEMs to only permit Microsoft's keys and lock everybody out of their own machines.

That's not how it all turned out, though. Yes, it's more hoops to jump through if you want to use Secure Boot and compile your own kernel modules. But then, it's more work to be compiling your own kernel modules in the first place--if you could use just what comes shipped with the distro (and signed with their keys), you'd have much the same supported experience as a Windows user. But creating and enrolling your own MOK (Machine Owner Key) for Secure Boot really doesn't have to be a big deal!

EXTRA CREDIT:
While I've had to use a MOK on my Framework Laptop 16 (for third-party drivers), I never had to use it on a server until I deployed the Datto Linux Agent this last week. I'm pleased that the enrollment process works as smoothly under Hyper-V as it does on my laptop!
I wouldn't go out of my way to create and enroll a MOK on a regular basis. After all, if you don't need it, why bother with it? You can always create and enroll one later if the need arises. And there is something to be said for simplicity--if your distro has all the drivers it needs (as is typically the case under Hyper-V), you're all set and good to go already!