It doesn't exactly make you wonder why this isn't documented:

bash-3.2# csrutil enable --without kext
csrutil: requesting an unsupported configuration. This is likely to break in the
 future and leave your machine in an unknown state.

Stumbled across this when I tried to understand why a certain kext wouldn't load, producing a very curious error message

Booting Windows 10 from external media on a new MacBook Pro isn't as easy as it used to be, but IT CAN BE DONE! :-)

The Mac will only boot via EFI, hence the Windows 10 disk has to be formatted as GPT . When looking for a tool to convert a Windows installation from MBR to GPT I stumbled across several dubious looking 3rd party tools at first. After a while I realized that Windows 10 already ships with a tool that does the job - MBR2GPT.exe. This took a while but did work.

However, the Mac won't boot Windows directly - it has to be blessed (!) first.

In order to bless the Windows installation you have to boot the Mac into Recovery (!), then open a terminal and cast the secret spells:

csrutil disable
bless -mount /Volumes/BOOTCAMP -setBoot
csrutil enable

Not too obvious I guess.

When my old MacBook Pro Late 2013 broke down due to a broken battery, I received a newer, used MacBook Pro 2018 from Carsten. I used my last TimeMachine Backup to automatically setup the new machine which took quite a while but otherwise did work as expected.

However, the APFS Preboot won't be setup automatically which you don't necessarily realize instantly. But as soon as you want to change the "Startup Security" for booting i.e. from external media, you're confronted with a slightly confusing dialogue:

Luckily, this can be solved: "No administrator was found" in Startup Security Utility

znek@optimist:(~)$ sysadminctl -secureTokenStatus znek
2020-06-26 14:49:32.994 sysadminctl[923:13224] Secure token is DISABLED for user znek
znek@optimist:(~)$ sysadminctl interactive -secureTokenOn znek -password -
Enter password for znek :
2020-06-26 15:06:10.405 sysadminctl[959:16991] - Done!
znek@optimist:(~)$ sysadminctl -secureTokenStatus znek
2020-06-26 15:06:19.678 sysadminctl[985:17337] Secure token is ENABLED for user znek
znek@optimist:(~)$ diskutil apfs updatePreboot /
Started APFS operation
UpdatePreboot: Commencing operation to update the Preboot Volume for Target Volume disk1s1 Optimist
UpdatePreboot: The Target Volume's OpenDirectory (non-special kind) user count is 1 and the Recovery (any of 3 kinds) user count is 0
UpdatePreboot: There are OpenDirectory user(s) but no Recovery user(s)
UpdatePreboot: The above is an abort condition for some purposes but not UpdatePreboot; continuing
UpdatePreboot: No custom Open Directory path given
UpdatePreboot: Using GivenVolumeMountPointOrNilIfNotMounted for the MacOSSearchPath
UpdatePreboot: Using MacOSSearchPath's child dslocal path for the OpenDirectorySearchPath
UpdatePreboot: MacOS Search Path = (nil=NotMounted) = /
UpdatePreboot: Open Directory Database Search Path = (nil=MacOSSearchPathNotMounted) = /var/db/dslocal/nodes/Default
UpdatePreboot: Preserve EncryptedRootPList When No-OD = 0
UpdatePreboot: Successfully opened Open Directory database; setting AuthODNodeOrNil accordingly
UpdatePreboot: Mounting and ensuring as mounted the related Preboot Volume
UpdatePreboot: Preboot Volume = disk1s2 Preboot
UpdatePreboot: Taking mount hold on Preboot Volume
UpdatePreboot: Preboot Volume Target Directory = /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6
UpdatePreboot: Considering APFS Crypto User 0E49C3F6-AF8E-41A5-B01A-0A9FBC91F27F
UpdatePreboot: Defaulting and requiring that this be an Open Directory User
UpdatePreboot: Treating this APFS Crypto User to be, and requiring to match, an Open Directory User
UpdatePreboot: Correlated APFS Volume Crypto User with Open Directory User 0E49C3F6-AF8E-41A5-B01A-0A9FBC91F27F aka "znek"
UpdatePreboot: Reading JPEG user picture of length 8166 from Open Directory database
UpdatePreboot: All required data for this Open Directory user has been obtained
UpdatePreboot: Parameters for EFILoginUserGraphics count=1 "unlockOptions"="2"
UpdatePreboot: Before rendering EFILoginUserGraphics user (graphics/audio) resources Name=znek PictureSize=(NoneIsOK)=8166 HintOptional=(null)
UpdatePreboot: After rendering EFILoginUserGraphics DataObj=(NullIsError)=0x7fce43e0dd00 DataLen=1260626
UpdatePreboot: Before rendering EFILoginUserNamesData resources UserArrayCount=3
UpdatePreboot: After rendering EFILoginUserNamesData DataObj=(NullMeansWeWillSkip)=0x7fce43e0c800 ItemCount=3
UpdatePreboot: Successfully added a macOS OD User to the building dictionary
UpdatePreboot: Processed APFS Volume Crypto User 0E49C3F6-AF8E-41A5-B01A-0A9FBC91F27F
UpdatePreboot: Error for this processed user was 0
UpdatePreboot: Error among all processed users was 0
UpdatePreboot: The Encrypted Root PList File content is ready
UpdatePreboot: Not encrypting the Encrypted Root PList File content
UpdatePreboot: Encrypted Root PList File to be created path will or would be /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey
UpdatePreboot: Proceeding to write Encrypted Root PList, creating a path as necessary
UpdatePreboot: Successfully wrote Encrypted Root PList File
UpdatePreboot: DiskManagement Info PList File path will be /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/var/db/CryptoUserInfo.plist
UpdatePreboot: Successfully wrote DiskManagement Info PList File
UpdatePreboot: Checking for existence of Static EFI Resources directory /usr/standalone/i386/EfiLoginUI
UpdatePreboot: Before copying contents of directory of Static EFI Resources at /usr/standalone/i386/EfiLoginUI into directory /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/usr/standalone/i386
UpdatePreboot: After copying error=(ZeroMeansSuccess)=0
UpdatePreboot: Looking for locale list on macOS on Target Volume
UpdatePreboot: Locale list item count is 5
UpdatePreboot: Before rendering EFILoginInterfaceGraphics global localized resources
UpdatePreboot: After rendering EFILoginInterfaceGraphics FileNamesAndDataObj=(NullIsError)=0x7fce45108990 ItemCount=11
UpdatePreboot: Writing localized EFI graphics resource file /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/loginui.efires
UpdatePreboot: Successfully wrote EFI resource file
UpdatePreboot: Writing localized EFI graphics resource file /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/flag_picker.efires
UpdatePreboot: Successfully wrote EFI resource file
UpdatePreboot: Writing localized EFI graphics resource file /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/preferences.efires
UpdatePreboot: Successfully wrote EFI resource file
UpdatePreboot: Writing localized EFI graphics resource file /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/battery.efires
UpdatePreboot: Successfully wrote EFI resource file
UpdatePreboot: Writing localized EFI graphics resource file /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/appleLogo.efires
UpdatePreboot: Successfully wrote EFI resource file
UpdatePreboot: Writing localized EFI graphics resource file /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/sound.efires
UpdatePreboot: Successfully wrote EFI resource file
UpdatePreboot: Writing localized EFI graphics resource file /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/unknown_userUI.efires
UpdatePreboot: Successfully wrote EFI resource file
UpdatePreboot: Writing localized EFI graphics resource file /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/disk_passwordUI.efires
UpdatePreboot: Successfully wrote EFI resource file
UpdatePreboot: Writing localized EFI graphics resource file /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/guest_userUI.efires
UpdatePreboot: Successfully wrote EFI resource file
UpdatePreboot: Writing localized EFI graphics resource file /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/Lucida13.efires
UpdatePreboot: Successfully wrote EFI resource file
UpdatePreboot: Writing localized EFI graphics resource file /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/System/Library/Caches/com.apple.corestorage/EFILoginLocalizations/Lucida13White.efires
UpdatePreboot: Successfully wrote EFI resource file
UpdatePreboot: Generating AdminUserList for Recovery purposes
UpdatePreboot: Considering admin user FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
UpdatePreboot: Considering admin user 0E49C3F6-AF8E-41A5-B01A-0A9FBC91F27F
UpdatePreboot: Error among all processed admin users was 0
UpdatePreboot: Writing Admin User Info File to path /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/var/db/AdminUserRecoveryInfo.plist
UpdatePreboot: Successfully wrote Admin User Info File
UpdatePreboot: Checking for existence of Secure Access Token file /var/db/dslocal/nodes/Default/secureaccesstoken.plist
UpdatePreboot: Before copying Secure Access Token file /var/db/dslocal/nodes/Default/secureaccesstoken.plist into directory /Volumes/Preboot/1ED6B083-A941-46B2-B3B1-4635AC4999C6/var/db
UpdatePreboot: After copying error=(ZeroMeansSuccess)=0
UpdatePreboot: Releasing mount hold on Preboot Volume
UpdatePreboot: Unmounting Preboot Volume
UpdatePreboot: Did unmount Preboot Volume err=(ignored)=0
UpdatePreboot: Doing memory releases
UpdatePreboot: Exiting Update Preboot operation with overall error=(ZeroMeansSuccess)=0
Finished APFS operation
znek@optimist:(~)$ 

This one is kinda obvious, but nevertheless some trap:

If you clone a drive on Windows (i.e. via Samsung Data Migration Software ) and you don't remove the old drive before rebooting, without switching SATA cables Windows will boot from the old drive…

The reason? Despite what boot order you put in the BIOS/UEFI, the hardware path to the drive is unaltered in the boot loader (also on the cloned drive), which still leads to the old drive and thus will boot that one.

Thoughts on The Mandalorian, Season 1

I liked Rogue One in particular for its characters and portrayal of the Empire. Krennic was a believable character, careerist, ruthless, and highly professional. He fit perfectly in the Imperial ranks where he didn't stand out - in fact, he was just like anyone else. In my opinion, that's exactly how the Empire should be depicted in all Star Wars movies and spinoffs - cold, technocratic, unforgiving.

The first season of The Mandalorian leaves me with mixed feelings. It got off to a good start and continued to entertain me, despite having some sidetracks (The Gunslinger, The Prisoner) that felt more like fillers than anything else. However, the end of Season 1 (The Reckoning and Redemption) couldn't have been worse.

Enter Moff Gideon, a totally overpowered kind of super villain who you'd expect to come from a different (comic) universe than Star Wars… who acts erratically, purposely to show off his ruthlessness but factually demonstrating utter cluelessness (The kid is extemely valuable to him but can be obliterated with no second thought if fighting starts - ok?!). Contrary to him, Werner Herzog's Character was excellent and conclusive. The standoff is, sadly, in the tradition of Star Wars movies, where Stormtroopers (and the supposedly elite Deathtroopers!) are nothing more than practice targets. To top it all off, the rather refreshing character IG-11 has to leave the show as a means to attribute more feelings to the character of The Mandalorian, who strikingly needs to become a better person for the sake of character development. This narrative comes at any cost it seems… weak.

All in all, Season 1 of The Mandalorian started promising, had a few dents along the way and ended up half assed in compliance with Disney's "HOWTO Star Wars" guidelines. I'm delighted that it didn't turn out nearly as bad as the movies, but that's already saying much about what you expect Disney to achieve with this supposed money printing franchise at their mercy these days. For a new format that had a good start, there could have easily been more in it.

May the force be stronger with Season 2.