What's so wrong with installing linux on a real laptop?
Modern laptops come with remote administration tools built into the chips on the board. (The vendors tout this as a feature, simplifying administration of a large company's workstations. It's easier and cheaper to build it into everything than to be selective, so it's in the machines sold to individuals, too.)
One example: Intel Active Management Technology (AMT) and its standard Intelligent Platform Management Interface (IPMI), the latter standardized in 1998 and supported by "over 200 hardware vendors". This is built into the northbridge (or, in early models, the Ethernet) chip).
Just TRY to get a "modern laptop" (or desktop), using an Intel chipset, without this feature. (I suspect the old Thinkpad is how far back they had to go to avoid it.)
You can't disable it: Dumping the credentials or reverting to factory settings just makes it think it hasn't been configured yet and accept the first connection (ethernet or WiFi, whether powered up or down) claiming to be the new owner's sysadmins.
If the NSA doesn't know how to use this to spy on, or take over, a target computer, they aren't doing their jobs.
Some of the things this can do (from the Wikipedia articles - see them for the footnotes):
Hardware-based AMT features include:
Encrypted, remote communication channel for network traffic between the IT console and Intel AMT.
Ability for a wired PC (physically connected to the network) outside the company's firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console. Examples of an open LAN include a wired laptop at home or at an SMB site that does not have a proxy server.
Remote power up / power down / power cycle through encrypted WOL.
Remote boot, via integrated device electronics redirect (IDE-R).
Console redirection, via serial over LAN (SOL).
Keyboard, video, mouse (KVM) over network.
Hardware-based filters for monitoring packet headers in inbound and outbound network traffic for known threats (based on programmable timers), and for monitoring known / unknown threats based on time-based heuristics. Laptops and desktop PCs have filters to monitor packet headers. Desktop PCs have packet-header filters and time-based filters.
Isolation circuitry (previously and unofficially called "circuit breaker" by Intel) to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.
Agent presence checking, via hardware-based, policy-based programmable timers. A "miss" generates an event; you can specify that the event generate an alert.
OOB alerting.
Persistent event log, stored in protected memory (not on the hard drive).
Access (preboot) the PC's universal unique identifier (UUID).
Access (preboot) hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test (POST).
Access (preboot) to third-party data store (TPDS), a protected memory area that software vendors can use, in which to version information, .DAT files, and other information.
Remote configuration options, including certificate-based zero-touch remote configuration, USB key configuration (light-touch), and manual configuration.
Protected Audio/Video Pathway for playback protection of DRM-protected media.
Additional AMT features in laptop PCs
Laptops with AMT also include wireless technologies:
Support for IEEE 802.11 a/g/n wireless protocols
Cisco-compatible extensions for Voice over WLAN
This just happens to be one I'm familiar with. I don't know whether (or which) other chip makers (such as AMD) have similar "features" built in as well (though I'd be surprised if they didn't, since they want to sell into big companies, too).