I currently have a Dell laptop that runs Windows for work. I use an external SSD via the Thunderbolt port to boot Linux allowing me to use the laptop as a personal device on a completely separate drive. All I have to do is F12 at boot, then select boot from USB drive.
However, this laptop is only using 1 of the 2 internal M.2 ports. Can I install Linux on a 2nd M.2 drive? I would want the laptop to normally boot Windows without a trace of the second option unless the drive is specified from the BIOS boot options.
Will this cause any issues with Windows? Will I be messing anything up? For the external drive setup, I installed Linux on a different computer, then transferred the SSD to the external drive. Can I do the same for the M.2 SSD – install Linux on my PC, then transfer that drive to the laptop?
Any thoughts or comments are welcome.
Edit: Thank you everyone! This was a great discussion with a lot of great and thoughtful responses. I really appreciate the replies and all the valuable information and opinions given here.
apparently you are unaware of how much monitoring goes on in corporate IT. you’re lucky they haven’t already found the mac address yet booted with a different os, or maybe they’re already onto you.
I would stop doing what you’re doing immediately and hope it’s not too lateDanger Will Robinson! Do NOT fuck with company hardware!
You are going to potentially set off a shit ton of alarm bells, and risk your job, by even attempting this.
First of all, almost all such devices come with a BIOS lock. You’d need to get the password before you could even begin this (again, do not do it!)
Secondly, they’ll be able to tell something is up from the foreign UEFI entries.
Thirdly, if that doesn’t expose you, Intel IME will. Doesn’t matter what operating system you’re running.
And you’re going to create some royal fucking headaches for a lot of people in your company.
Let’s start with security. Remember when I said you’ll set off alarm bells? Well, I mean some mother fucking alarm bells. Security will have a god damn aneurysm over this, and they will believe you may be doing this to bypass security, possibly for nefarious reasons. A foreign hard drive with its own OS looks shady as shit.
Then there’s the regular tech people. You’re going to cause various headaches for them too. Not least because under many service agreements, the company itself may not be authorised to open up the workstations themselves. Many workplaces rent their workstations nowadays, and it is not uncommon to see this language in their SLAs.
Then there’s the fact that the OS image on the original drive potentially cannot be trusted any more, so they have to wipe the fucker clean and do a fresh image install.
TL;DR, You are giving your company several solid reasons to fire you for cause by doing this.
He already boots linux via USB drive on it, I guess the difference to booting from PCI/M.2 drive would not be that different, in terms of security, or did I miss something?
The security implication from a USB boot are probably more severe but also more the fault of the people configuring your work machine. It is expected that people will plug things like pen drives in, to a degree. It is your job to block it with configurations.
The real problem is that once you start adding or removing internal hardware, that configuration no longer stays a trusted one because they’ve meddled with the components.
I had a work laptop and did the “external USB” thing. One day, at work, I’m messing with my Linux on a public wifi, having unplugged from the corporate LAN.
A co-worker walks by, sees the Network cord unplugged, plugs it in. I am oblivious in the washroom.
Corporate security got to my laptop before I did.
I didn’t get fired.
I don’t work there anymore, though.
Yeah, this is just a terrible idea. The risk is far greater than any potential reward you might be getting.
If the second internal ssd is there when windows boots, it will leave a trace. IMHO booting off the external drive is the best option if you want it to leave no trace on the windows partitions.
Also, it’s possible any booted device will leave a trace in the bios or uefi boot logs, which your corporation may have configured to ship to their audit logs or something similar.
Stop using work devices for personal business
Yes, and especially don’t fuck with the hardware or core boot/OS configuration. That’d the kind of stuff that can get you fired in most orgs I’ve been in.
Is Linux likely to mess up the stuff in Windows: probably not? It does require you to do likely-unauthorized things to the device to install, including potentially circumventing some controls required in the work device.
Whether it causes issue or not, circumventing those policies or controls is not going to land well if you get caught at it.
Nah, it’s just like shitting on work hours
Your point is valid but the IT department isn’t tracking your shits
Or maybe they are if you work for amazon
Sure, people should not use their work computer for personal use.
However, I would say the majority of people absolutely do use it for occasional personal use. Checking your personal email at work? Googling driving directions to the dentist? Using the pdf editor to fill out a form? Searching for a flight during your lunch break? I would say everyone I see at work does this, and I would bet that when they take their laptop home they would not hesitate to boot it up for personal use. And the people working remotely I would wager use it even more.
I’m not saying it’s right, but I do think using a completely separate SSD and OS is way more responsible from a security perspective.
There is a difference between using software on a work computer for private purposes and installing another OS on a work computer, don’t you think?
DO NOT install a second M.2
Use the external drive
If the internal drive is in there, you could be asked at work to turn it in. It is not a good look to ask to remove an internal drive.
You shouldn’t do this. Why would you do this
IT will ask you the next day what you did to thier computer.
Forget the technical details. I work in a corporate security department and if yours finds out what you’re doing there’s high odds they would absolutely hate it. I mean it likely isn’t an issue for org security (assuming they’re using bitlocker appropriately etc.) But not everyone over security is so rational and there are edge case attacks which may even trouble more sensible individuals. Either get permission, expect to do this in secret, or better yet just don’t.
I mean it likely isn’t an issue for org security (assuming they’re using bitlocker appropriately etc.)
Data loss/leak prevention would vehemently disagree. It’s a potential exfiltration point, especially if the org is blocking USB writes.
Networking might have a thing or two to say about it as well, as it is essentially an untrusted setup on company networks
Not to mention you really can’t hide that other drive from windows, and I’m sure a lot of the security tools would start screaming about new storage added when not expected. Data Loss Prevention is a big deal and random storage showing up doesn’t often mean the user has good things planned.
Exactly. This is a terrible idea. I’m fairly certain that anyone caught doing this would be immediately fired at some companies.
I have a recommendation, buy a personal laptop that isn’t tied to your company.
IDK about other places, but the document we make our users sign make it clear that modifying the internal hardware is a fireable offense.
The laptop isn’t yours, use a personal device for personal stuff, and work device for work only.
The answer here is very simple. Your employer will find out what you’re doing.
So obviously you should be asking them, if anyone. Not us Lemmings.
