Linux

Forget the technical details. I work in a corporate security department and if yours finds out what you're doing there's high odds they would absolutely hate it. I mean it likely isn't an issue for org security (assuming they're using bitlocker appropriately etc.) But not everyone over security is so rational and there are edge case attacks which may even trouble more sensible individuals. Either get permission, expect to do this in secret, or better yet just don't.

Stop using work devices for personal business

Danger Will Robinson! Do NOT fuck with company hardware!

You are going to potentially set off a shit ton of alarm bells, and risk your job, by even attempting this.

First of all, almost all such devices come with a BIOS lock. You'd need to get the password before you could even begin this (again, do not do it!)

Secondly, they'll be able to tell something is up from the foreign UEFI entries.

Thirdly, if that doesn't expose you, Intel IME will. Doesn't matter what operating system you're running.

And you're going to create some royal fucking headaches for a lot of people in your company.

Let's start with security. Remember when I said you'll set off alarm bells? Well, I mean some mother fucking alarm bells. Security will have a god damn aneurysm over this, and they will believe you may be doing this to bypass security, possibly for nefarious reasons. A foreign hard drive with its own OS looks shady as shit.

Then there's the regular tech people. You're going to cause various headaches for them too. Not least because under many service agreements, the company itself may not be authorised to open up the workstations themselves. Many workplaces rent their workstations nowadays, and it is not uncommon to see this language in their SLAs.

Then there's the fact that the OS image on the original drive potentially cannot be trusted any more, so they have to wipe the fucker clean and do a fresh image install.

TL;DR, You are giving your company several solid reasons to fire you for cause by doing this.

You shouldn’t do this. Why would you do this

I have a recommendation, buy a personal laptop that isn’t tied to your company.

IDK about other places, but the document we make our users sign make it clear that modifying the internal hardware is a fireable offense.

The laptop isn’t yours, use a personal device for personal stuff, and work device for work only.

The answer here is very simple. Your employer will find out what you're doing.

So obviously you should be asking them, if anyone. Not us Lemmings.

apparently you are unaware of how much monitoring goes on in corporate IT. you're lucky they haven't already found the mac address yet booted with a different os, or maybe they're already onto you.
I would stop doing what you're doing immediately and hope it's not too late

I had a work laptop and did the "external USB" thing. One day, at work, I'm messing with my Linux on a public wifi, having unplugged from the corporate LAN.

A co-worker walks by, sees the Network cord unplugged, plugs it in. I am oblivious in the washroom.

Corporate security got to my laptop before I did.

I didn't get fired.

I don't work there anymore, though.

The big takeaway is that you do not own this computer. It is not yours, it is being lent to them for a very specific purpose. And what you want to do, hell what you're already doing, is way outside of that purpose.

How would you feel if you lent a friend your conputer to check their email and found out they had bypassed a lot of your security mechanisms (passwords) to set up their own admin account?

What about when you begrudgingly get a MFA app on your personal phone because your employer's too cheap to shell out for a yubikey or hardware token? How would you feel if their app also rooted your phone just for shits and giggles?

What you're proposing is not only dangerous to your career, it's also potentially illegal. And also just downright unethical.

Any thoughts or comments are welcome

If this is a corporate decide your cyber security team have really dropped the ball by enabling you to change the boot order.

DO NOT install a second M.2

Use the external drive

If the internal drive is in there, you could be asked at work to turn it in. It is not a good look to ask to remove an internal drive.

I understand the rationale behind you doing this, I've done it myself.

Your company sends you abroad for a week or two. You want to access your Netflix account but don't want to do it on the company computer. On the other hand you don't want to carry two laptops with you.

As others have said, tampering company hardware can get you in trouble with the IT department, and it's enough to get you fired in some cases.

If you value your job get permission to do it or get yourself a tablet.

If the second internal ssd is there when windows boots, it will leave a trace. IMHO booting off the external drive is the best option if you want it to leave no trace on the windows partitions.

Also, it's possible any booted device will leave a trace in the bios or uefi boot logs, which your corporation may have configured to ship to their audit logs or something similar.

IT will ask you the next day what you did to thier computer.

This is just a bad idea in general.

You can buy a used ThinkPad T480 for like $75 on ebay. A lot cheaper than having to explain your shenanigans to Maude from HR.

I would get a second device

I have to second the get your own laptop.

The company I work for has software that does hardware / software inventory regularly. So additional hardware added can and will show up.

Also, when hired we are told in in uncertain terms that tampering with the laptop can and will be grounds for termination.
Booting off of an external drive is ill advised as many work laptops have restrictions to the USB/thunderbolt ports as well as modifying bios settings.

Lastly, using corporate hardware (be it a cell phone, or a laptop) should never be used for personal use. It's a good way to lose your job. I know more than one person in my career that lost their job either from texts sent from a work cell phone, or using their work computer for personal things. It's just not worth it.

You're better off doing it the current way. Or better still just get one for yourself if you use it that much.

I’ve seen many people fired for doing less on a work laptop. Do not modify the physical machine. I’m surprised they don’t have USB locked off already. I’d get a personal machine.

Looking at the replies I'm happy I line in Germany where none of this is legal without signing a document that explains in detail how exactly you are surveiled.

Damn my laptop has secure boot and extra on top , I believe the usb ports are physically disabled.

I assume everything is watched on what I'm doing. Can't remember the wording but i can't do shit without getting in a heap of trouble.

Browser add-ons are like a 2 week process to get approved

In most cases, work laptops have software(s) installed to automatically keep track of these activities, and flag it to security team of your organization. At that point, it will either lead to a formal warning to you, or termination/forced resignation.

From organization point of view, this is to avoid any accidental (or intentional) leak of confidential data, and/or accidentally (or intentionally) infecting your (work) system with malware/ransomware.

The latter had happened in one of my previous organizations, and the person responsible was terminated from job immediately.

I work in IT and that's what I do lol

As many companies now use Bitlocker encryption, you’ll probably Bitlock your work partition by trying to install the second drive internally. IF YOU MUST boot to another drive, keep it external. And DO NOT unlock or mount your work partition in your personal OS. Really, though, you shouldn’t do this at all.