Managing supervisor passwords

Requests to manage the supervisor password are only supported on Lenovo ThinkPad, ThinkCentre, and ThinkStation devices manufactured in 2020 or later.

The following prerequisites must also be met:

• Absolute Persistence is activated on each device

  After the Secure Endpoint Agent is installed on a device, it may take up to two reboots, and an agent call, for the device's Firmware Persistence status The status of the Absolute Persistence module, which is embedded in the firmware of a Windows device by the device manufacturer. The module is responsible for monitoring the health of the Secure Endpoint Agent and restoring it if it's missing, damaged, or tampered with. Possible statuses are: Active, Deactivated, Not Supported, Pending, Pending Removal, and Unknown. field to be updated to Active.

• The devices' Secure Endpoint Agent is regularly connecting to the Absolute Monitoring Center.
• Devices have no other pending Absolute requests.
• Devices do not have an open theft report.

To submit a Manage Supervisor Password request, your user role needs to be granted Perform permissions for Manage Supervisor Password. The default System Administrator role is granted this permission.

To submit a request to create a supervisor password:

1. Log in to the Secure Endpoint Console as a user with Perform permissions for Manage Supervisor Password.

2. Do one of the following:

   To create a supervisor password for a single device

   On the device's Device Details page, click > Manage supervisor password.

   To create a supervisor password for multiple devices

   1. From the navigation bar, open a page or device report that supports the Manage Supervisor Password option. For example, click to open the Devices page.

   2. Click > Edit Columns and add the following columns to the report or page:

      • Supervisor Password > Status
      • Supervisor Password > Version
   3. In the work area, use the search field or filters to find the applicable devices.
   4. In the results grid, select each device you want to include in the request. To select all devices, select the Select All checkbox in the result grid header. To select consecutive devices, select the first device and then hold down the Shift key and select the last device. You can select up to 10,000 devices. To remove all selections, click Clear all.

   5. Use the columns you added in step b to verify that the selected devices show the same Status and Version.

      All devices included in a Manage Supervisor Password request must be in the same state. Note that all 2.x versions are considered the same version. If this requirement is not met, you'll receive the following error message in the next step:
      Bulk selection for this device action requires selected devices to be of the same status and version.
      

   6. Click > Manage supervisor password.

   Alternatively, you can upload a file of device identifiers and submit a request.

3. If the Device Eligibility for Manage Supervisor Password dialog box shows, and at least one device is eligible, click Proceed with Eligible Devices. Devices are ineligible for this action if they don't meet the system requirements and prerequisites.

4. In the Password and Confirm Password fields, enter the supervisor password.

   For devices using version The version number of the firmware's supervisor password software. This field applies to select Windows devices only. 1.0, only lowercase alphanumeric characters and spaces are allowed. For devices using version 2.x, uppercase and special characters (ASCII only) are also allowed. If a strong password is required, click the icon to see the password requirements.

5. If you want to avoid re-entering this supervisor password when you submit a new request to remove or change it, select the Allow to reset without current password checkbox.

   This setting cannot be changed after you create the supervisor password. If you want to change this setting, remove the password and create the password again.

6. Click Create for x devices.

The request is submitted, its status is set to Create Supervisor Password Requested, and a Supervisor password creation requested event is logged to Event History. The request is deployed to each device on its next successful connection to the Absolute Monitoring Center, which is typically within a few minutes for Absolute Resilience accounts, or within 15 minutes for Absolute Control accounts, assuming the devices are online.

The password is not set until the device user restarts the device. At that time, the device's Supervisor Password Status Indicates whether the firmware's supervisor password on a device has been set remotely in the Secure Endpoint Console. Possible values are: Not Set, Set Locally (changes require current password), Set Remotely, and Set Remotely (changes require current password). The field applies to select Windows devices only. is updated to Set Remotely or Set Remotely (changes require current password), depending on whether you selected the checkbox in step 4.

To track the progress of your request, see Event History.

To submit a request to change a supervisor password:

1. Log in to the Secure Endpoint Console as a user with Perform permissions for Manage Supervisor Password.

2. Do one of the following:

   To update the supervisor password for a single device

   1. Navigate to a page that shows linked Identifiers in the results grid, such as a report, device group, or folder.
   2. In the results grid, click the linked Device Name or Identifier of the device. The Device Details page opens.
   3. Click > Manage supervisor password.
   To update the supervisor password for multiple devices

   1. From the navigation bar, open a page or device report that supports the Manage Supervisor Password option. For example, click to open the Devices page.

   2. Click > Edit columns and add the following columns to the report or page:

      • Supervisor Password > Status
      • Supervisor Password > Version
   3. In the work area, use the search field or filters to find the applicable devices.
   4. In the results grid, select the checkbox next to each device. To select all devices, select the Select All checkbox in the result grid's header. You can select up to 2000 devices.

   5. Use the columns you added in step b to verify that the selected devices show the same Status and Version.

      All devices included in a Manage Supervisor Password request must be in the same state. Note that all 2.x versions are considered the same version. If this requirement is not met, you'll receive the following error message in the next step:
      Bulk selection for this device action requires selected devices to be of the same status and version.
      

   6. Depending on the page you're on, click either > Manage supervisor password or Device Actions > Manage Supervisor Password.

   Alternatively, you can upload a file of device identifiers and submit a request.

3. If the Device Eligibility for Manage Supervisor Password dialog box shows and at least one device is eligible, click Proceed with Eligible Devices. Devices are ineligible for this action if they don't meet the system requirements and prerequisites.
4. In the Current Supervisor Password field, enter the current supervisor password, if required. The current password is required if the device's Supervisor Password Status Indicates whether the firmware's supervisor password on a device has been set remotely in the Secure Endpoint Console. Possible values are: Not Set, Set Locally (changes require current password), Set Remotely, and Set Remotely (changes require current password). The field applies to select Windows devices only. is set to Set Locally (changes require current password) or Set Remotely (changes require current password).
5. In the New Password field, enter the new supervisor password. Only lower-case alphanumeric characters and spaces are permitted.
6. In the Confirm New Password field, re-enter the supervisor password.
7. Click Update on x devices.

The request is submitted, its status is set to Update Supervisor Password Requested, and a Supervisor password update requested event is logged to Event History. The request is deployed to each device on its next successful connection to the Absolute Monitoring Center, which is typically within a few minutes for Absolute Resilience accounts, or within 15 minutes for Absolute Control accounts, assuming the devices are online.

The new password is not set until the device user restarts the device.

To track the progress of your request, see Event History.

To submit a request to remove a supervisor password:

1. Log in to the Secure Endpoint Console as a user with Perform permissions for Manage Supervisor Password.

2. Do one of the following:

   To remove the supervisor password from a device

   1. Navigate to a page that shows linked Identifiers in the results grid, such as a report, device group, or folder.
   2. In the results grid, click the Identifier of the applicable device. The Device Details page opens.
   3. Click > Manage supervisor password.
   To remove the supervisor password from multiple devices

   1. From the navigation bar, open a device group or folder, or open a device report that supports the Manage Supervisor Password option. For example, click to open the Devices page.

   2. Click > Edit Columns and add the following columns to the report or page:

      • Supervisor Password > Status
      • Supervisor Password > Version
   3. In the work area, use the search field or filters to find the applicable devices.
   4. In the results grid, select the checkbox next to each device. To select all devices, select the Select All checkbox in the result grid's header. You can select up to 2000 devices.

   5. Use the columns you added in step b to verify that the selected devices show the same Status and Version.

      All devices included in a Manage Supervisor Password request must be in the same state. Note that all 2.x versions are considered the same version. If this requirement is not met, you'll receive the following error message in the next step:
      Bulk selection for this device action requires selected devices to be of the same status and version.
      

   6. Depending on the page you're on, click either > Manage supervisor password or Device Actions > Manage Supervisor Password.

   Alternatively, you can upload a file of device identifiers and submit a request.

3. If the Device Eligibility for Manage Supervisor Password dialog box shows, click Proceed with Eligible Devices. Devices are ineligible for this action if they don't meet the system requirements and prerequisites.
4. In the Current Supervisor Password field, enter the current supervisor password, if required. The current password is required if the device's Supervisor Password Status Indicates whether the firmware's supervisor password on a device has been set remotely in the Secure Endpoint Console. Possible values are: Not Set, Set Locally (changes require current password), Set Remotely, and Set Remotely (changes require current password). The field applies to select Windows devices only. is set to Set Locally (changes require current password) or Set Remotely (changes require current password).
5. Select the Remove password checkbox.
6. Click Remove from x devices.

The request is submitted, its status is set to Remove Supervisor Password Requested, and a Supervisor password remove requested event is logged to Event History. The request is deployed to each device on its next successful connection to the Absolute Monitoring Center, which is typically within a few minutes for Absolute Resilience accounts, or within 15 minutes for Absolute Control accounts, assuming the devices are online.

The password is not removed until the device user restarts the device.

To track the progress of your request, see Event History.