Getting started with Playbooks policies
The Playbooks policy allows you to remotely recover a Windows device when a fatal system error prevents it from booting into Windows. The Playbooks feature is able to recover the device because its playbooks run at the firmware level, before the operating system loads. This allows you to make changes to the operating system that might otherwise be prevented when the operating system is non-functional. Note that even if a device's operating system is functioning normally, you can run a playbook to repair or recover a device.
To learn more about the benefits, use cases, and capabilities of Playbooks, review the Absolute Rehydrate data sheet.
In the current release, four playbooks are available:
- File operations (add or delete)
- Restore from image
- Run script
- Set/remove registry keys

The Playbooks policy is supported on Windows devices that meet the following requirements:
- Windows 11 or 10 operating system. Microsoft Surface devices are not supported.
- X86 architecture. ARM-based devices are not supported.
- Firmware Persistence version 2.x.x.x or higher. The Firmware Persistence version is the version number of the Absolute Persistence module, which is embedded in the firmware of a Windows device by the device manufacturer. The module is responsible for monitoring the health of the Secure Endpoint Agent and restoring it if it's missing, damaged, or tampered with. Possible versions are 1.0 and 2.x.x.x.
To determine your devices' Firmware Persistence version, go to each device's Device Details page, or add the column to a device report.
Alternatively, if you have physical access to a device, you can download the Persistence Status Monitor tool to the device, open the tool with elevated administrator privileges, and run the following command:
AbtPS -version
- In the device's firmware/BIOS settings:
  - Trusted Platform Module (TPM) 2.0 is enabled. In the current release, Firmware TPM (fTPM) is not supported.
  - If Secure Boot is enabled, the Allow Microsoft 3rd Party UEFI CA setting (if available) is enabled in Secure Boot settings
  - On Lenovo ThinkPad devices, the Boot Order Lock setting (if available) is disabled
- The device is running Secure Endpoint Agent 9.2.0.3 or higher
A physical Ethernet network connection is required to run some playbooks.
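
Several of the requirements above can be spot-checked on the device itself before the policy is activated. The following PowerShell function is an added example, not part of Absolute's tooling: the name Test-PlaybooksPrereq is hypothetical, AMD64 is assumed to count as X86 architecture, and only values that Windows itself exposes are evaluated. The fTPM, Secure Boot CA, Boot Order Lock, Firmware Persistence version and agent version checks remain manual.

```powershell
# Added example. Run in an elevated PowerShell session on the device.
function Test-PlaybooksPrereq {   # hypothetical name, not an Absolute cmdlet
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
               -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
    $tpmFamily = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'no TPM found' }
    $tpmOk     = [bool]($tpm -and $tpmFamily -eq '2.0' -and $tpm.IsEnabled_InitialValue)

    # Confirm-SecureBootUEFI returns True/False on UEFI systems and throws
    # PlatformNotSupportedException when the device booted in legacy BIOS mode.
    try   { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch [System.PlatformNotSupportedException] { $secureBoot = 'not UEFI' }

    $arch = $env:PROCESSOR_ARCHITECTURE      # AMD64, x86 or ARM64

    function Row($name, $status, $observed) {
        [pscustomobject]@{ Requirement = $name; Status = $status; Observed = $observed }
    }
    function PassFail([bool]$ok) { if ($ok) { 'Pass' } else { 'Fail' } }

    Row 'Windows 11 or 10' (PassFail ($os.Caption -match 'Windows 1[01]')) $os.Caption
    Row 'Not a Microsoft Surface device' (PassFail ($cs.Model -notmatch 'Surface')) $cs.Model
    # Assumption: AMD64 (64-bit x86) satisfies the page's "X86 architecture" item.
    Row 'X86 architecture (not ARM)' (PassFail ($arch -in 'AMD64', 'x86')) $arch
    Row 'TPM 2.0 is enabled' (PassFail $tpmOk) $tpmFamily

    # Windows does not state whether the TPM is discrete or firmware-based,
    # so the vendor ID is only surfaced for a manual decision.
    Row 'TPM is not a firmware TPM (fTPM)' 'Review' $tpm.ManufacturerIdTxt

    # The page only requires the 3rd Party UEFI CA setting when Secure Boot is on.
    Row 'Secure Boot on? Then verify Allow Microsoft 3rd Party UEFI CA' 'Review' $secureBoot

    # Not readable from Windows with the information on this page.
    Row 'Firmware Persistence 2.x.x.x or higher' 'Review' 'run: AbtPS -version'
    Row 'Secure Endpoint Agent 9.2.0.3 or higher' 'Review' 'see Device Details'
    Row 'Lenovo Boot Order Lock disabled' 'Review' $cs.Manufacturer
}

Test-PlaybooksPrereq | Format-Table -AutoSize -Wrap
```

Rows marked Review need a look at the firmware setup screen or the Secure Endpoint Console; a Fail row means the device does not meet a requirement listed above.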

When you activate the Playbooks policy in a policy group:
- A unique passcode is generated and added to the device's Summary page in Device Details.
- The PER component of the Secure Endpoint Agent is downloaded and activated on each device after the device's next successful connection to the Absolute Monitoring Center. (The PER component is a lightweight software component of the Secure Endpoint Agent that is responsible for managing the supervisor password on a device when a Manage supervisor password request is processed.)
Additional files are also downloaded, including:
- Absolute Bootloader
- Absolute WinPE image. Windows Preinstallation Environment (WinPE) is a lightweight version of Windows that can be used to recover offline devices.
These files are required to run playbooks at the firmware level. After each device reboot, the Bootloader checks for a new playbook request. If one exists, it passes the playbook instructions to the WinPE image, which runs the playbook.
When activating the policy in a policy group that contains many Windows devices, downloads are staggered to prevent network congestion.
The PER component then provisions the device by completing the following actions:
- Installs the Absolute Bootloader and its supporting files to the EFI System Partition.
- Changes the boot order to ensure that each time the device is restarted, the UEFI firmware runs the Absolute Bootloader first.
- Restarts the device. If a user is logged in when the restart is triggered, a warning message is displayed. The user is given the option to restart immediately or postpone it for two hours. If they postpone, they can manually restart the device at any time during the two-hour window.
- Downloads and applies the Playbooks policy configuration to the Absolute Bootloader.
- Restarts the device.
- Creates a recovery partition on the device's hard disk drive (HDD) and installs the Absolute WinPE image to the partition.
These steps may take up to 24 hours to complete.
When these steps are complete, the device is ready to run playbooks. You can view the provisioning status of a device on its Device Details page.
Going forward, the PER component ensures that the Absolute Bootloader is always present on the device, untampered, and boots first. It also maintains a secure connection to the Absolute Monitoring Center to receive playbook requests and send status updates.

To activate the Playbooks policy:
- Log in to the Secure Endpoint Console as a user with the Manage permission for Policies.
- On the navigation bar, click Policies > Policy Groups.
- On the Policy Groups sidebar, click the policy group that you want to update. The policy group opens in the work area.
- Next to Playbooks, click the Activation slider to set it to On.
The policy is activated, and a Playbooks policy activated event is logged to Event History.
On each device's next connection to the Absolute Monitoring Center, the PER component is deployed and activated, and the device is provisioned.
Device provisioning takes up to 24 hours, and two device reboots are required to complete the process. Playbooks can't be submitted on a device until it is fully provisioned.

Deactivating a policy group's Playbooks policy sends deprovisioning instructions to the policy group's devices on their next connection to the Absolute Monitoring Center.
A device restart is required to complete the deprovisioning process.
The Secure Endpoint Agent deprovisions a device by performing the following actions:
- Removes the Absolute Bootloader, the WinPE image, and all supporting files that were added during provisioning
- Restores the default boot order
- Deletes all files in the recovery partition
- Removes the PER component
To deactivate the Playbooks policy:
- Log in to the Secure Endpoint Console as a user with the Manage permission for Policies.
- On the navigation bar, click Policies > Policy Groups.
- On the Policy Groups sidebar, click the policy group that you want to update. The policy group opens in the work area.
- Next to Playbooks, click the Activation slider to set it to Off.
The policy is deactivated, and a Playbooks policy deactivated event is logged to Event History.
The device is deprovisioned after its next connection to the Absolute Monitoring Center.