Getting started with Playbooks policies
Depending on the Absolute product licenses associated with your account, the Playbooks policy may not be available.
The Playbooks policy allows you to remotely recover a Windows device when a fatal system error prevents it from booting into Windows. The Playbooks feature is able to recover the device because its playbooks run at the firmware level, before the operating system loads. This allows you to make changes to the operating system that might otherwise be prevented when the operating system is non-functional. Note that even if a device's operating system is functioning normally, you can run a playbook to repair or recover a device.
To learn more about the benefits, use cases, and capabilities of Playbooks, review the Absolute Rehydrate data sheet.
In the current release, four playbooks are available:
- File operations (add or delete)
- Restore from image
- Run script
- Set/remove registry keys
Learn more about each playbook

The Playbooks policy is supported on Windows devices that meet the following requirements:
- Windows 11 or 10 operating system
Microsoft Surface devices are not supported.
- X86 architecture
ARM-based devices are not supported.
- Firmware Persistence version 2.x.x.x or higher
The Firmware Persistence version is the version number of the Absolute Persistence module, which is embedded in the firmware of a Windows device by the device manufacturer. The module is responsible for monitoring the health of the Secure Endpoint Agent and restoring it if it's missing, damaged, or tampered with. Possible versions are 1.0 and 2.x.x.x.
To determine your devices' Firmware Persistence version, go to each device's Device Details page, or add the column to a device report.
Alternatively, if you have physical access to a device, you can download the Persistence Status Monitor tool to the device, open the tool with elevated administrator privileges, and run the following command:
AbtPS -version
- In the device's firmware/BIOS settings:
Trusted Platform Module (TPM) 2.0 is enabled
In the current release, Firmware TPM (fTPM) is not supported.
To run playbooks, Secure Boot can be enabled or disabled.
Note that if Secure Boot is enabled, and the Allow Microsoft 3rd Party UEFI CA setting (or an equivalent) is available in Secure Boot settings, the setting must also be enabled.
On most Windows 11 devices, Secure Boot is enabled by default, because it keeps your system protected from malware and unauthorized software during the boot process. Therefore, it is best practice to enable Secure Boot.
For information about checking the status of Secure Boot and enabling it if it's disabled, see the applicable device manufacturer documentation.
- If the Boot Order Lock setting is available on Lenovo ThinkPad devices, the setting is disabled
- The device is running Secure Endpoint Agent 10.0.0.3 or higher
- To run user-initiated playbooks, an internet connection at the firmware level is required. If the device is not using a physical ethernet cable, Wi-Fi is supported.
Absolute has tested and validated user-initiated playbooks using a WPA- or WPA2-secured Wi-Fi network. Other authentication methods, such as WEP and OPEN, may also be compatible.
To run user-initiated playbooks using a WPA3-secured Wi-Fi network, contact Absolute Technical Support for assistance.
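The requirements above that can be read from the running operating system can be checked with a short script. This is an added example, not an Absolute tool; the function name `Get-PlaybooksReadiness` and its output fields are hypothetical. It does not check the Firmware Persistence version, the Secure Endpoint Agent version, the Boot Order Lock setting, or whether the TPM is a firmware TPM (fTPM); confirm those in the console or the device's firmware settings.

```powershell
# Added example: readiness check for the locally verifiable requirements above.
# Run from an elevated PowerShell session on the Windows device.
function Get-PlaybooksReadiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Win32_Processor.Architecture: 0 = x86, 9 = x64, 5 = ARM, 12 = ARM64.
    # This reflects the hardware, so x64 emulation on ARM does not mask it.
    $isX86 = $cpu.Architecture -in 0, 9

    # SpecVersion reads like "2.0, 0, 1.59"; the first field is the TPM family.
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Confirm-SecureBootUEFI returns True/False on UEFI systems and throws on
    # legacy BIOS or when not elevated; record that case as 'Unknown'.
    $secureBoot = try { [string](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { 'Unknown' }

    $isWin10Or11 = $os.Caption -match 'Windows 1[01]'
    $isSurface   = $cs.Model -match 'Surface'      # heuristic: model name only
    $tpmIs20     = $tpmSpec -eq '2.0'
    $tpmEnabled  = [bool]($tpm -and $tpm.IsEnabled_InitialValue)

    [pscustomobject]@{
        OperatingSystem  = $os.Caption
        IsWindows10Or11  = $isWin10Or11
        Model            = $cs.Model
        IsSurface        = $isSurface
        IsX86Hardware    = $isX86
        TpmSpecVersion   = $tpmSpec
        TpmEnabled       = $tpmEnabled
        # Shown for manual review only; the script does not classify fTPM.
        TpmManufacturer  = if ($tpm) { $tpm.ManufacturerIdTxt } else { $null }
        # Informational: playbooks run with Secure Boot enabled or disabled.
        SecureBoot       = $secureBoot
        LocalChecksPass  = $isWin10Or11 -and -not $isSurface -and $isX86 -and
                           $tpmIs20 -and $tpmEnabled
    }
}

Get-PlaybooksReadiness | Format-List
```

A `LocalChecksPass` value of `True` means only that the operating system, architecture and TPM requirements are met; the remaining requirements still need to be confirmed separately.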

When you activate the Playbooks policy in a policy group:
- A unique passcode is generated and added to the device's Summary page in Device Details.
- The PER component of the Secure Endpoint Agent is downloaded and activated on each device after the device's next successful connection to the Absolute Monitoring Center. The PER component is a lightweight software component of the Secure Endpoint Agent that is responsible for managing the supervisor password on a device when a Manage supervisor password request is processed.
Additional files are also downloaded, including:
- Absolute Bootloader
- Absolute WinPE image. Windows Preinstallation Environment (WinPE) is a lightweight version of Windows that can be used to recover offline devices.
These files are required to run playbooks at the firmware level. After each device reboot, the Bootloader checks for a new playbook request. If one exists, it passes the playbook instructions to the WinPE image, which runs the playbook.
When activating the policy in a policy group that contains many Windows devices, downloads are staggered to prevent network congestion.
The PER component then provisions the device by completing the following actions:
- Installs the Absolute Bootloader and its supporting files to the EFI System Partition.
- Changes the boot order to ensure that each time the device is restarted, the UEFI firmware runs the Absolute Bootloader first.
- Restarts the device.
If a user is logged in when the restart is triggered, a warning message is displayed. The user is given the option to restart immediately or postpone it for two hours. If they postpone, they can manually restart the device at any time during the two-hour window.
- Downloads and applies the Playbooks policy configuration to the Absolute Bootloader.
- Restarts the device.
If a user is logged in when the restart is triggered, a warning message is displayed. The user is given the option to restart immediately or postpone it for two hours. If they postpone, they can manually restart the device at any time during the two-hour window.
When this step is complete, the device's Playbooks status is updated to Enabled and the device is ready to run system-initiated playbooks.
- Creates a recovery partition on the device's hard disk drive (HDD) and installs the Absolute WinPE image to the partition.
This step may take up to 24 hours to complete.
When all steps are complete, the device is ready to run both system- and user-initiated playbooks. You can view the provisioning status of a device on its Device Details page.
Going forward, the PER component ensures that the Absolute Bootloader is always present on the device, untampered, and boots first. It also maintains a secure connection to the Absolute Monitoring Center to receive playbook requests and send status updates.

To activate the Playbooks policy:
- Log in to the Secure Endpoint Console as a user with the Manage permission for Policies.
- On the navigation bar, click Policies > Policy Groups.
- On the Policy Groups sidebar, click the policy group that you want to update. The policy group opens in the work area.
- Next to Playbooks, click the activation slider to set it to On.
The policy is activated, and a Playbooks policy activated event is logged to Event History.
On each device's next connection to the Absolute Monitoring Center, the PER component is deployed and activated.
Device provisioning takes up to 24 hours, and two device reboots are required to complete the process. Note that if a device user has set a PIN on their device, they may need to set it up again after the second reboot.
After a device is fully provisioned, it is ready to run both system- and user-initiated playbooks.

Deactivating a policy group's Playbooks policy sends deprovisioning instructions to the policy group's devices on their next connection to the Absolute Monitoring Center.
A device reboot is required to complete the deprovisioning process. Note that if a device user has set a PIN on their device, they will need to set it up again after the reboot.
The Secure Endpoint Agent deprovisions a device by performing the following actions:
- Removes the Absolute Bootloader, the WinPE image, and all supporting files that were added during provisioning
- Restores the default boot order
- Deletes all files in the recovery partition
- Removes the PER component
Note that if a device user has set a PIN on their device, they may need to set it up again after the device is deprovisioned.
To deactivate the Playbooks policy:
- Log in to the Secure Endpoint Console as a user with the Manage permission for Policies.
- On the navigation bar, click Policies > Policy Groups.
- On the Policy Groups sidebar, click the policy group that you want to update. The policy group opens in the work area.
- Next to Playbooks, click the Activation slider to set it to Off.
The policy is deactivated, and a Playbooks policy deactivated event is logged to Event History.
The device is deprovisioned after its next connection to the Absolute Monitoring Center.