Getting started with Playbooks policies

Depending on the Absolute product licenses associated with your account, the Playbooks policy may not be available.

The Playbooks policy allows you to remotely recover a Windows device when a fatal system error prevents it from booting into Windows. The Playbooks feature (also known as Absolute Rehydrate) is able to recover the device because its playbooks run at the firmware level, before the operating system loads. This allows you to make changes to the operating system that might otherwise be prevented when the operating system is non-functional. Note that even if a device's operating system is functioning normally, you can run a playbook to repair or recover a device.

To learn more about the benefits, use cases, and capabilities of Playbooks, review the Absolute Rehydrate data sheet.

In the current release, the following playbooks are available:

  • File operations (add or delete)
  • Restore from image
  • Run script
  • Set/remove registry keys

Learn more about each playbook

When you activate the Playbooks policy in a policy group:

The PER component then provisions the device by completing the following actions:

  1. Installs the Absolute Bootloader and its supporting files to the EFI System Partition.
  2. Changes the boot order to ensure that each time the device is restarted, the UEFI firmware runs the Absolute Bootloader first.
  3. Restarts the device.

    If a user is logged in when the restart is triggered, a warning message is displayed. The user is given the option to restart immediately or postpone it for two hours. If they postpone, they can manually restart the device at any time during the two-hour window.

  4. Downloads and applies the Playbooks policy configuration to the Absolute Bootloader.

  5. Restarts the device.

    If a user is logged in when the restart is triggered, a warning message is displayed. The user is given the option to restart immediately or postpone it for two hours. If they postpone, they can manually restart the device at any time during the two-hour window.

    When this step is complete, the device's Playbooks status is updated to Enabled and the device is ready to run system-initiated playbooks.

  6. Creates a recovery partition on the device's hard disk drive (HDD) and installs the Absolute WinPE Windows Preinstallation Environment (WinPE) is a lightweight version of Windows that can be used to recover offline devices. image to the partition.

    This step may take up to 24 hours to complete.

When all steps are complete, the device is ready to run both system- and user-initiated playbooks. You can view the provisioning status of a device on its Device Details page.

Going forward, the PER component ensures that the Absolute Bootloader is always present on the device, untampered, and boots first. It also maintains a secure connection to the Absolute Monitoring Center to receive playbook requests and send status updates.

The Playbooks policy is supported on Windows devices that meet the following requirements:

System component Requirement/Details
Operating system
  • Windows 11 operating system

    Microsoft Surface devices are not supported.
CPU architecture

  • x86_64 (x64)

    ARM based devices are not supported.
Trusted Platform Module (TPM)

  • TPM 2.0 is enabled

    In the current release, Firmware TPM (fTPM) is not supported.
Firmware/BIOS settings
  • In the device's firmware/BIOS settings:

    • To run playbooks, Secure Boot can be enabled or disabled.

      Note that if Secure Boot is enabled, and the Allow Microsoft 3rd Party UEFI CA setting (or an equivalent) is available in Secure Boot settings, the setting must also be enabled.

      On most Windows 11 devices, Secure Boot is enabled by default, because it keeps your system protected from malware and unauthorized software during the boot process. Therefore, it is best practice to enable Secure Boot.

      To check the status of Secure Boot, add the Boot Info > Secure Boot column to a device report.

      For information about checking the status of Secure Boot and enabling it if it's disabled, see the applicable device manufacturer documentation.

    • If the Boot Order Lock setting is available on Lenovo ThinkPad devices, the setting is disabled
Firmware Persistence version The version number of the Absolute Persistence module, which is embedded in the firmware of a Windows device by the device manufacturer. The module is responsible for monitoring the health of the Secure Endpoint Agent and restoring it if it's missing, damaged, or tampered with. Possible versions are 1.0 and 2.x.x.x.
  • 2.x.x.x or higher

    To determine your devices' Firmware Persistence version, go to each device's Device Details page, or add the column to a device report.

    Alternatively, if you have physical access to a device, you can download the Persistence Status Monitor tool to the device, open the tool with elevated administrator privileges, and run the following command:

    AbtPS -version
Secure Endpoint Agent version

  • 10.0.0.3 or higher
Internet connection

  • To run user-initiated playbooks, an internet connection at the firmware level is required. If the device is not using a physical ethernet cable, Wi-Fi is supported.

    Absolute has tested and validated user-initiated playbooks using a WPA- or WPA2-secured Wi-Fi network. Other authentication methods, such as WEP and OPEN may also be compatible.
    To run user-initiated playbooks using a WPA3-secured Wi-Fi network, contact Absolute Technical Support for assistance.

We recommend that you disable the Windows Fast Start-up feature on devices with an enabled Playbooks policy. If this feature is enabled, a device may become stuck in a restart loop if the Absolute Bootloader encounters an error that corrupts a file. The corrupted file would need to be deleted to stop the restart loop.

To disable fast start-up on a device, you can do one of the following:

  • Go to Control Panel > Power Options > System Settings and disable the Turn on fast start-up setting, or

  • Open a Command Prompt window as an administrator and run the following command:

powercfg /h off

For information about other methods for disabling fast start-up, such as in Group Policy, see Windows documentation.

Before activating the Playbooks policy in a policy group, you can check if any devices in the group do not meet the system requirements for Playbooks. You can also review a report showing the specific requirements that are not met for each device.

To check eligibility:

  1. Log in to the Secure Endpoint Console as a user with the Manage permission for Policies.
  2. On the navigation bar, click Policies > Policy Groups.
  3. On the Policy Groups sidebar, click the policy group that you want to check. The policy group opens in the work area.

  4. If a icon shows to the left of the activation slider, some devices in the policy group do not meet the system requirements for Playbooks. A device count shows next to the icon.

    To view the ineligible devices:

    1. Click the icon to open the Devices unable to run Playbooks page. The page is filtered to show Active devices in the policy group that have a Playbook > Status set to Not enabled or Not supported.

    2. Review the information in the Playbook > Status details report column for each device.

      Possible values are:

      • Not provisioned
        • The Playbooks policy is not activated, or
        • The policy is activated in the console, but the device is offline, or
        • The policy is activated, but the device is not yet provisioned to run playbooks. A restart may be required.
      • Persistence 2.0 version not met
      • Agent version update required
      • TPM 2.0 not enabled
      • 3rd-party CA must be active when Secure Boot is enabled
      • Windows 10 and above not met
      • x86_64 CPU architecture not met

    3. [Optional] To troubleshoot ineligible devices, see the next section.

    4. When you're finished reviewing the ineligible devices, click to close the page.

To help you troubleshoot ineligible (unsupported) devices, you can view additional system information about each device by adding the following columns to the Devices unable to run Playbooks page and reviewing the values. These report columns can also be added to any device report.

If the value required for Playbooks eligibility is not shown in the column, tips for resolving the issue are provided, where applicable.

Report column Required value for Playbooks eligibility
Agent version

10.0.0.3 or higher

If a lower version shows, one of the following applies:

  • Automatic agent updates are disabled for your account, and the device's policy group is assigned to a lower agent version.

  • The device has not yet checked in to download the latest agent (the device may be offline)
OS > Name Microsoft Windows 10 or higher
CPU > Architecture

Any variant of an x86_64 CPU architecture

If an ARM-based architecture is reported, the device is not eligible.
Firmware Persistence > Version

2.x.x.x or higher

If version 1.0 shows, Firmware Persistence cannot be upgraded. The device is not eligible.

TPM >

  • Enabled

  • Owned

  • Activated

Yes

If No is reported, see manufacturer documentation for details about enabling the associated TPM settings in the BIOS.
TPM > Spec Version

2.0 or higher

If 1.2 is reported, see manufacturer documentation for details about upgrading TPM to version 2.0.
Boot Info > Boot Order Locked

No, or No data

If Yes is reported, see Lenovo documentation for details about disabling the Boot Order Locked setting in the BIOS.
Boot Info > Microsoft 3rd PartyUEFI CA

Yes or No

The value in this column does not necessarily indicate eligibility. Both Yes (enabled) and No (disabled) are supported. However, if No is reported, and 3rd-party CA must be active when Secure Boot is enabled shows in the Status details column, it indicates that Secure Boot is enabled, but the Allow Microsoft 3rd Party UEFI CA setting (or an equivalent) is disabled. Therefore, the device is not eligible. See the article Manual install of Microsoft 3rd Party UEFI CA in the Knowledge Base for more information about resolving this issue.

To activate the Playbooks policy:

  1. Log in to the Secure Endpoint Console as a user with the Manage permission for Policies.
  2. On the navigation bar, click Policies > Policy Groups.
  3. On the Policy Groups sidebar, click the policy group that you want to update. The policy group opens in the work area.
  4. Next to Playbooks, click the activation slider to set it to On. Note that if the slider is grayed out, an agent upgrade is required before you can activate the policy.

    The policy is activated, and a Playbooks policy activated event is logged to Event History.

On each device's next connection to the Absolute Monitoring Center, the PER component is deployed and activated.

Device provisioning takes up to 24 hours, and two device reboots are required to complete the process.

After a device is fully provisioned, it is ready to run both system- and user-initiated playbooks. Check a device's provisioning status

Deactivating a policy group's Playbooks policy sends deprovisioning instructions to the policy group's devices on their next connection to the Absolute Monitoring Center.

A device reboot is required to complete the deprovisioning process.

The Secure Endpoint Agent deprovisions a device by performing the following actions:

  • Removes the Absolute Bootloader, the WinPE image, and all supporting files that were added during provisioning
  • Restores the default boot order
  • Deletes all files in the recovery partition
  • Removes the PER component

When the Playbooks policy is deactivated, and a Run playbook request is pending , the request fails and a Playbook canceled or Playbook failed event is logged to Event History. If the request is already in progress on the device, the playbook continues to run and a Playbook completed event is logged.

To deactivate the Playbooks policy:

  1. Log in to the Secure Endpoint Console as a user with the Manage permission for Policies.
  2. On the navigation bar, click Policies > Policy Groups.
  3. On the Policy Groups sidebar, click the policy group that you want to update. The policy group opens in the work area.
  4. Next to Playbooks, click the Activation slider to set it to Off.

    The policy is deactivated, and a Playbooks policy deactivated event is logged to Event History.

The device is deprovisioned after its next connection to the Absolute Monitoring Center.