Path to have Absolute enabled but inactive and hardware-backed full disk encryption

Support and Help
,
1

TL;DR:

I’d like to understand if there’s a path to have the Absolute Persistence Module (APM) enabled and use hardware-backed full disk encryption with the latest releases of Ubuntu.
Does anyone know the technical reason for why the APM can’t be enabled and Ubuntu’s “hardware-backed full disk encryption” enabled?

Summary of Models, OS, FDE compatibility and install result

Computer Operating System tpmfde-compat status actual install result
Dell 7440 24.04.3 Live CD advise disable Absolute success
Dell 7440 26.04 Snapshot 3 Live CD advise disable Absolute failed due to Absolute detection
HP EliteBook G1i 14-inch 26.04 Snapshot 3 Live CD advise disable Absolute fail
HP EliteBook G1i 16-inch 26.04 Snapshot 3 Live CD advise disable Absolute fail
HP EliteBook 840 G11 24.04.4 Live CD EV_EFI_BOOT_SERVICES_APPLICATION fail
Lenovo ThinkPad P16S Gen 2 24.04.4 Live CD EV_EFI_BOOT_SERVICES_APPLICATION success
Hp Dragonfly G4 24.04.4 Live CD EV_EFI_BOOT_SERVICES_APPLICATION fail
HP EliteBook 860 G10 24.04.4 Live CD EV_EFI_BOOT_SERVICES_APPLICATION fail
Lenovo X1 G7 24.04.4 Live CD n/a success
Lenovo T14 Gen 6 24.04.4 Live CD n/a success

DETAILS

I am investigating using hardware-backed full disk encryption and have run into a problem where if APM is enabled, some devices can install 24.04.4, but none can install 26.04.
All of these PCs have APM enabled but inactive.
Lenovo and Dell both have an easy way to disable APM in the BIOS.
HP computers on the other hand require running a PowerShell script within Windows to disable APM, and to re-enable it you have to replace the motherboard.
I’ve spent hours hunting for the underlying technical reason, but have only been able to find reports that “it doesn’t work” or “the computer prompts for the recovery key every boot”
AI says something about both Ubuntu and Absolute using PCR 0 and 1, but the citations it gives don’t align.
Does anyone know what needs to be done to allow using hardware-backed full disk encryption while Absolute is enabled?

I’m going to focus on the Dell 7440 and the HP EliteBook G1i 14-inch.

Dell 7440

If I run test-ubuntu-tpmfde-compat in Ubuntu 24.04 LTS live boot CD I get:

This platform may be suitable for FDE if the following problem is fixed:
Absolute was detected to be active and it is advised that this is disabled

However, I’m able to install Ubuntu 24.04.4 LTS with hardware-backed full disk encryption enabled and it works fine. I’ve had no issues for multiple months.

HP EliteBook G1i 14-inch

If I run test-ubuntu-tpmfde-compat in Ubuntu 24.04 LTS live boot CD (or in 26.04 snapshot 3) I get the same result as for the Dell 7440:

This platform may be suitable for FDE if the following problem is fixed:
Absolute was detected to be active and it is advised that this is disabled

When I try to install Ubuntu 24.04.4 LTS with hardware-backed full disk encryption enabled, the installer crashes, and this stacktrace is in the crash report:

2026-02-20 12:30:14,322 ERROR subiquity.server.server:494 top level error
 Traceback (most recent call last):
   File "/snap/ubuntu-desktop-bootstrap/494/bin/subiquity/subiquity/server/controllers/shutdown.py", line 72, in _wait_install
     await self.app.controllers.Install.install_task
   File "/snap/ubuntu-desktop-bootstrap/494/bin/subiquity/subiquitycore/context.py", line 166, in decorated_async
     return await meth(self, **kw)
   File "/snap/ubuntu-desktop-bootstrap/494/bin/subiquity/subiquity/server/controllers/install.py", line 618, in install
     await self.curtin_install(context=context, source=for_install_path)
   File "/snap/ubuntu-desktop-bootstrap/494/bin/subiquity/subiquitycore/context.py", line 166, in decorated_async
     return await meth(self, **kw)
   File "/snap/ubuntu-desktop-bootstrap/494/bin/subiquity/subiquity/server/controllers/install.py", line 393, in curtin_install
     await fs_controller.finish_install(context=context)
   File "/snap/ubuntu-desktop-bootstrap/494/bin/subiquity/subiquitycore/context.py", line 166, in decorated_async
     return await meth(self, **kw)
   File "/snap/ubuntu-desktop-bootstrap/494/bin/subiquity/subiquity/server/controllers/filesystem.py", line 1008, in finish_install
     await snapdapi.post_and_wait(
   File "/snap/ubuntu-desktop-bootstrap/494/bin/subiquity/subiquity/server/snapdapi.py", line 325, in post_and_wait
     raise aiohttp.ClientError(result.err)
 aiohttp.client_exceptions.ClientError: cannot perform the following tasks:
 - Finish setup of run system for "enhanced-secureboot-desktop" (cannot seal the encryption keys: cannot add EFI secure boot and boot manager policy profiles: cannot measure pre-OS: cannot measure boot manager code: unexpected OS-present event type: EV_EFI_ACTION)

If I try to install Ubuntu 25.10 instead, I get “There is no root of trust with the TPM” and that led me to https://bugs.launchpad.net/snapd/+bug/2125409 which calls out that it can work if Absolute is disabled, and eventually I found in the Ubuntu 24.04 release notes the mention of incompatibility.

If I instead try to install Ubuntu 26.04 snapshot 3, I get “not encrypting device storage as checking TPM gave: Absolute was detected to be active and it is advised that this is disabled” on the ‘Encryption and file system’ screen of the installer, and when I actually kickoff the install, it fails with the same error message in the stack trace.

2

Did you see anything in your researches that says that Absolute Persistence Module is proprietary technology? I ask because I found this with a google AI search:

The Absolute Persistence Module is a proprietary security technology developed by Absolute Software (formerly known as Computrace). It is factory-embedded into the firmware (BIOS or UEFI) of over 600 million devices from major manufacturers like Dell, HP, Lenovo, and ASUS.

Not being either a Ubuntu developer or a Canonical software engineer I can only guess that the proprietary nature of this system prevents Canonical from working with it.

Regards

3

Yeah, I’ve spent multiple days investigating and I’m aware that Absolute is proprietary security technology, but I figured that just because it’s proprietary shouldn’t preclude Ubuntu’s hardware-backed full disk encryption from working since Absolute is built-in to most commercial laptops. In my research, including using multiple AI tools, I’ve gleaned that it has something to do with both Ubuntu and Absolute writing to PCR 0, but no bug reports or documentation clearly call that out, the AI replies do call it out, but when they cite sources, those sources don’t align to the statements.

Because I can’t find anything in bug reports, existing documentation, or release notes, I’m hoping Canonical or someone in this community that has investigated this is able to reply with a statement on what makes it incompatible cause I haven’t found anything that calls out the “why?” of the incompatiblity.