TPM-backed FDE: Take 2 minutes to help widen Ubuntu compatibility with your TPM configuration!

Guys, on all my test device models (corporate HP and Dell), Ubuntu 26.04 Snapshot 3 has been successfully installed in TPM FDE mode.

  1. You need to disable Absolute:
    On Dell, it is easy: just navigate to the firmware's security settings and set Absolute to Disable. Don't select Permanently Disable, or to enable it back you will need to visit the service center :smiley:.
    On HP, it is harder: you need to install Windows or get WinPE, since the PowerShell commands are based on WMIC.
    There is no single solution; you must read the available firmware parameters and call the best one. On some models you can use Disable Absolute; on others, only Permanently Disable is available.
  2. Don't forget to initiate a TPM cleanup on the next boot, or the Ubuntu installer will suggest initiating the same option; otherwise it will not be able to enable TPM FDE.
    That's all, good luck!

Ubuntu 26.04 Snapshot 3 has been successfully installed in TPM FDE mode on VirtualBox 7.2.6.


Dear @didrocks, Absolute starts initial Linux support in early 2026; is there a chance that Ubuntu will participate?

It will be enough to bypass the need to disable Absolute in firmware for TPM FDE.

Absolute Secure Endpoint Product Update - October 2025 https://community.absolute.com/s/article/Absolute-Secure-Endpoint-Product-Update-October-2025

Why isn't it enough to just have the Absolute module in the "Inactive" state? In this state it shouldn't do anything, right? TPM FDE on Ubuntu worked like this before, so why not now?

I also wouldn’t want to permanently lose the ability to use it at some point in the future.

Because if you try to install Ubuntu in TPM FDE mode, it will warn that you must disable Absolute, even if it is in the Inactive state. If you ignore the warning and finish the installation successfully, after reboot you will get the TPM lock: even in the Inactive state, Absolute tries to inject its rootkit into the OS bootloader, Secure Boot reports that something changed in PCR7, and you get a lockout. This is how Absolute works; the Inactive state means that it is working but not configured.

Please distinguish: Absolute has two states, Disabled, which means you can enable it back, and Permanently Disabled, which means only a service center expert can enable it back.

Active and Inactive is about subscription and configuration.

Experimental TPM-backed FDE already worked in 24.04.3 LTS, and the Absolute module in the "Inactive" state did not interfere with it. After reboot, the disk automatically unlocked normally and the laptop booted without any problems. Therefore, I would expect that an inactive Absolute module (even if enabled) has no reason to try to inject something somewhere. But I don't see deeper into this topic; I just tried what I could.

Please try Ubuntu 26.04 Snapshot 3; there are a lot of fixes for TPM.

@didrocks, owner of https://www.acer.com/ua-uk/support/product-support/AN17-41/NH.QL1EU.003/ here; I did the things to add my two answers to the form.
I was monkey-testing the Raccoon daily 2026-03-12 ISO to get the TPM FDE variant, and got stuck with
PCR_UNUSABLE
error with secure boot policy (PCR7) measurements: generating secure boot profiles for systems with timestamp revocation (dbt) support is currently not supported
Is there anything I could do to help with this config?
I also showed up here: WithSecureBootPolicyProfile should accommodate systems that support timestamp revocation · Issue #306 · canonical/secboot · GitHub

What solved the issue for me (autoinstall, non interactive installation process):

  1. First I got the problem "Subiquity/apply_autoinstall_config: hybrid layout (with encryption) is not available: tpm-hierarchies-owned". Solved by clearing the TPM in the BIOS.
  2. Then I got the issue "Error: shim protocols not found" after the installation went through. Solved by disabling fast boot.
  3. After that the computer boots up completely fine, with full disk encryption working perfectly.

The only issue I am having now is how to somehow save the recovery key for the encryption, so that I can send it to AD through LDAP.

Since snapd --show-key is no longer supported on Ubuntu 25.10+, I can't pull the recovery key that way. Manually retrieving it through Security Center is not an option for large-scale deployments.

I’m currently exploring whether it’s possible to generate a new recovery key and extract it through the snapd REST API instead.

No success grabbing the recovery key through CLI so far.

Thanks a lot for everyone’s participation!

With the latest beta image for Resolute being out, with some manual updates, you are able to test the latest state of our TPM/FDE detection. We would be really interested to get your feedback and the remaining configurations where some adjustments are needed.

All the instructions are available in this new poll. Thanks a lot in advance for your participation!


TPM FDE works perfectly on corporate HP and Dell laptops, except in two cases:

  1. In the case of any HP EliteBook, ProBook and ZBook (all models are Ubuntu certified), the Absolute software was in the Inactive state and it crashes the installation; to disable it we need to use WMI-based commands in PowerShell. But the painful point is that in the last two generations the "disable" option is gone; we can use only the "permanently disable" option.
  2. Because of the snap kernel (I tested the beta image with the Linux 7 kernel), I faced a "dummy output" for audio devices on the latest two generations of laptops; older ones aren't affected.
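Both the first post in this thread (read the available HP firmware parameters, disable Absolute, then request a TPM clear) and the last one (on recent HP generations only "permanently disable" is offered) describe the same HP preparation procedure. The script below is an added example written for this page; it is not code from either poster, from HP or from Canonical. It uses HP's documented WMI BIOS interface (namespace root\HP\InstrumentedBIOS, classes HP_BIOSEnumeration and HP_BIOSSettingInterface) and the Windows Clear-Tpm cmdlet. Assumptions, labelled in the comments: the relevant setting's name contains "Absolute", its possible values contain "Disable" and/or "Permanently Disable" (the exact strings differ per model, which is why the script enumerates rather than hard-codes them), and $BiosPassword is the BIOS setup password, empty if none is set. Run it from an elevated Windows PowerShell 5.1 session on Windows or WinPE.

```powershell
<#
  Added example (not from the original thread, HP or Canonical).
  Prepares an HP laptop for Ubuntu TPM-backed FDE:
    1. enumerate the Absolute-related firmware parameters via HP's WMI BIOS interface,
    2. apply the least destructive "disable" value the firmware offers,
    3. request a TPM clear, completed by the firmware on the next boot.
  Assumptions: setting name contains "Absolute"; possible values contain
  "Disable" and/or "Permanently Disable"; $BiosPassword is the setup password.
#>
param(
    [string]$BiosPassword = '',
    # Opt in explicitly: Permanently Disable cannot be undone without the HP service center.
    [switch]$AllowPermanentDisable
)

$ns = 'root\HP\InstrumentedBIOS'

# Step 1: read every enumerated firmware parameter whose name mentions Absolute
# (assumed naming; the script prints what it finds so you can verify on your model).
$absSettings = Get-WmiObject -Namespace $ns -Class HP_BIOSEnumeration |
    Where-Object { $_.Name -like '*Absolute*' }

if (-not $absSettings) {
    throw 'No Absolute-related BIOS setting is exposed through WMI on this model.'
}

foreach ($s in $absSettings) {
    Write-Host ("{0}: current='{1}' possible=[{2}]" -f $s.Name, $s.CurrentValue, ($s.PossibleValues -join ', '))
}

# Step 2: choose the value. Prefer a reversible 'Disable'; use 'Permanently Disable'
# only when the caller opted in, because on some generations it is the only option.
$setting    = $absSettings | Select-Object -First 1
$reversible = $setting.PossibleValues |
    Where-Object { $_ -like '*Disable*' -and $_ -notlike '*Perman*' } | Select-Object -First 1
$permanent  = $setting.PossibleValues |
    Where-Object { $_ -like '*Perman*' } | Select-Object -First 1

$target = $null
if ($reversible) { $target = $reversible }
elseif ($permanent -and $AllowPermanentDisable) { $target = $permanent }

if (-not $target) {
    throw "Only '$permanent' is offered by this firmware; rerun with -AllowPermanentDisable if you accept that it cannot be undone without HP service."
}

if ($setting.CurrentValue -eq $target) {
    Write-Host "$($setting.Name) is already '$target'."
}
else {
    $iface = Get-WmiObject -Namespace $ns -Class HP_BIOSSettingInterface
    # HP's interface expects the setup password prefixed with an encoding tag; empty string if none.
    $pw = if ($BiosPassword) { "<utf-16/>$BiosPassword" } else { '' }
    $r = $iface.SetBIOSSetting($setting.Name, $target, $pw)
    if ($r.Return -ne 0) {
        throw "SetBIOSSetting('$($setting.Name)', '$target') failed with HP return code $($r.Return)."
    }
    Write-Host "Set $($setting.Name) to '$target' (takes effect after reboot)."
}

# Step 3: request a TPM clear. Clear-Tpm clears the TPM directly when owner
# authorisation is available; otherwise it leaves a clear request that the
# firmware completes, after physical-presence confirmation, on the next boot.
# Either way the TPM is unowned when the Ubuntu installer runs, which is the
# state it needs before it can enable TPM FDE.
Clear-Tpm | Out-Null
Write-Host 'TPM clear requested. Reboot, confirm the clear in firmware if prompted, then boot the Ubuntu installer.'
```

The script refuses to pick Permanently Disable unless you pass -AllowPermanentDisable, so on models that offer both values you always get the reversible one; on the newer generations described in the last post, the thrown message tells you exactly which irreversible value the firmware offers before you commit to it. Verify the printed setting name and values against your own model before trusting the wildcard matches.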