Is the Absolute Persistence module in BIOS a privacy threat

Questions
1

I recently bought a new Lenovo Thinkpad with nopre-installed OS, to install Silverblue /Secureblue

After installation I reviewed the BIOS settings and found a module called Absolute Persistence

Obviously I wanted to know what this was and what to do about it . So I checked out their website.

At this point I had visions of ‘remote activation’ and themes similar to the whole Intel IME debate that has been had on this forum ..

My understanding is that this is put in business grade laptops to allow ‘persistent traceability’ of the businesses assets …

I was lucky in that I had ordered a laptop that had no OS installed and therefore the Absolute Persistence module in the BIOS was not ( and never had been ) activated ( but was enabled by default ) . I was able to initially disable it and then permanently disable it using the provided toggle - however reboot led to the PC reacting/’suffering like one of those ‘good’ rogue agents in the movies who have to cut out their body installed tracker devices without anaesthetic and just a blunt spoon …. it did however reboot finally and the Absolute Persistent module had disappeared from the menu.

My reason for posting is to make others aware of this issue , especially as my understanding is that if the module has been activated previously it cannot be de-activated.

So my questions for those with way more knowledge than me

1/ Is the Absolute Persistence module in BIOS a privacy threat for the average PG reader ( using it outside the business/work environments ) - or more colourfully and light-heartedly,are we all likely to wake up some day with our home PCs overtaken by some evil AI via this module as per I, Robot and NS5s

2/ If it is a real world privacy threat , how can those who have this module activated , minimise any privacy risks

3/ Is this a ( further ) reason to consider always trying to buy new laptops without any OS installed

I had not even heard about this until it appeared on my BIOS so hopefully further discussion will help others make informed choices to fit with their threat model- this is apparently installed in 700 million PCs already ..

Have a good day everybody

2

If activated, probably. Sounds very similar to AMT from Intel ME.

By asking the business to deactivate it from their console. Or Absolute themselves, according to this StackExchange reply. Otherwise, don’t steal business laptops.

Sort of… If you buy in person, you can just check to make sure it isn’t on. For online buys, you can attempt contacting the seller and/or returning the device.

3

Thanks for finding the time to reply

I think I was also wondering how much of a problem this would be for PG readers ie how many it might affect …

1/ If the module is only activated by ‘businesses’ who are signed up to Absolute for use in the corporate setting , then it should only affect those who buy ‘ex-business’ PCs - that number may be small

2/ If the module is activated on all Windows installed PCs ( that is , PCs that leave the factory with Windows installed ) , then that would affect a much larger number of PG readers

I don’t know the answer to those questions as I bought mime without an OS installed… and maybe the fact that it has not been raised before makes it more likely that Option 1 is true - anyway , just wanted to share ..

For info for others , it was certainly not mentioned in any of the pre-purchase ( online ) information - but maybe I would in future look at the manufacturer BIOS online prior to payment .

Thanks again for your help