For use with general public

HP Sure Click Enterprise 4.2

UPGRADE GUIDE

ii

Notices

Copyright © 2020 Bromium, Inc. All rights reserved. HP Development Company, L.P. The

information contained herein is subject to change without notice. The only warranties for HP

products and services are set forth in the express warranty statements accompanying such

products and services. Nothing herein should be construed as constituting an additional warranty.

HP shall not be liable for technical or editorial errors or omissions contained herein.

The software and accompanying written materials are protected by U.S. and International

copyright law. Unauthorized copying of the software, including software that has been modified,

merged, or included with other software, or other written material is expressly forbidden. This

software is provided under the terms of a license between HP and the recipient, and its use is

subject to the terms of that license. Recipient may be held legally responsible for any copyright

infringement that is caused or incurred by recipient’s failure to abide by the terms of the license

agreement. US GOVERNMENT RIGHTS: Terms and Conditions Applicable to Federal Governmental

End Users. The software and documentation are “commercial items” as that term is defined at

FAR 2.101. Please refer to the license agreement between HP and the recipient for additional

terms regarding U.S. Government Rights.

The software and services described in this manual may be protected by one or more U.S. and

International patents.

DISCLAIMER: Bromium, Inc., makes no representations or warranties with respect to the contents

or use of this publication. Further, Bromium, Inc., reserves the right to revise this publication and

to make changes in its contents at any time, without obligation to notify any person or entity of

such revisions or changes.

Intel® Virtualization Technology, Intel® Xeon® processor 5600 series, Intel® Xeon® processor E7

family, and the Intel® Itanium® processor 9300 series are the property of Intel Corporation or its

subsidiaries in the U.S. and/or other countries.

Adobe and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems

Incorporated in the United States and/or other countries.

Bromium, the Bromium logo, Bromium micro-VM®, Bromium micro-virtualization, Bromium µVM

and Trustworthy by Design are registered trademarks, and HP Sure Click Enterprise, Bromium

Secure Browser, Bromium Secure Files, Bromium Secure Monitoring are trademarks of Bromium,

Inc.

All other trademarks, service marks, and trade names are the property of their respective

owners. Bromium, Inc., disclaims any proprietary interest in the marks and names of others.

29 July 2020

iii

Notices ................................................................................................................... ii

Introduction ........................................................................................................... 2

Glossary ......................................................................................................................................... 2

Overview of Upgrade Steps ....................................................................................................... 2

Bromium Secure Platform End Of Life Notice ........................................................................ 2

Upgrade Considerations ............................................................................................................. 3

Upgrading the Controller ..................................................................................... 4

Controller Upgrade Considerations .................................................................... 5

Monitoring Catalog Data Retention .......................................................................................... 5

Device Name / Duplicates .......................................................................................................... 5

Dynamic Device Groups .............................................................................................................. 5

(All Devices) ..................................................................................................................................................................................... 6

(Ungrouped) .................................................................................................................................................................................... 6

Example – Only (Ungrouped) .................................................................................................................................................. 7

Example – Not Using (Ungrouped) ........................................................................................................................................ 8

Example – (Ungrouped) and Custom Device Groups ..................................................................................................... 9

Product Name ............................................................................................................................................................................. 10

Secure Browsing Extensions (SBX) ........................................................................................ 10

Advanced Policy Settings ......................................................................................................... 11

MimeHandler.Custom.n.xxx Parameter ............................................................................................................................ 11

Untrusted.IngressApplicationsSettings Parameter (deprecated in SCE 4.2) ...................................................... 11

Upgrading Endpoint Devices ............................................................................ 12

Unchanged Paths....................................................................................................................... 13

Installation with Microsoft Virtualization Based Security (VBS) ........................................ 14

Deprecated Support for Software .......................................................................................... 15

Browser Compatibility .............................................................................................................. 16

Firefox SBX ................................................................................................................................................................................... 16

Microsoft Edge SBX ................................................................................................................................................................... 16

Exclusions ................................................................................................................................... 17

Upgrade Considerations ......................................................................................................................................................... 17

File Exclusions – BSP and SCE .............................................................................................................................................. 18

File Exclusions BSP Only: ........................................................................................................................................................ 19

Directory Exclusions – BSP and SCE ................................................................................................................................... 19

Directory Exclusions – BSP Only .......................................................................................................................................... 19

Firewall Exclusions ................................................................................................................................................................... 19

For use with general public 2

Introduction

The purpose of this guide is to aid customers in migrating existing Bromium Secure Platform

deployments to HP Sure Click Enterprise 4.2.

Glossary

The following abbreviations are used throughout this document:

• BSP – Bromium Secure Platform

• SCE – HP Sure Click Enterprise

• SBX – Secure Browser Extension

Overview of Upgrade Steps

The recommended upgrade path from Bromium Secure Platform to HP Sure Click Enterprise is:

1. First upgrade all Bromium Controllers to Sure Controller 4.2.

2. Second uninstall pre-existing versions of Bromium Secure Platform from endpoint

devices.

3. Third install Sure Click Enterprise on endpoint devices.

In-place upgrades to SCE 4.2 on devices are only supported for devices running BSP 4.1.6 or later

or SCE 4.1.8 Patch 1 or later.

Bromium Secure Platform End Of Life Notice

Bromium Secure Platform will become EOL on November 8, 2020 at which time new hotfixes and

code updates will no longer be released. Bromium Secure Platform will continue to be supported

for assistance with configuration and deployment issues until March 31, 2021. HP recommends

that all customers complete their upgrade to HP Sure Click Enterprise 4.2 prior to March 31,

2021. For a complete list of deprecated features, please refer to the Knowledge Base:

https://support.bromium.com/s/article/Deprecated-Features.

For use with general public 3

Upgrade Considerations

The following considerations must be factored into plans for upgrading from Bromium Secure

Platform to HP Sure Click Enterprise:

• Controller considerations:

o Monitoring catalog data retention

o Non-domain-joined devices

o Dynamic device groups

o Bromium-related AD GPOs

o Custom ingress applications

• Endpoint device considerations:

o Product installation paths

o Desktop Console HP Branding and updates to user experience

o Product registry keys

o Bromium-related scripts

o Deprecated support for software

o Firefox browser upgrade

o Edge browser upgrade

o Exclusions

o VDI Deployments

For use with general public 4

Upgrading the Controller

Upgrading Bromium Controller to Sure Controller before installing SCE on devices ensures:

• Dynamic device group memberships based on the Product Version rule are compatible

with endpoint devices when they are upgraded to SCE

• Access to the policy settings to manage new features of SCE endpoints

• Access to the latest features and enhancements in the Sure Controller

Upgrading Bromium Controller to Sure Controller 4.2 after upgrading endpoint devices may

result in:

• Duplicate devices

• Devices losing group membership (and therefore potentially losing license / policy

assignments)

To avoid any issues, it is strongly recommended to upgrade all Bromium Controllers to Sure

Controller 4.2 before installing SCE on endpoint devices.

For more information about how to upgrade the controller, refer to the Knowledge Base:

https://support.bromium.com/s/article/Upgrading-BEC Always back up the Sure Controller

database before upgrading.

Warning: If the license key is applied within a policy that is only assigned to a Dynamic Group

dependent upon Product Version and devices are upgraded to SCE before the Controller, SCE

devices will not be a member of that group and will not have the associated policies and

license key applied. This could result in SCE endpoint devices becoming disabled and

unlicensed during the upgrade.

Upgrade the Controller first to ensure backwards compatibility of Dynamic Groups which will

ensure devices remain licensed during the upgrade to SCE.

For use with general public 5

Controller Upgrade Considerations

The functionality and organization of the controller remains largely unchanged in Sure Controller

4.2. This section describes changes that require consideration before upgrading the controller.

Monitoring Catalog Data Retention

The Monitoring feature of BSP was deprecated on February 1, 2020. As such, all Monitoring policy

settings and configurations should be deleted prior to upgrading to Sure Controller 4.2.

Deletion of any catalogs should be configured at least 24 hours before upgrading to Sure

Controller 4.2. From the controller navigation pane click Settings and under Monitoring Catalog

Data Retention ensure Delete catalog entries is selected.

Note: The Monitoring Catalog Data Retention setting will be removed after the upgrade to

4.2.1. Entries will continue to be deleted automatically as per this setting.

Device Name / Duplicates

Endpoint devices which are not domain-joined will appear as duplicates in the Sure Controller

after upgrading the device to SCE. Sure Controller will display each upgraded endpoint as an

offline Isolation endpoint and an online Sure Click endpoint. This issue only occurs for endpoints

which are not joined to an Active Directory domain.

If you have configured the Device Data Retention options in the controller settings, offline devices

will be archived and deleted automatically. Alternatively, you can filter the Devices list by

Connectivity Status and/or Isolation Version to identify the offline Isolation endpoints and then

select the relevant endpoint devices and archive them manually.

Dynamic Device Groups

Bromium Controller contains a built-in group named “(Ungrouped)”. Sure Controller 4.2 adds a

new group named “(All Devices)” and begins the phase out of (Ungrouped). The transition from

(Ungrouped) to (All Devices) has been carefully designed to ensure no negative impacts from

these changes occur from the upgrade. Full details are provided in the following sections.

For use with general public 6

(All Devices)

A new dynamic device group named “(All Devices)” is built in to Sure Controller. This group will

contain all devices registered with Sure Controller regardless of other group memberships.

Therefore, any policy assigned to this group will be applied to all endpoint devices. This provides

a convenient group for applying a license key. By default, no policies are assigned to this group.

If a device group named “(All Devices)” already exists, the Sure Controller upgrade will

automatically rename the group to “(All Devices) 2” during the upgrade process to ensure no

conflict with the new built-in (All Devices) group.

(Ungrouped)

The Bromium Controller group named “(Ungrouped)” will be deprecated in a future release but

remains available and supported in the initial release of Sure Controller 4.2. Customers using

(Ungrouped) to manage devices should develop plans to migrate away from its use as soon as

possible.

During the upgrade of Bromium Controller to Sure Controller 4.2, changes affecting the group

(Ungrouped) will be applied as follows:

If Bromium Controller configuration is… Then result after Sure Controller upgrade is…

(Ungrouped) is the only device group. (Ungrouped) is replaced by (All Devices) and

all policies previously assigned to

(Ungrouped) will be assigned to (All Devices).

The group “(Ungrouped)” is deleted and no

longer available.

(Ungrouped) is not the only device group and

(Ungrouped) has no policies assigned.

(Ungrouped) is deleted and no longer

available.

(Ungrouped) has policies assigned with or

without group members.

(Ungrouped) is not changed and continues

working as it did in Bromium Controller 4.1.

Note: The built-in group named “(Ungrouped)” is due to be deprecated in Sure Controller.

Although it is still available in the initial 4.2 Controller release, it will be removed in a future

release.

For use with general public 7

Example – Only (Ungrouped)

In this example, (Ungrouped) is the only device group present. The first image illustrates

(Ungrouped) in Bromium Controller prior to upgrade. The second image illustrates the

replacement by (All Devices) in Sure Controller.

For use with general public 8

Example – Not Using (Ungrouped)

In this example, custom device groups have been created and are in use. (Ungrouped) is not in

use. The first image illustrates (Ungrouped) in Bromium Controller prior to upgrade. The second

image illustrates (Ungrouped) has been deleted and (All Devices) has been created in Sure

Controller.

For use with general public 9

Example – (Ungrouped) and Custom Device Groups

In this example, both (Ungrouped) and custom device groups are in use. The first image

illustrates (Ungrouped) in Bromium Controller prior to upgrade. The second image illustrates

(Ungrouped) remains intact with its original policies and members and (All Devices) has been

created in Sure Controller.

For use with general public 10

Product Name

In Sure Controller, the Product column is one of the default columns displayed when Devices are

listed. Product, previously named Isolation is now named Sure Click. Dynamic Device groups

created using the rule Product is Isolation will automatically be converted to Product is Sure Click

and will be backwards compatible to contain both Isolation and Sure Click endpoint devices.

Secure Browsing Extensions (SBX)

If using Active Directory Group Policy Objects (GPOs) to manage the Bromium Secure Browsing

Extension (SBX) for Chrome, the GPO configurations should be retired after upgrading the

controller. The preferred method is to manage the extensions using the Sure Controller policies.

If AD GPO is still required to manage the Chrome SBX extension, the GPO should be updated to

reference the new HP Sure Click extension GUID: gpmlagmcbcnjhkdjiofoenkfbaclgjkk.

In SCE 4.2, SBX is also loaded into the HP Secure Browser to support the new HP Identity

Protection feature (see Release Notes or the Online Help system for more information).

For use with general public 11

Advanced Policy Settings

Most existing BSP policies are compatible with devices that have been upgraded to SCE and

should require no modification. However, there are a few exceptions relating to the following

advanced parameters:

• MimeHandler.Custom.n.xxx

• Untrusted.IngressApplicationsSettings

If the existing BSP or SCE 4.1.x policies do not contain these advanced parameters then no

further action is required.

MimeHandler.Custom.n.xxx Parameter

Custom mime handlers are used to override the default handling of specific types of files. In SCE,

custom mime handlers are replaced by Untrusted.FileTypePolicies and

Untrusted.FileTypeGroups parameters.

For more information, please contact HP Support (support@bromium.com) prior to upgrading

endpoint devices to SCE.

Untrusted.IngressApplicationsSettings Parameter (deprecated in SCE 4.2)

Custom Ingress Applications applied with Untrusted.IngressApplicationsSettings

are no longer supported in SCE 4.2.

Note: SCE endpoints will report an “Unsupported configuration” error to the Sure Controller

and will fail to initialize if Untrusted.IngressApplicationsSettings remains in

the policy. You must remove the advanced setting from your policies in order for endpoints to

successfully initialize.

For the latest information on supporting custom ingress applications, visit the HP Security

Knowledge Base https://support.bromium.com/s/article/Controller-Management-Action-

Unsupported-configuration or contact HP Support (support@bromium.com) prior to upgrading

endpoint devices to SCE.

For use with general public 12

Upgrading Endpoint Devices

It is recommended that previous versions of BSP are removed from devices before installing SCE

as the installation path of SCE is determined by whether the installation is a new installation or an

upgrade of an existing endpoint device. Uninstalling previous versions of BSP prior to installing

SCE ensures all endpoint devices have a consistent install path.

1. To uninstall previous versions of BSP, specify the parameter value of “CLEANALL=YES” as

part of the msiexec command. For more information, see page 17 of the Bromium Secure

Platform 4.1 Update 8 Installation and Deployment Guide.

2. In-place upgrades to HP Sure Click Enterprise on devices are supported for the following

versions of Bromium Secure Platform:

o Bromium Secure Platform 4.1.6 or later

o HP Sure Click Advanced 4.1.8 Patch 1 or later

Attempts to install SCE 4.2 on endpoint devices with BSP versions older than 4.1.6 will result in

the installer exiting with the following error:

When performing an in-place upgrade of a BSP endpoint to SCE, the existing installation path will

be used. The default installation paths are as follows:

New installation of SCE – C:\Program Files\HP\Sure Click

Upgrade from BSP – C:\Program Files\Bromium\vSentry

For use with general public 13

Unchanged Paths

The following paths do not change regardless of upgrade method:

In the file system:

• %UserProfile%\AppData\Local\Bromium

• %UserProfile%\AppData\LocalLow\Bromium

In the registry:

• HKLM\SOFTWARE\Bromium

• HKCU\Software\Bromium

Note: The system environment variables %brs% and %brb% will remain the same with either

upgrade method and will resolve to the correct directory for the installation. Additionally, the

command line tool brmanage.exe is available and unchanged.

For use with general public 14

Installation with Microsoft Virtualization Based Security (VBS)

Upgrading to SCE 4.2 on a device running on Windows 10 1809 (RS5) or older with VBS enabled

will use the Bromium hypervisor (AX). Upgrading to SCE 4.2 on a device running on Windows 10

1903 (19H1) or newer with VBS enabled will use the Windows Hypervisor Platform (WHP).

The status of the devices can be checked in the Sure Controller from the Device details page

Properties tab. The following values are returned according to the configuration:

Windows Release WHP Running? Sure Controller Status

≤ Windows 10 1809 (RS5) False Not enabled

≤ Windows 10 1809 (RS5) True Not enabled 1

≥ Windows 10 1903 (19H1) False Not enabled

≥ Windows 10 1903 (19H1) True Enabled

1 Sure Controller will report “False” even when WHP is running as it is not used in this release.

Example Device Properties in the controller:

For use with general public 15

Deprecated Support for Software

The following table details the key features which are no longer supported on endpoint devices

beginning with HP Sure Click Enterprise 4.2.

Feature Recommendation for SCE 4.2

Adobe Acrobat Standard and Pro Install supported version of Adobe Acrobat Reader DC 1

Bromium Secure Browser 32-bit Upgrade to HP Secure Browser 64-bit

SBX for Firefox (32-bit) Upgrade Firefox to latest 64-bit version

SBX for Edge (legacy) Upgrade legacy Edge to new Edge (Chromium)

Microsoft Office 2010 Upgrade to Microsoft Office 2013 or later

Windows 7 and Windows 8.1 Upgrade to Windows 10 64-bit

1 Opening or editing of PDF documents in Adobe Acrobat Standard or Professional is no longer

supported. Acrobat Reader DC will continue to be supported. Electronic signature, highlighting

and other Adobe Reader DC features are still supported.

For a complete list of deprecated features, please refer to the Knowledge Base:

https://support.bromium.com/s/article/Deprecated-Features.

For use with general public 16

Browser Compatibility

Browser protection for Internet Explorer, Chrome, Firefox, and Edge is continued in SCE. There are

additional considerations for devices using Firefox and Edge browsers.

Firefox SBX

The Secure Browsing Extension (SBX) is only compatible with 64-bit versions of Firefox. HP

supports SBX on the latest ESR and non-ESR 64-bit versions of Firefox.

Microsoft Edge SBX

Limited support of Microsoft Edge (non-Chromium) was provided with BSP 4.1.x. Microsoft

recently replaced the Edge browser with a new version based on Chromium. Therefore, SCE 4.2

provides compatibility and support for SBX with Edge (Chromium). In SCE 4.2, SBX is not

compatible with the legacy Edge (non-Chromium) browser. Therefore, when planning to migrate

endpoint devices that use SBX for Edge from BSP to SCE, it is necessary to also upgrade Microsoft

Edge to Edge (Chromium) during the upgrade to ensure a seamless user experience. The high-

level steps are as follows:

1. Upgrade Bromium Controller to Sure Controller

2. Uninstall BSP with CLEANALL=YES parameter/value

3. Upgrade Edge to Edge (Chromium)

4. Install SCE 4.2

Note that, in most deployments, the Bromium Controller will be upgraded to Sure Controller days

or weeks prior to completing the upgrade of all endpoint devices to Sure Click Enterprise 4.2. As

noted in the images below, the policy setting for enabling SBX for Edge is different than the policy

setting for enabling SBX for Edge (Chromium). In order to ensure BSP 4.1.x endpoint devices with

SBX enabled for Edge continue to work as expected while connected to a Sure Controller, any

BSP policies with “Enable for Edge” set are automatically updated with an advanced parameter

“Enabled for Microsoft Edge Legacy” during the upgrade of Bromium Controller to Sure

Controller. This automatic update applies to both bespoke policies as well as the Bromium/HP

Supplied Policies (built-in).

The following images illustrate the difference in SBX for Edge policy settings before and after

upgrading the Controller from Bromium Controller to Sure Controller:

For use with general public 17

The following image illustrates a bespoke policy after upgrading Bromium Controller to Sure

Controller:

Exclusions

The continuous scanning of known trusted files by third-party security tools can cause

performance and stability issues with other products including Sure Click Enterprise. Exclusions

should be implemented to support Sure Click Enterprise. In general, these exclusions should be

implemented with all security products including but not limited to Symantec Endpoint

Protection, McAfee Virus Scan, McAfee HIPS, Digital Guardian, Trend Micro, and Windows

Defender. Please consult the Third-Party Software Interoperability Guide for the most current

recommendations.

Upgrade Considerations

Pre-existing exclusions implemented to support Bromium Secure Platform will need to be

amended due to changes in file paths and the deprecation of several executables.

For use with general public 18

The default installation paths are as follows:

• New installation – C:\Program Files\HP\Sure Click

• Upgrade from BSP – C:\Program Files\Bromium\vSentry

If performing in-place upgrades from BSP to SCE, both file paths will need to be accounted for as

it is likely that, over time, endpoint devices will be replaced or re-imaged and begin using the new

file paths.

Exclusions can be applied at a directory or file level depending on the third-party application

requirements.

File Exclusions – BSP and SCE

The following file exclusions can be implemented with both BSP and SCE:

ax_installer.exe Br-init-l.exe

BemAgent.exe Br-init-n.exe

bemk*.sys Br-init-o.exe

BemMan.exe Br-init-w.exe

BemReporter.exe BrInstallerPopup.exe

BemSession.exe BrLauncher.exe

BemSvc.exe BrLogMgr.exe

BrAxService.exe BrManage.exe

BrChrome.exe BrNav.exe

BrConsole.exe BrPrintHelper.exe

BrDesktopConsole.exe BrProgressDialog.exe

BrDownloadManager.exe BrRemoteManagement.exe

BrExeScanner.exe BrRemoteMgmtSvc.exe

BrExeScanner.exe BrService.exe

brfilter_* BrStatusMonitor.exe

BrGPUCheck.exe Br-uxendm.exe

Br-hostconfig.exe BrWinFile.exe

BrHostDrvSup.exe dpinst.exe

BrHostSvr.exe getcaps.exe

For use with general public 19

Br-init-a.exe uxenctx.exe

Br-init-b.exe HostPcapDump.exe uxenctl.exe

Br-init-c.exe uxendm.exe

File Exclusions BSP Only:

The following file exclusions can only be implemented with BSP and are not supported on SCE:

Autonomyhelper32.exe

Bemsup.exe

BrDeprivilege.exe

BrIEHelper64.exe

BrInstaller.exe

BrPolicy.exe

BrPreCheck.exe

BrReporter.exe

BrSecurityAlertInspector.exe

Bruxenctx.exe

vhd-util.exe

xenctx.exe

Directory Exclusions – BSP and SCE

The following directory exclusions can be implemented with both BSP and SCE:

%UserProfile%\AppData\Local\Bromium

%UserProfile%\AppData\LocalLow\Bromium

%ProgramData%\Bromium

%ProgramFiles%\HP\Sure Click

Directory Exclusions – BSP Only

The following directory exclusions can only be implemented with BSP and is not supported on

SCE:

%ProgramFiles%\Bromium

Firewall Exclusions

Windows Firewall – There are no differences between BSP and SCE; however, some changes for

Symantec (and other third-party applications) may be required.

Note: For more information about HP Sure Click Enterprise contact your local HP Inc. field

representative or visit https://www.hp.com/enterprisesecurity.