HP Sure Click Enterprise 4.2.8

Page created by Emily Bowen
 
For use with general public

Table of Contents

      Notices
      Introduction
         Sure Click Enterprise Requirements
         Required Software for Installation
         Additional Isolation Requirements
         Supported Software
         Supported Languages
      Controller Requirements
         HP Sure Controller Requirements
             Supported Browsers
         SQL Database Requirements
      What’s New in 4.2
         Bromium Acquisition by HP
         End of Sale (EOS) / End of Life (EOL) Updates
         Sure Click Enterprise 4.2 Updates
             Upgrade Guide
             Online Help
             Isolation Support for Google Chrome version 92
             Updates to Application Support
             Secure Browser Extension (SBX) for Microsoft Edge Legacy
             Microsoft Windows Operating System Support
             Initial installation
             Performance Improvements
             HP Branding in Sure Click Enterprise 4.2
             Additional Branding updates in 4.2
      Feature Updates
             Identity Protection
             All Devices Group
             Policy Settings
             HP Policy Sync
             Automatically Trust Office/Microsoft 365 or Google GSuite Documents
      Limitations
         General
         Web Browsing with Internet Explorer
         Web Browsing with Chrome
         Web Browsing with Firefox
         Documents
         Controller
      Issues Fixed in 4.2.8
      Issues Fixed in 4.2.7
      Issues Fixed in 4.2.6
      Issues Fixed in 4.2.5
      Issues Fixed in 4.2.4
      Issues Fixed in 4.2.2
      Issues Fixed in 4.2.1
      HP Sure Click Enterprise End of Life (EOL) Dates
      Deprecated Features and Platforms
      Getting Help

Notices
Copyright © 2020, 2021 HP Development Company, L.P. The information contained herein is subject to change
without notice. The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
The software and accompanying written materials are protected by U.S. and International copyright law.
Unauthorized copying of the software, including software that has been modified, merged, or included with other
software, or other written material is expressly forbidden. This software is provided under the terms of a license
between HP and the recipient, and its use is subject to the terms of that license. Recipient may be held legally
responsible for any copyright infringement that is caused or incurred by recipient’s failure to abide by the terms of
the license agreement. US GOVERNMENT RIGHTS: Terms and Conditions Applicable to Federal Governmental End
Users. The software and documentation are “commercial items” as that term is defined at FAR 2.101. Please refer to
the license agreement between HP and the recipient for additional terms regarding U.S. Government Rights.
The software and services described in this manual may be protected by one or more U.S. and International patents.
DISCLAIMER: HP Inc., makes no representations or warranties with respect to the contents or use of this publication.
Further, HP Inc., reserves the right to revise this publication and to make changes in its contents at any time, without
obligation to notify any person or entity of such revisions or changes.
Intel® Virtualization Technology, Intel® Xeon® processor 5600 series, Intel® Xeon® processor E7 family, and the
Intel® Itanium® processor 9300 series are the property of Intel Corporation or its subsidiaries in the U.S. and/or other
countries.
Adobe and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the
United States and/or other countries.
All other trademarks, service marks, and trade names are the property of their respective owners. HP Inc., disclaims
any proprietary interest in the marks and names of others.

21st July 2021

Introduction
The Release Notes cover the latest HP Sure Click Enterprise 4.2 product release, and subsequent updates, providing
information about new functionality and the requirements for Sure Click Enterprise.

Sure Click Enterprise Requirements
Sure Click Enterprise requires the following hardware and software for this release:
 Hardware or Software            Description
 CPU                             Intel Core i3, i5, i7 with Intel Virtualization Technology (Intel VT) and
                                 Extended Page Tables (EPT) enabled in the system BIOS.
                                 Single socket Intel XEON workstation class processors with a maximum of
                                 32 logical processors (LCPU)
                                 AMD processor with Rapid Virtualization Indexing (RVI). Sure Click
                                 Enterprise supports most enterprise class AMD CPUs sold since 2011.
                                 Supported models are the Ryzen range of CPUs, and models that are of
                                 type A4/A6/A8/A10 (followed by a four-digit number in which the first digit
                                 is not 3.) HP recommends quad-core AMD CPUs for optimal performance.
                                 In VDI / nested virtualization environments, Sure Click Enterprise supports
                                 Intel CPUs only.
                                 Computers with vPro chipsets are highly recommended.
 Memory                          Minimum: 8 GB RAM
                                 It is recommended that you check the amount of available memory by
                                 logging into a device after it has been powered on for a minimum of 30
                                 minutes and before any applications have been launched. As a baseline,
                                 HP recommends that a typical device have the following amount of
                                 memory available before installing and enabling isolation:
                                 Windows 10 64-bit with 1800 MB available memory prior to installation
 Disk                            6 GB free disk space
 Operating System                Microsoft Windows 10 versions are supported as documented in the HP
                                 Sure Click Enterprise Windows 10 Support policy:
                                 https://enterprisesecurity.hp.com/s/article/Product-Support-and-End-of-Life-Policy-EOL
                                 Before updating to a new version of Windows, you must upgrade HP Sure
                                 Click Enterprise to the latest version and check that this version
                                 supports the version of the operating system you are upgrading to.
                                 The HP Sure Click Enterprise EOL policy can also be referenced here:
                                 https://enterprisesecurity.hp.com/s/article/Bromium-Windows-10-Support-Policy

 Note: If you are using msiexec to install Sure Click Enterprise remotely, ensure you include the
 SERVERURL setting, otherwise installation will fail.

Required Software for Installation
    •    Microsoft .NET Framework 4.5 (minimum, this is normally built-in to Windows 10)
    •    Visual Basic for Applications (a shared feature in Microsoft Office installation for secure printing from Office)
    •    XPS Services must be enabled and the Microsoft XPS Document Writer must be present to use secure
         printing

Additional Isolation Requirements
HP Sure Click Enterprise installation requires the following:
    •    Local administrator privileges (if installing on specific machines for evaluation)
    •    Active Directory administrator privileges (if installing in the enterprise for production use)
    •    A license provided by your HP Sales or Customer Support representative.
    •    To run isolation in a virtualized environment using:
              o   Minimum supported versions:
                       ▪    Citrix Hypervisor 7.6
                       ▪    VMware ESX 6.0
              o   While customers can run HP Sure Click Enterprise on the minimum supported versions of the
                  above hypervisors, HP always recommends the latest versions of hypervisors as they generally
                  improve performance and stability.

Supported Software
Sure Click Secure Browsing Extension for Chrome (Chrome SBX) supports the latest Google-recommended version of
Google Chrome.
Sure Click Secure Browsing Extension for Firefox (Firefox SBX) supports the latest Mozilla-recommended version of
Firefox (ESR or non-ESR, 64-bit only).
Sure Click Secure Browsing Extension for Edge (Edge SBX) supports the latest version of the Microsoft Edge
Chromium browser only.
Sure Click Chrome Isolation is supported with an N-3 policy: the current shipping version and the 3 prior
versions of Chrome are supported. Chrome support is detailed in the Sure Click Enterprise Support Knowledge Base:
https://enterprisesecurity.hp.com/s/article/Product-Support-and-End-of-Life-Policy-EOL
Sure Click Firefox Isolation supports the Mozilla Firefox ESR 60 (32-bit) release. HP is currently working on
supporting newer 64-bit ESR releases. Support will be announced in a future version of Sure Click Enterprise.
https://www.mozilla.org/en-US/firefox/organizations/

 Note: Neither MS Edge nor Google Chrome allows extensions to automatically enable access to the
 file:// URL scheme. To fully protect users from potentially harmful phishing attacks that use .html
 or .htm files as attachments, “Allow access to file URLs” must be enabled in the extension settings
 in the relevant browser. At this time, this cannot be automated due to security restrictions inside
 the browsers themselves. This setting also allows the Secure Browsing eXtension (SBX) to protect
 against malicious files, so turning it on is recommended.

Microsoft Office 2013 Service Pack 1, MSI x64/x86: (End: 2023/04/11)
         Standard, ProPlus
Microsoft Office 2013 Service Pack 1, Click-to-Run x64/x86: (End: 2021/04/11)
         Standard, ProPlus, Home Business, Home Student, Personal, Professional, O365 ProPlus, O365 Business,
         O365 Small Business Premium, O365 Home Premium
Microsoft Office 2016, MSI, x64/x86: (End: 2025/10/14)
         Standard, ProPlus
Microsoft Office 2016, Click-to-Run, x64/x86: (End: 2025/10/14)
         Standard, ProPlus, Home Business, Home Student, Personal, Professional, O365 ProPlus, O365 Business,
         O365 Small Business Premium, O365 Home Premium
Microsoft Office 2019, Click-to-Run, x64/x86 (Office 365 / Microsoft 365): (End: 2025/10/14)
         Standard, ProPlus, Home Business, Home Student, Personal, Professional, 365 ProPlus, 365 Business, 365
         Small Business Premium, 365 Home Premium

 Note: Microsoft Office shared computer activation licensing is supported; however, on some systems,
 when opening an isolated Word document, users may temporarily see a banner stating Office has not
 been activated.

    •    Microsoft Internet Explorer version 11
             o    Beginning January 12, 2016, only the most current version of Internet Explorer available for a
                  supported operating system receives technical support and security updates from Microsoft (see
                  https://support.microsoft.com/en-gb/help/17454/lifecycle-faq-internet-explorer)
             o    As such, versions of Internet Explorer earlier than 11 are no longer supported on Desktop
                  Operating Systems with HP Sure Click Enterprise 4.2.1 and later.
Due to the availability of new Edge and removal of Edge Legacy, Microsoft considers Internet Explorer 11 as feature
complete and no longer releases new features or bug fixes, only critical security fixes for this browser. Microsoft has
announced it is removing support for Internet Explorer 11 from Microsoft Teams and Microsoft Office 365 in 2021
and it is expected other tools and platforms will follow. HP has adopted the same position in its support of Internet
Explorer 11 isolation. In Sure Click Enterprise 4.2.x, Internet Explorer 11 is considered feature complete. While no
additional features will be added, critical security fixes will be released if required as part of our standard release
process.
             o    HP will be deprecating the support for IE11 in Sure Click Enterprise during 2021 based on latest
                  updates and guidance from Microsoft.

 Note: If you configure enterprise mode using the EMIE site list, ensure you do the following:
 If the EMIE site list is configured to be on a network path, that network path should be marked as
 trusted. If the EMIE site list is hosted on a web URL, the TLD should be trusted.

Adobe Reader versions:
         DC Classic 2017, 2020
         DC Continuous: Latest Adobe Supported Release (32-bit and 64-bit)
Windows Media Player 12 (32-bit and 64-bit)

Oracle Java 8 (32-bit)
Oracle VirtualBox
         While Oracle VirtualBox claims to have nested-VT support, it is implemented in such a way as to be
         incompatible with HP Sure Click Enterprise and thus running HP Sure Click Enterprise in a guest VM inside
         VirtualBox is not supported.
         HP Sure Click Enterprise can run alongside Oracle VirtualBox on the host, but only on Intel CPUs and only if
         Microsoft Hyper-V is disabled.

Support for endpoints running Windows Hypervisor Platform (WHP / Hyper-V) and Virtualization-Based Security (VBS)
with the following configuration:
         Windows Hypervisor Platform - WHP (on Windows 10 1903 and above)
         Windows 10 64-bit with virtualization-based security (VBS) enabled
         UEFI Secure Boot enabled
         The Fast Startup power option in Windows must be disabled
         Intel vPro 4th generation Core (i3/i5/i7) and newer or AMD Ryzen
         Trusted Platform Module (TPM) is recommended
         Support for non-vPro Intel chipsets

 Note: Sure Click Enterprise previously required vPro chipsets supporting Intel VMCS Shadowing, a
 feature that improves performance of hypervisors running nested virtual machines by reducing
 nesting-induced VM exits. Bromium 4.1.4 introduced support for Intel-based chipsets without this
 technology. Running Sure Click Enterprise without VMCS Shadowing results in lower performance
 than on vPro systems; however, HP has taken steps to reduce the performance difference as far as
 possible.
 Limitations of support for non-vPro chipsets:
 Hibernation / S4 capabilities are disabled and hidden on the host

VDI deployments on:
        VMware Horizon View 7.x (last validated with version 7.3 with ESX 6.5)
        Citrix Virtual Desktops 7.x (last validated with version 7.18 with Citrix Hypervisor 7.6)
        Intel CPUs are fully supported when running the above hypervisors using nested virtualization (nested VT)
        AMD CPUs running the above hypervisors are considered by HP to be in BETA support. HP has validated the
        solution works at a functional level using AMD CPUs. HP is continuing to test this configuration and hopes to
        fully support AMD CPUs and nested virtualization in a future release.
SINA WorkStation by Secunet Security Networks
        Solution verified on SINA OS 3.3.9.5 on Windows 10 1809 LTSC guest
        Solution verified on SINA OS 3.5.1.2 on Windows 10 1809 LTSC guest
        Solution verified on SINA OS 3.5.1.4 on Windows 10 1809 LTSC guest

Windows Defender Credential Guard
McAfee DLP for Internet Explorer
Symantec DLP
        Customers are encouraged to review HP Sure Click Enterprise KB system for the latest updates on 3rd party
        support, whitelisting and exclusions
Configure Exclusions and Whitelisting for Third-Party Security Software (hp.com)

 Important: Ensure you create appropriate exclusions in the configuration of installed endpoint security
 products so as not to interfere with or prevent the normal operation of HP products. Necessary actions
 may consist of excluding all HP Sure Click Enterprise processes and binaries from the third-party
 endpoint security product. To create exclusions, refer to your third-party product documentation. The
 absence of exclusions may result in failed Sure Click Enterprise initialization and slow or blocked
 browsing and opening of isolated documents. Refer to the HP Sure Click Enterprise Installation and
 Deployment Guide for information about creating exclusions.

Supported Languages
HP Sure Click Enterprise endpoint software supports the following languages on the specified version of Windows:
English US (en-US), all supported versions of Windows
English UK (en-GB), all supported versions of Windows
French (fr-FR), all supported versions of Windows
French Canadian (fr-CA), all supported versions of Windows
German (de-DE), all supported versions of Windows
Spanish (es-ES), all supported versions of Windows
Swedish (sv-SE), all supported versions of Windows
Italian (it-IT), all supported versions of Windows
Brazilian Portuguese (pt-BR), all supported versions of Windows
Japanese (ja-JP), all supported versions of Windows

 Note: HP Sure Click Enterprise supports all Windows locales.

Controller Requirements
The following tables list the hardware and software requirements for the server running the controller and the SQL
database on which it relies.

 Important: Before installing a new version of the HP Sure Controller, make sure to back up your current
 database.

HP Sure Controller Requirements
 Hardware or Software            Description

 CPU                             Sandy Bridge Intel Xeon Quad-core or better

 Disk                            1 TB free disk space

 Network                         Port 443 on the web server must be available for the endpoints to
                                 communicate to the controller.

 Internet                        It is recommended that the Controller have HTTPS (port 443) access to
                                 the HP Cloud Service in order to receive HP Rules File updates, as well
                                 as Threat Intelligence Reports, malware names and recent attack
                                 information. For more information see
                                 https://enterprisesecurity.hp.com/s/article/Bromium-Threat-Intelligence-Cloud-Service

 Operating System                Windows Server 2012          (End Date: 2023/10/10)
                                 Windows Server 2012 R2 (End Date: 2023/10/10)
                                 Windows Server 2016          (End Date: 2027/01/12)
                                 Windows Server 2019          (End Date: 2029/01/09)

 Memory                          16 GB RAM

 Software                        Microsoft IIS 7.5+ with CGI module, IIS Manager, static content, and
                                 anonymous authentication installed
                                 .NET 4 Extended (server)

 SSL                             Valid SSL certificate trusted by endpoints
                                 (For testing only, the server may be configured insecurely to run in HTTP
                                 mode)

Supported Browsers
The Controller Web Interface is supported on the latest versions of Internet Explorer[1], Edge Chromium, Chrome,
and Firefox ESR.

[1] – Support for Internet Explorer using HP Wolf Security Controller will be dropped in version 4.3 of the Controller.

SQL Database Requirements
 Hardware or Software             Description

 Performance                      200 IOPS sustained per 1000 endpoints

 Software                         https://docs.microsoft.com/en-us/lifecycle/products/?products=sql-server
                                  SQL Server 2012 SP4+ (End Date: 2022/07/12)
                                  SQL Server 2014 SP3+ (End Date: 2024/07/09)
                                  SQL Server 2016 SP2+ (End Date: 2026/07/14)
                                  SQL Server 2017+     (End Date: 2027/10/12)
                                  SQL Server 2019+     (End Date: 2030/01/08)
                                  Standard and Enterprise editions are supported
                                  SQL Server Management Studio (SSMS) as the management suite for the
                                  controller database
                                  SQL Express should be used in a limited test or evaluation environment
                                  only

 Storage Space                    1 TB available space

What’s New in 4.2
Bromium Acquisition by HP
After the acquisition of Bromium by HP in Q4 2019, the Bromium Secure Platform ceased to exist once the 4.1
Update 8 release cycle completed on 31st March 2021. Bromium Secure Platform has been replaced by HP Sure Click
Enterprise, starting with the 4.2 release.
If you are still using Bromium Secure Platform after March 21st 2021, please contact your HP account team or HP
Support, or consult the Sure Click Enterprise 4.2 Upgrade guide for the latest information on upgrading to the HP
Sure Click Enterprise platform.

End of Sale (EOS) / End of Life (EOL) Updates
Per HP Sure Click Enterprise EOL policy
(https://enterprisesecurity.hp.com/s/article/Product-Support-and-End-of-Life-Policy-EOL), EOL is the process of
discontinuing sales, support and maintenance for a specific version of the Product. EOS means that the product can
be used, but customers are expected to try to replicate any reported issue on the latest version of the software.
Any fixes released will be applicable to the latest version only and code fixes will not be applied to any version
that is already EOS or EOL. Code fixes and patches will only be released for the latest GA versions.
Updates to the End of Life Policy triggered by the 4.2.8 release are shown below:
         •    HP Sure Click Enterprise
                  o    4.2.4 : EOL 04 Sep 2021
                  o    4.2.5 : EOL 30 Oct 2021

         •    Bromium Secure Platform 4.1 Update 8
                  o    HP Sure Click Enterprise 4.2.x replaces Bromium Secure Platform
                  o    EOL: 31 Mar 2021

Sure Click Enterprise 4.2 Updates
Upgrade Guide
With Sure Click Enterprise 4.2, a separate upgrade guide is available for all customers and partners. This document
details considerations in upgrading from Bromium Secure Platform to HP Sure Click Enterprise. This is available on
the Product Documentation site.
While the architectural changes are minimal, changes to some advanced configuration options may affect your
existing deployment and configuration if used with Sure Click Enterprise 4.2 without change.
This guide lists everything you need to know regarding the upgrade, and is available in the Product Documentation
section of our customer portal. If you require additional support in planning your upgrade, please contact your
technical representative or HP Sure Click Enterprise Support for additional information and assistance.
Online Help
The Online Help system has been updated and edited with the latest Sure Click Enterprise and Sure Controller
information for 4.2. You can find this help system here:
https://documentation.bromium.com/4_2
Isolation Support for Google Chrome version 92
HP Sure Click Enterprise 4.2.8 supports Google Chrome version 92 when using the HP Secure Browser.
CVEs fixed in HP Secure Browser using Chromium 92
CVE-2021-37971, CVE-2021-37958, CVE-2021-37973, CVE-2021-37975, CVE-2021-37976, CVE-2021-37986,
CVE-2021-38003
Updates to Application Support
Adobe Flash (all versions) is no longer supported as it is now EOL
See: Adobe Flash Player End of Life

Secure Browser Extension (SBX) for Microsoft Edge Legacy
Microsoft have stopped all development on their own Edge Legacy architecture and have based the new Edge
(released in early 2020) on the Google Chromium framework. This new Edge was introduced in the first quarter of
2020.
https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration
    What this means for customers:
Edge Legacy is no longer supported by the Secure Browsing Extension and was removed in 4.2.2.
You can read more about Edge support on the knowledgebase here:
         https://enterprisesecurity.hp.com/s/article/Bromium-Secure-Browser-Extension-SBX-for-Microsoft-Edge

Microsoft Windows Operating System Support
HP regularly updates which operating system versions are supported based on the latest information from
Microsoft: https://docs.microsoft.com/en-gb/windows/release-information/
The overall HP Sure Click Enterprise Windows 10 support policy:
https://enterprisesecurity.hp.com/s/article/Bromium-Windows-10-Support-Policy

Updates in this 4.2.8 Release:
Supported:
Windows 10 (Threshold 1) Version 1507 (OS Build 10240) (LTSC ONLY)
Windows 10 (Redstone 1) Version 1607 (OS Build 14393) (LTSC ONLY)
Windows 10 (Redstone 5) Version 1809 (OS Build 17763)
Windows 10 (19H2) Version 1909 (OS Build 18363)
Windows 10 (20H1) Version 2004 (OS Build 19041)
Windows 10 Version 20H2 (OS Build 19042)
Windows 10 Version 21H1 (OS Build 19043)
Windows 10 Version 21H2 (OS Build 19044)

No longer supported:
Windows 7 (x86 & x64)
Windows 8.1 (x86 & x64)
Windows 10 (Threshold 2) Version 1511 (OS build 10586)
Windows 10 (Redstone 2) Version 1703 (OS build 15063)
Windows 10 (Redstone 3) Version 1709 (OS build 16299)
Windows 10 (Redstone 4) Version 1803 (OS build 17134)
Windows 10 (19H1) Version 1903 (OS Build 18362)
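
The support lists above can be used as a pre-upgrade fleet check. The following is an added example, not HP code: it classifies a constructed inventory against the builds listed for 4.2.8. The CSV column names, the host names and the set of EditionID values used to recognise LTSC installs are assumptions, not taken from this document.

```python
import csv
import io

# Builds listed as supported for 4.2.8: build -> (version label, LTSC-only flag).
SUPPORTED = {
    10240: ("1507", True),
    14393: ("1607", True),
    17763: ("1809", False),
    18363: ("1909", False),
    19041: ("2004", False),
    19042: ("20H2", False),
    19043: ("21H1", False),
    19044: ("21H2", False),
}

# Windows 10 builds listed as no longer supported.
DROPPED = {10586: "1511", 15063: "1703", 16299: "1709", 17134: "1803", 18362: "1903"}

# Assumption: LTSB/LTSC installs report one of these Windows EditionID values.
LTSC_EDITIONS = {"EnterpriseS", "EnterpriseSN", "IoTEnterpriseS"}

# Constructed sample inventory (hypothetical hosts), embedded so the check runs offline.
SAMPLE = """hostname,build,edition
wks-001,19043,Enterprise
wks-002,10.0.14393.4770,EnterpriseS
wks-003,14393,Professional
wks-004,18362,Enterprise
wks-005,22000,Enterprise
wks-006,n/a,Enterprise
"""


def classify(build, edition):
    """Return (status, reason) for one endpoint's OS build number and edition."""
    if build in SUPPORTED:
        version, ltsc_only = SUPPORTED[build]
        if ltsc_only and edition not in LTSC_EDITIONS:
            return "unsupported", f"version {version} is supported on LTSC only"
        return "supported", f"version {version}"
    if build in DROPPED:
        return "unsupported", f"version {DROPPED[build]} is no longer supported"
    return "unlisted", "build is not in either list for 4.2.8"


def audit(inventory_csv):
    """Classify every row of a CSV with the columns hostname, build, edition."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        raw = row["build"].strip()
        # Accept "19043" and "19043.1348" as well as "10.0.19043.1348".
        parts = raw.split(".")
        field = parts[2] if len(parts) >= 3 else parts[0]
        try:
            build = int(field)
        except ValueError:
            results.append((row["hostname"], "unlisted", f"unparseable build {raw!r}"))
            continue
        status, reason = classify(build, row["edition"].strip())
        results.append((row["hostname"], status, reason))
    return results


if __name__ == "__main__":
    for hostname, status, reason in audit(SAMPLE):
        print(f"{hostname:10} {status:12} {reason}")
```

Treat `unlisted` results as needing manual review: Windows 7 and Windows 8.1 are listed as no longer supported without build numbers, so they fall into that bucket.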

Initial installation
By default, the initial installation of the endpoint software will result in the software being disabled and
unconfigured. As a result, the endpoint must connect to an HP Sure Controller to receive its configuration and license
which may happen during installation (at the prompt or using msiexec parameters) or post-installation using the
“brmanage” command: “brmanage management-server ”.
Until the endpoint receives a license, the software will remain in a disabled state. Once the endpoint has been
correctly configured to communicate with an HP Sure Controller, it will receive a license and initial configuration via
policy. At this point, the endpoint software will initialize and will then be available for use (unless marked explicitly as
disabled).
This allows the administration team to roll out the endpoint software onto all endpoints in a benign state. The
administrator is then able to move devices into Device Groups to receive their license and configuration. This allows
an admin to see the entire endpoint estate with enabled/disabled devices in one simple view. It also allows customers
to complete a single rollout but phase the enablement of the software, as all disabled devices will appear in the Controller.
Performance Improvements
HP Sure Click Enterprise 4.2 includes some significant additional performance and efficiency improvements over
previous releases to reduce the impact on the base system as well as providing an improved user experience.
    •   Performance improvements to the initialisation process allow the initialised VM to “settle” better, thus
        improving post-initialisation launch times.
    •   Improved logic to decide when a template has reached peak settling, in order to improve post-template
        performance.
    •   Better memory management and use of memory on endpoints which have more RAM available.
    •   uVMs will load more quickly on all platforms, but particularly on machines running WHP.
    •   Secure Browsing performance has generally been improved.
    •   Initialisation may take significantly longer on some machines. This is the result of additional steps being
        taken during initialisation to improve the performance of uVMs.
              o    Improved user responsiveness when switching between multiple untrusted applications
              o    Reduced user disruption when loading all types of untrusted applications into uVM
              o    Faster loading of all types of untrusted applications when introspection is enabled on some
                   machines
              o    Reduced impact on host processes when accessing 1000s of directories
              o    Ensure audio from a uVM is automatically resumed after being paused due to low memory
                   conditions

HP Branding in Sure Click Enterprise 4.2
Since acquisition by HP Inc., the Bromium Secure Platform has been rebranded to HP Sure Click Enterprise. As part of
the HP Sure family of security features, this also means the Controller has now been renamed to HP Sure Controller.
Both the HP Sure Controller and the endpoint software have been rebranded. This affects Sure Controller and all
endpoint software user interfaces, such as the Desktop Console. Specifically, the orange icon used to differentiate
untrusted documents from trusted ones is now a blue HP logo.
Additional Branding updates in 4.2
With the release of 4.2.2, customers will see some user focused changes in the branding of Sure Click Enterprise.
Sure Click Enterprise falls under a new HP Wolf Security branding, which has been updated in this release.
Places you will see branding updates:
    •   Desktop Console title bar
    •   Desktop Console Support Page
    •   Windows Start Menu
    •   System tray icon

All other areas of the product (menu items, right-click context menus and the Controller UI) remain unchanged in this
release.

Feature Updates
Identity Protection
HP Sure Click 4.2 includes a new anti-phishing feature which allows customers to provide better protection from
phishing attacks when using Sure Click Enterprise. This feature is enabled using the policy configuration UI in the
Sure Controller in the new “Identity Protection” tab.
Once enabled, the product will install a new browsing extension into the supported browsers:
HP Secure Browser
Microsoft Edge Chromium
Google Chrome
*Firefox is NOT supported in the initial release, but will be in an upcoming version.
The anti-phishing feature uses live information from the HP Cloud to make instant decisions on the reputation of
sites while a user is browsing. If a user attempts to log in to a known phishing site, they will be blocked and an alert
sent to the Sure Controller. If the site has a good reputation, the user is not impacted and is allowed to log in with no
alerts being issued. If a user tries to log in to an unknown site, the administration team can decide what happens,
including whether the user is allowed to log in.
For more information on the feature, user experience and how to triage the identity protection alerts, please review
the feature information in the new Sure Click Enterprise Online Help system: Identity Protection Overview.
As with isolation threats, when you have opted in to forwarding the alerts to the HP Cloud, HP will automatically
triage these alerts based on the latest available information using a variety of 3rd party services and proprietary
information. As the internet is continually changing on a minute-by-minute basis, we highly recommend using this
service to keep the sites triaged appropriately.
While customers can triage the lists of allowed and blocked sites manually using this feature, they can quickly get
out of date and not represent the current state of the internet and reputation of some pages. To provide the best
user experience, we recommend opting into the threat forwarding and automatic triaging service provided as part of
the Sure Click Enterprise product line. Please contact your technical account team if you wish to learn more about
this feature and its use of the HP Cloud Service.
Even if you decide not to use the HP Cloud Service for the automatic triage of the identity protection alerts, the
Identity Protection extension will connect to the cloud service to obtain the reputation information for a website to
make an up to date decision to help protect the user from phishing sites. If you do not want the extension to query
the HP Cloud Service, we do not recommend enabling this feature.

 Note: Neither MS Edge nor Google Chrome supports the ability for extensions to automatically enable
 access to the file:// type URL schema. In order to fully protect users from potentially harmful phishing
 attacks using .html or .htm files as attachments, the “Allow access to file URLs” setting must be enabled in
 the extension settings in the relevant browser. At this time, it cannot be automated due to security
 restraints inside the browsers themselves. This setting will also allow the Secure Browsing eXtension
 (SBX) to protect against malicious files, so it is recommended to be turned on.

All Devices Group
In Sure Click Enterprise 4.2, the “ungrouped” device group mechanism is deprecated.
In previous versions, the ungrouped device group would automatically contain devices not pulled into other groups
either manually or when using the automatic device grouping rules, thus allowing you to apply isolation and policy
configuration to endpoints, even if they were not specifically grouped.
4.2 introduces a new “All Devices Group” which contains ALL devices, irrespective of other group memberships.
This group will automatically contain ALL devices and is perfect for applying a base configuration policy to capture new
devices. This allows for additional device groups to use delta policies when specific changes in policy are required
and allows for a simpler configuration.
You will be given an option to remove the “ungrouped” group from the UI when it no longer has any policies applied
to it. Those devices in the ungrouped group will already be in the new “All Devices Group”.
No policies will be automatically applied to the all devices group on upgrade.

Policy Settings
The policy UI now contains badges showing you how many settings are active for a given policy tab making it easier
to drill into specific tabs to identify and change settings as required.

HP Policy Sync
If you have enabled HP Cloud Services in your controller settings in order to benefit from automatic threat triaging
and BRF updates to the introspection engine, then you will now also benefit from automatic policy sync.
The Sure Controller comes with some built in policies to help customers get configured easily and quickly with
features and security recommendations. These used to be updated every product release to make sure they kept
pace with the ever-changing security landscape. With Sure Controller 4.2, we have introduced a way to keep these
built-in policies up to date without requiring a customer to upgrade the controller. These policies will automatically
be kept up to date with the HP Cloud Service, thus providing the latest security recommendations and configurations
direct to a customer’s Sure Controller.
The status of the cloud sync can be seen on the policy page:

Automatically Trust Office/Microsoft 365 or Google GSuite Documents
In addition to the new policy sync feature described above, HP have provided two additional built-in policies with Sure
Controller 4.2:
Trust Microsoft Office 365
Trust Google G Suite
These policies, when selected, will allow customers to automatically trust downloads and documents from Office or
GSuite deployments, thus removing some user friction. Both Microsoft and Google regularly change, add to, or
update the URLs used in these products, so keeping up to date can be challenging. These policies will be kept up to
date for you, using the cloud sync feature. When either company changes the URLs for their products, your policy
will automatically be kept in sync with the latest edits. These policies should be applied with care; please contact
your support or professional services contact if you wish to use them.

Limitations
General
    •   Sharing an Excel 2019 file using ‘Send as PDF’ sends the email with a text file attachment instead of a PDF
    •   Applications opened in isolation (that is, in a micro-VM) are not available to assistive technology such as
        JAWS and ZoomText Magnifier/Reader
    •   Do not install Sure Click Enterprise software from a removable drive, such as a USB drive. Removable drives
        are not trusted by default and, when the initialization stage occurs, the installer will fail because it can no
        longer read the data on the removable drive
    •   On some systems, the isolation Desktop Console and Live View user interfaces can take over 30 seconds to
        open. If you experience slow display times on a system running Windows Presentation Foundation, open
        the Services management window and disable Windows Presentation Foundation Font Cache 3.0.0.0. You
        can also purge the font cache as described in http://support.microsoft.com/kb/937135
    •   If you are using RDP to access a physical system, you may not be able to interact with the Sure Click
        Enterprise Desktop Console, Download Manager or Live View because they are "transparent." To resolve this
        issue, install .NET 4.0 on the endpoint
    •   Some online meeting websites such as WebEx, Adobe Connect Pro and Live Meeting may not work when
        opened in isolation. This is because these websites attempt to run executable content on the desktop that
        is blocked by isolation. To allow these websites to work, mark them as trusted
    •   Saving to and opening from the cloud is not supported for Office 2013/ 2016 / O365
    •   If isolation is not already initialized on the system, users that have roaming profiles will see initialization
        occur the first time they log in to the system
    •   To install Symantec Endpoint Protection after Sure Click Enterprise, restart the machine first
    •   Temporary trust operation will not trust sites that use “guce-advertising.com” redirect capabilities. The
        redirects used by this advertising network break lots of web and software workflows. HP is working to
        resolve this, but it is a workflow introduced by Verizon Media on most of their web properties:
        https://www.verizonmedia.com/policies/ie/en/verizonmedia/privacy/topics/adserving/index.html
    •   Older versions of Microsoft Office/365 which support Japanese might sometimes show an Office licensing
        error. This has been seen with older versions (i.e. 16.0.12527.20880) but has not been seen on newer
        versions (i.e. 16.0.13127.21336).
        The first recommendation is to make sure Office/365 is completely up to date. If the warning remains,
        customers are requested to raise a ticket with HP Support, who are aware of the issue and can offer a
        workaround for some situations

Web Browsing with Internet Explorer
   •   On Windows 10, Internet Explorer is not automatically set to the default browser, even when
       Browser.CheckDefaultBrowser is set to 1. To avoid this issue, configure your file
       associations using group policy. Refer to https://technet.microsoft.com/en-us/library/mt269907.aspx and
       https://technet.microsoft.com/en-us/library/hh825038.aspx?f=255&MSPPError=-2147217396 for more
       information about configuring group policy for default browsers
   •   Isolated websites are not permitted to run ActiveX controls. If a website does not work due to an ActiveX
       error and the site is known to be trustworthy, it can be added to the trusted websites list so that it will be
       run on the local system without isolation
   •   Site pinning is not supported
   •   Some Internet Explorer settings cannot be modified. If a setting is unavailable, a message is displayed to
       the user
   •   Isolated websites that use a custom file download or upload manager may not work. If the
       download/upload manager on a website fails and the site is known to be trustworthy, it can be added to the
       trusted websites list so that it will be run on the local system without isolation. Refer to the HP Sure Click
       Enterprise Installation and Deployment Guide for details
   •   Isolation does not support TabProcGrowth settings in Internet Explorer
   •   Browsing with isolation does not work if Internet Explorer security settings are set to High or if file
       downloads are disabled
   •   Browser.IEAltDownloadAddresses was deprecated in version 4.1.7. If this is set to a list of domains, this is
       unsupported and should be removed so the product can use its defaults.
   •   SBX doesn't see navigations to sites which are configured to open in IE mode in Edge Chromium and so
       won't block any navigations to these sites and may not block navigations from these sites. Also the right
       click "Open in Secure Browser" option doesn't work. This is a limitation of extension support in Edge for IE
       mode tabs and not an SCE limitation.

Web Browsing with Chrome
   •   Skype extension is not supported

Web Browsing with Firefox
   •   If Firefox is already installed on endpoints and has not been launched prior to installing Sure Click
       Enterprise, you must do the following to ensure browser sessions are isolated in a micro-VM:
           o    Launch Firefox to create a new profile for the user. If you have multiple users or if you create new
                users, you must launch Firefox for each new or additional user
           o    Close Firefox and restart Sure Click Enterprise
           o    You can now launch Firefox in an isolated micro-VM
   •   These steps also need to be performed if you create more than one Firefox profile per user

Documents
   •   Isolation prevents users from opening any isolated files that cannot be opened by one of the supported
       applications. If a downloaded file is not currently supported but is known to be trustworthy, right-click the
       file and select the “Remove Protection” file menu option

 Note: This operation may require administrative access.

   •   Sure Click Enterprise isolates documents from accessing corporate resources or files stored on the desktop
       or intranet. As a result, if a document open in isolation attempts to connect to a database on the intranet or
       a linked file on the desktop, it will fail and produce an error. To enable this functionality, you must remove
       Sure Click Enterprise protection from the document
   •   ASX video files and Windows Update Standalone Installer (MSU) files cannot be opened in micro-VMs
   •   Isolation does not support multiple, simultaneous Microsoft Office installations of the same version
   •   Users may receive an error when opening an isolated file with paths containing more than 214 characters

Controller
   •   The controller continues to display last known device health status even when the device has not been
       recently reconnected.

Issues Fixed in 4.2.8
Issue ID        Description

68100           Capped the macros dialog in PowerPoint when isolated in a uVM

65865           Resolved an issue where Office would appear to be unlicensed when using a CTR
                sku

66686           Resolved a bug where adding a signature image in Adobe Fill and Sign was not
                working in the German language

65610           Resolved a bug where untrusted image files were not able to be injected into a
                Word document

67390           Resolved an issue where shared Office licensing wasn’t being used properly in
                the uVM

65948           Fixed an issue where an untrusted file was not escaped when drag-and-dropped
                into an application

61617           Fixed an issue that stopped both trusted and untrusted documents being
                attached to the same email

67841           Fixed an issue where Word might pop up the repair document dialog in error.

67482           Resolved an issue where PowerShell was unable to copy a file due to a change in
                the OS API

62672           Fixed a unique issue where Windows could go into recovery mode after
                upgrading from 4.1.8 of Bromium Secure Platform to 4.2.1 of Sure Click
                Enterprise

66929           Resolved a rare issue seen in 4.2.6 where Windows could hang due to a failed
                initialisation of a driver

Issues Fixed in 4.2.7
Issue ID        Description

67034           Resolved an issue with a previous Windows 10 21H1 AppPack that could result
                in a uVM guest language being Arabic.

65948           Fixed a regression where untrusted files are not escaped when drag-and-
                dropped onto an application

65673           Resolved an issue where Adobe signing an untrusted PDF was unable to find the
                certificate if the ‘Key Usage’ field was blank, and the ‘Enhanced Key Usage’ field
                was set to ‘Code Signing’.

63202           Improved CPU corralling to make the platform more resilient when running on
                specific configurations with Rapid Storage Technology configured.

Issues Fixed in 4.2.6
Issue ID          Description

60801 / 61137     Fixed an issue where creating a standby-VM could be delayed by copying files
                  required to allow PDF signing.

61228             Performance improvement to reduce the time taken when waiting for a newly
                  created VM template to settle down.

65053 / 65322 /   Resolved an internal issue which could stop a user from removing protection on
61658             a specific file when it responded with an incorrect ID

64695 / 65246     Resolved an issue which could cause an XCOPY operation to fail in certain
                  circumstances

65028             Fixed a bug where a report that Sure Click had not been added to Windows
                  Defender exclusion list could be sent in error

65033 / 63743     Various fixes and improvements to Microsoft Office/365 initialisation and
                  licensing warnings

65654             Resolved an incompatibility with a Microsoft KB released out of band from
                  normal release cycles

Issues Fixed in 4.2.5
Issue ID        Description

63052           Resolved an issue which could lead to Chromium default search engine changing
                to Bing from Google.

61924           Fixed an initialisation issue seen on some specific models of workstation

61915           Fixed an issue which could lead to some Office applications appearing to be
                unlicensed and not initialised into the template

64954           Resolved an initialisation issue where a recent Microsoft update to Redstone 1
                (14393) LTSC release wouldn’t initialise.

65189           Resolved a problem where builds were unable to be pushed out from the
                Controller using the “Remote Install” command due to an expired certificate.

Issues Fixed in 4.2.4
Issue ID        Description

37326           Improvements to the responsiveness inside a uVM by increasing available
                memory to the uVM by default

42202           Fixed an issue where printing an untrusted document might come out at the
                incorrect size

45033           Secure Browsing Extension (SBX) now supports IP ranges when “trust intranet” is
                selected

46543           HP SCE WMI provider sometimes didn’t register properly on a silent install.

58513           Fixed an issue where email attachments could become untrusted depending on
                workflow

61868           Significant performance improvements for isolated applications using uVM. This
                does increase initialisation time on some platforms.

62083           Added “Remove Protection” when sharing an untrusted document in Office
                sharing feature

62673           Resolved an issue where a GPO could conflict with SBX when
                “ExtensionInstallForceList” regkey was used

66317           Resolved an issue where IE was put into the template but didn’t have
                connectivity to an external proxy

66318           Fixed an issue where the Java registry was unable to be exported after an upgrade

63426           Resolved a situation where some email attachments saved to network shares
                were not always trusted

64252           Resolved an issue with initialisation and IE11 where Flash had been included but
                was EOL.

Issues Fixed in 4.2.2
Issue ID        Description

9376            Supported office applications can fail to resize if cursor is not outside window

17820           Added ability to delete unused AD connections on the controller

42285           Resolved issue with DVD burning from restricted paths

54262           Default controller view updated to 100 lines

59274           Removed excessive event logs due to Windows defender and untrusted
                documents in recycling bin

60766           Resolved application launch issues with thousands of items in the recycling bin

61176           Resolved an issue where an untrusted doc was unable to be closed in certain situations

61217           Resolved problem where controller health stats were not being updated

61241           Fixed issue where document comparisons on DFS shares wouldn’t work

61416           Resolved an issue when a customer sets ExtensionInstallForcelist registry key

61619           Fixed a PDF opening issue with certain user privileges on a DFS share

61925           Resolved an issue where office exports can fail due to Registry API

62817           Removed old Bromium branding on controller management actions when only
                Sure Click Enterprise is used.

62966           Resolved an issue while opening a PPTX file in specific resource constrained
                environments

Issues Fixed in 4.2.1
 Issue ID          Description

 36926             SCE didn’t allow presenter view in .PPTX files

 53104             Sure controller would show 403 errors when deleting large numbers of events

 55752             SCE could break office automation in some testing tools

 56844             SCE could crash when a specific document contains mixed languages

 56992             Right click context menu could show incorrect information

 57210             Untrusted PDF files could be handed over to host Adobe application

 57317             Modification of conditional formatting rule in untrusted documents

 57423             Default spell check language could change in PowerPoint

 57514             Untrusting an office document could take longer than required

 57851             SCE could crash when printing with comments enabled on an untrusted document

 58187             High severity events could arrive with no indicators in specific situations

 58302             SCE timeout when additional forensics were enabled

 58810             Specific office update could lead to office updates crashing

 58882             User initialization blocked and failed on a specific configuration / machine

 58937             Corrupted VDI guest WMI settings could cause initialization failures

 59015             Webex downloads were untrusted in Chrome

 59212             File not escaped due to policy precedence

 59275             Webpage slow to start up in some circumstances on customer network

 59787             SBX could affect SSO with URL writing

 60283             BRF sync could be disabled for on-prem Sure Controller customers

 60403             Browser links could be modified by SBX

Release notes are available from https://enterprisesecurity.hp.com/s/documentation/

HP Sure Click Enterprise End of Life (EOL) Dates
Versions are classified as follows:
    •    Major Version [DOT] Minor Version [DOT] Update version. (e.g. 4.2.8)
Product Support Policy
    •    The latest update of the current Major Version of the Product is Supported.
 Product Name                                       Release Date     EOS Date         EOL Date         Status

 HP Sure Click Enterprise 4.2.8                     17 Nov 2021                                        GA / Current
 HP Sure Click Enterprise 4.2.7                     21 Jul 2021      17 Apr 2022      17 Sep 2022      EOS
 HP Sure Click Enterprise 4.2.6                     28 Apr 2021      21 Jul 2021      21 Jan 2022      EOS
 HP Sure Click Enterprise 4.2.5                     04 Mar 2021      28 Apr 2021      04 Oct 2021      EOL
 HP Sure Click Enterprise 4.2.4                     21 Jan 2021      04 Mar 2021      04 Sep 2021      EOL
 HP Sure Click Enterprise 4.2.3                     20 Dec 2021      21 Jan 2021      21 Jul 2021      EOL
 HP Sure Click Enterprise 4.2.2                     12 Nov 2020      21 Jan 2021      21 Jul 2021      EOL
 HP Sure Click Enterprise 4.2.1                     28 Aug 2020      05 Nov 2020      05 May 2021      EOL
 Bromium Secure Platform v4.1 Update 8 Patch 5      02 Jun 2020      08 Nov 2020      31 Mar 2021      EOL
 Bromium Secure Platform v4.1 Update 7 and earlier  Bromium Secure Platform 4.1 Update 7 and earlier versions are all End of Life
 All vSentry releases 4.0 and earlier               Bromium vSentry 4.0 and earlier versions are all End of Life

Full Product Support and End of Life Policy (EOL):
https://enterprisesecurity.hp.com/s/article/Product-Support-and-End-of-Life-Policy-EOL

Deprecated Features and Platforms
We are deprecating older platforms and features from the latest versions of the Bromium Secure Platform and HP
Sure Click Enterprise. Customers should read the KB article that explains the platforms and features being
deprecated and the timeframes/versions in scope.
Specific examples of removed platforms are Microsoft Windows 7 and all x86 platforms.
The latest information regarding deprecated features and platforms:
https://enterprisesecurity.hp.com/s/article/Deprecated-Features

Getting Help
If you have questions that are not covered in the documentation, please contact HP Support:
    •   Visit https://enterprisesecurity.hp.com. If you need an account, please contact your Account Executive or
        Customer Support.
    •   Email questions to support@bromium.com
    •   Call HP / Bromium Customer Support at 1-800-518-0845
    •   Call your technical account representative directly
