About HP WxP
Through the HP Workforce Experience (WxP) platform, organizations can rapidly deploy SurePath AI configurations to their entire fleet for immediate visibility and governance of human, app, and agent usage of AI.
This document covers the steps to distribute the proxy configuration and root CA certificate via HP WxP, through the SurePath AI provided PowerShell script.
Supported platforms
Windows 10 version 1709 and later
Windows 11 (Home, S, Pro, Education, Enterprise, and IoT Enterprise editions)
Background
The SurePath AI PAC file
SurePath AI distributes its proxy information via a Proxy Auto-Config (PAC) file. This PAC file contains all the information needed to direct only generative AI traffic to the SurePath AI proxy service while sending other traffic via their normal route.
The use of a PAC file also allows SurePath AI to update the list of generative AI domains. Most operating systems and browsers will request the PAC file every 1-2 hours and if a new file can't be retrieved the current one will continue to be used.
The SurePath AI root CA certificate
Just like other network security and SASE vendors, certificate trust allows SurePath AI to intercept and apply policy to connections to generative AI websites. The SurePath AI root CA certificate needs to be trusted by all devices that need to be governed by SurePath AI.
Configuring WxP
WxP Remediation scripts will be configured to execute the SurePath AI provided PowerShell deployment script. The script may be configured prior to upload to WxP to meet your organizational needs, as defined below.
Prerequisites
The following items are needed before deploying SurePath AI through WxP:
Create a Proxy connector and acquire the PAC URL
Click Connectors in the CONFIGURE section
Click ADD CONNECTOR in the upper right
Provide a descriptive name for the connector (for example, "WxP Deployment")
Select Proxy as the connector type
Click SAVE to generate the unique PAC file URL and MDM deployment files
Download the PowerShell deployment script
The PowerShell deployment script provides a flexible and automated way to configure proxy settings on Windows devices. To download the script:
From the Proxy connector details page, locate the MDM Files section
Click the DOWNLOAD button to download the MDM deployment files
Extract the ZIP file to access SurePath.AI.deploy.ps1 for Windows deployment
Overview of PowerShell script deployment via WxP
The PowerShell deployment script provides the most flexible and streamlined approach for deploying SurePath AI proxy configurations to Windows devices through HP WxP. This method is recommended for most deployments because it simplifies configuration management, supports both single-user and shared device scenarios, enables email-based user identification for improved reporting, and allows for easier updates to proxy settings compared to managing multiple individual Group Policy settings.
Benefits and flexibility
The PowerShell script offers several advantages over manual Group Policy configuration:
Simplified deployment: A single script manages all proxy settings, certificate installation, and security policies rather than creating multiple separate Group Policy settings
User identification: The script can detect and include user email addresses in the PAC URL, which enables SurePath AI to associate native application traffic with specific users rather than just the connector, improving visibility in User Activity logs and enabling user-specific policy application
Flexible configuration: The script supports multiple deployment scenarios through configurable parameters, including single-user devices, shared computers with multiple users, and optional features like email detection
Easier maintenance: Updating proxy configurations requires only modifying the script parameters rather than recreating multiple WxP remediation scripts
Built-in intelligence: The script includes automatic detection of deployment context, intelligent removal capabilities, and fallback mechanisms for maximum reliability
Understanding WxP 'Run as' execution context
When deploying PowerShell scripts through WxP, admins need to understand how the 'Run as' execution context for remediation scripts works:
System scripts execute under the system context. These scripts run with Local System privileges and can modify machine-wide settings in HKLM registry, install certificates to the Local Machine store, and make system-level changes. Use Computer Configuration startup scripts for single-user device deployments and for machine setup in shared device scenarios.
Logged on User scripts run under that user's credentials. These scripts can modify user-specific settings in the HKCU registry but have limited privileges. Use User Configuration logon scripts for deploying user-specific configurations in shared device scenarios.
Important: 64-bit PowerShell requirement
The SurePath AI deployment script must run in 64-bit PowerShell on 64-bit Windows systems. When adding scripts to Group Policy, always use the full path to 64-bit PowerShell: %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe. This ensures proper script execution and compatibility with modern Windows environments. Only use the 32-bit path (%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) if deploying to 32-bit Windows systems, which are rare in enterprise environments.
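The two requirements above (the right 'Run as' context and a 64-bit host) are the ones a remediation script most often gets wrong silently. The following preflight is an added example, not part of the SurePath AI script: it reports which account and bitness the script landed in, relaunches through the Sysnative alias when a 32-bit host started it on 64-bit Windows, and warns when the context cannot write HKLM or the LocalMachine certificate store. It assumes the script is saved to disk so that $PSCommandPath is populated.

```powershell
# Added example (not the SurePath AI script): detect the WxP execution context
# and make sure the script body runs in 64-bit PowerShell.

function Get-ExecutionContextInfo {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    [pscustomobject]@{
        Account      = $identity.Name            # e.g. NT AUTHORITY\SYSTEM or DOMAIN\user
        IsSystem     = $identity.IsSystem        # True under the WxP 'System' Run as context
        Is64BitOS    = [Environment]::Is64BitOperatingSystem
        Is64BitHost  = [Environment]::Is64BitProcess
        # HKLM and the LocalMachine cert store need SYSTEM or a local administrator
        CanWriteHKLM = $identity.IsSystem -or
                       $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Invoke-Ensure64BitHost {
    param([string]$ScriptPath = $PSCommandPath, [string[]]$ScriptArgs = @())
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        # Sysnative is the alias through which a 32-bit process reaches the real System32,
        # so this resolves to the 64-bit powershell.exe named in the text above.
        $ps64 = Join-Path $env:SystemRoot 'Sysnative\WindowsPowerShell\v1.0\powershell.exe'
        Write-Warning "32-bit host detected on 64-bit Windows; relaunching via $ps64"
        & $ps64 -NoProfile -ExecutionPolicy Bypass -File $ScriptPath @ScriptArgs
        exit $LASTEXITCODE
    }
}

Invoke-Ensure64BitHost
$ctx = Get-ExecutionContextInfo
$ctx | Format-List

# Fail fast when the context does not match what the deployment step needs.
if (-not $ctx.CanWriteHKLM) {
    Write-Warning ("Running as {0}: HKLM and the LocalMachine cert store are not writable. " +
                   "Use the 'System' Run as context for machine setup, or -User for HKCU-only settings.") -f $ctx.Account
}
```

Run it once under each 'Run as' setting from the WxP console and compare the Account and CanWriteHKLM values with the deployment step you intend; a System remediation that reports a user account, or a -User remediation that reports SYSTEM, will not place the settings where the rest of this document expects them.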
WxP Deployment - Single-user devices (Recommended)
For devices where only one user regularly signs in, the PowerShell script can be configured to deploy a complete system-wide configuration through a Computer Configuration startup script. This approach is ideal for personal work devices, dedicated workstations, or scenarios where each device is assigned to a specific user. Since there is only one user per device, the script can run with Local System privileges to install the certificate, configure the PAC URL, and apply security policies all at once.
Create the System Remediation Script
In the left menu of WxP, select Remediations > Scripts
Click Add Script
Select the SurePath.AI.deploy.ps1 PowerShell script downloaded previously from your SurePath AI tenant
Select "Action" as the operation
Click Next
Leave "Run as" to the default System setting
Click Next
Name the Script and provide a Description as you desire
Click Add
Create the Script Assignment
Click into the Script you just created
Select Assignments tab at the top
Select Add
Select the group of devices you want to assign the Script to deploy on
Click Next
Name the Assignment and provide a Description as you desire
Click Next
Click Add
Add Schedule to the Script Assignment
Click into the Assignment you just created
Scroll to the bottom, and select Add Schedule
Choose a frequency and recurrence.
Recommended: Select daily, recurring every 1 day
Click Save
View Status of Assignment Execution
Within the Script Assignment, click on the Activity tab at the top. You can view Scheduled Script executions and status here to ensure your deployment is executing as desired.
Validate SurePath AI Configuration
After successful execution through WxP, you can validate the SurePath AI configuration on a device as detailed here.
WxP Deployment - Shared/multi-user devices
For devices where multiple users sign in, such as shared workstations, kiosks, or terminal servers, the deployment requires a two-step approach. The first step installs the root CA certificate and configures security policies at the machine level, while the second step deploys user-specific proxy settings when each user signs in.
Step 1: System script setup
The system script setup configures components that apply to all users on the device:
Installs the SurePath AI root CA certificate to the Local Machine trusted certificate store
Configures policies that prevent users from changing proxy settings
Admins can perform this step by configuring the PowerShell script with the -NoProxy flag deployed via WxP Remediation scripts executed at the System context.
To configure the script for machine setup:
Open the SurePath.AI.deploy.ps1 file in a text editor
Locate the $argumentOverride = "" line
Set the override to configure machine setup without proxy:
$argumentOverride = "-NoProxy"
Save the modified script file
Deploy this version of the script through WxP Remediation Scripts using System as the 'Run as' context.
Step 2: User-level proxy configuration (runs in each user account)
After the system is set up, each user who signs in needs their own proxy configuration. This step deploys the PAC URL with user-specific identifiers (GUID by default, or optionally email addresses) to each user's registry (HKCU) using User Configuration logon scripts, enabling SurePath AI to track activity by individual users rather than just by device.
To configure the script with default GUID-based identification:
Open a new copy of SurePath.AI.deploy.ps1 in a text editor (or use the same file if Option B was not used)
Locate the $argumentOverride = "" line
Set the override to configure user-level proxy:
$argumentOverride = "-User"
Save the modified script file with a different name to distinguish it from the machine setup script (for example, SurePath.AI.deploy.user.ps1)
Deploy this version of the script through WxP Remediation Scripts using Logged on User as the 'Run as' context.
Optional: Email-based identification
Admins can enable email-based identification, which eliminates the need for users to authenticate when accessing AI services. The script will detect each user's email address from multiple identity sources (including Entra ID, Outlook, Office, Intune, Active Directory, and others) and include it in the PAC URL. If email detection fails for a particular user, the script automatically falls back to GUID.
To enable email-based identification, use:
$argumentOverride = "-User -Email"
When configured with the -Email flag, the script attempts to detect the user's email address from multiple sources including Active Directory, Entra ID Registry, and user environment variables. The first successfully detected email address is included in the PAC URL.
Customize the script for specific deployment scenarios
Before deploying the script through Group Policy, admins can optionally configure the argumentOverride variable to specify the deployment parameters.
Default script configuration (System level GUID identifier):
By default, the script includes a unique GUID identifier in the PAC URL for user identification. This approach is recommended because it works reliably in all environments without requiring email address detection, which can vary in availability across different identity configurations. The GUID provides consistent user tracking in SurePath AI's User Activity logs and enables user-specific policy application.
To use the default GUID-based identification, leave the argumentOverride variable empty or do not modify the script:
$argumentOverride = ""
The script will automatically:
Install the SurePath AI root CA certificate to the Local Machine trusted certificate store
Deploy proxy settings system-wide that apply to all users on the device
Generate and include a unique GUID identifier in the PAC URL for user tracking
Optional: Email-based identification
Alternatively, admins can configure the script to detect and use the user's email address for identification. Email-based identification eliminates the need for users to authenticate when accessing GenAI services through SurePath AI, as the platform can automatically identify users based on their email address passed in the PAC URL. However, this approach depends on the availability of email information from identity sources (Active Directory, Entra ID, or user environment variables).
To enable email-based identification:
Open the SurePath.AI.deploy.ps1 file in a text editor
Locate the $argumentOverride = "" line near the top of the script
Set the override to configure email detection:
$argumentOverride = "-Email"
Save the modified script file
With this configuration, the script attempts to detect the user's email address from multiple sources in this order:
Entra - Uses dsregcmd /status to query Azure AD (Entra ID) user information, with fallback to the CloudDomainJoin registry
Outlook - Checks Outlook profile registry locations for configured email addresses
Office - Queries M365/Office identity from the Office registry keys
Intune - Queries Intune MDM enrollment data for user email
ActiveDirectory - Queries on-premises Active Directory for the user's email attribute (only on domain-joined devices)
EntraID - Uses the whoami /upn command (legacy method)
UserEnvironment - Checks the Volatile Environment registry for UPN information
IdentityStore - Checks Windows identity store cache for cached user identities
If email detection fails, the script automatically falls back to using a GUID identifier. Organizations that require email-based identification without fallback can add the -NoGUID flag (e.g., $argumentOverride = "-Email -NoGUID"), though this causes deployment to fail if email cannot be detected.
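The ordered lookup and the -Email / -NoGUID fallback rules described above are easier to reason about in code. The block below is an added example written for this page, not the vendor's SurePath.AI.deploy.ps1: it walks three of the documented sources in the order the list gives them (Entra via dsregcmd /status, on-premises Active Directory, then the legacy whoami /upn) and applies the same fallback behaviour. The Outlook, Office, Intune, UserEnvironment and IdentityStore lookups are left out because their registry layouts are not described here, and the registry key used to persist the GUID is a hypothetical placeholder.

```powershell
# Added example (not the SurePath AI script): email detection in the documented
# order, with GUID fallback unless -NoGUID is set.

$EmailPattern  = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
$GuidStorePath = 'HKCU:\Software\ExampleOrg\SurePathDeploy'   # hypothetical persistence key

function Get-EmailFromDsregcmd {
    # Entra ID joined/registered devices report the signed-in account in dsregcmd output;
    # the first email-shaped token is taken as the UPN.
    $out = & dsregcmd.exe /status 2>$null
    if ($out -and (($out -join "`n") -match $EmailPattern)) { return $Matches[0] }
}

function Get-EmailFromActiveDirectory {
    # Only meaningful on domain-joined devices; ADSI throws when no domain controller answers.
    if ($env:USERDNSDOMAIN) {
        try {
            $r = ([adsisearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))").FindOne()
            if ($r -and $r.Properties['mail'].Count -gt 0) { return [string]$r.Properties['mail'][0] }
        } catch { }
    }
}

function Get-EmailFromWhoami {
    # Legacy method: UPN of the logged-on account (empty for local accounts).
    $upn = (& whoami.exe /upn 2>$null | Out-String).Trim()
    if ($upn -match $EmailPattern) { return $Matches[0] }
}

function Get-PersistentGuid {
    # Reuse a stored GUID so the same user keeps one identifier across script runs.
    $existing = (Get-ItemProperty -Path $GuidStorePath -Name UserGuid -ErrorAction SilentlyContinue).UserGuid
    if ($existing) { return $existing }
    $new = [guid]::NewGuid().ToString()
    New-Item -Path $GuidStorePath -Force | Out-Null
    Set-ItemProperty -Path $GuidStorePath -Name UserGuid -Value $new
    return $new
}

function Get-UserIdentifier {
    param([switch]$Email, [switch]$NoGUID)
    if ($Email) {
        foreach ($source in 'Get-EmailFromDsregcmd', 'Get-EmailFromActiveDirectory', 'Get-EmailFromWhoami') {
            $found = & $source
            if ($found) { return [pscustomobject]@{ Identifier = $found; Source = $source } }
        }
        if ($NoGUID) {
            # -Email -NoGUID: no fallback, so the deployment step fails visibly.
            throw 'Email detection failed and -NoGUID was specified; aborting deployment.'
        }
    }
    [pscustomobject]@{ Identifier = (Get-PersistentGuid); Source = 'GUID fallback' }
}

# Usage: emulate "-Email" (falls back to GUID) and "-Email -NoGUID" (throws when no source answers).
Get-UserIdentifier -Email
try { Get-UserIdentifier -Email -NoGUID } catch { Write-Warning $_ }
```

The Source field is the useful part when troubleshooting a shared device: if User Activity logs show GUIDs for users who should be resolved by email, running this under the same Logged on User context shows which source answered, or that none did.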
Verifying the SurePath AI integration
After completing the deployment, verify that the endpoint is properly integrated using the SurePath AI Ready tool.
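For a device-side check that complements the Ready tool, the following is an added example and not the SurePath AI Ready tool or the vendor's script. It verifies the three artifacts the deployment is meant to leave behind: a PAC URL in the effective Internet Settings hive, the root CA in the LocalMachine Root store, and the policy that stops users changing proxy settings. The PAC URL and the root CA subject text are placeholders to fill from your Proxy connector page; the registry locations are the standard Windows proxy and policy keys and are assumed to be what the script writes, since the page does not list them.

```powershell
# Added example (not the vendor's tooling): validate the SurePath AI configuration on a device.

$ExpectedPacUrl     = 'https://PLACEHOLDER-PAC-URL'   # base PAC URL from the Proxy connector page
$RootCaSubjectMatch = 'SurePath'                      # substring expected in the root CA subject (assumed)

$UserSettings    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$MachineSettings = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ProxyPolicy     = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$LockPolicy      = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Get-ConfiguredPacUrl {
    # ProxySettingsPerUser = 0 makes the machine-wide value authoritative (system-wide deployment);
    # otherwise each user's HKCU value applies (the -User shared-device step).
    $perUser = (Get-ItemProperty $ProxyPolicy -Name ProxySettingsPerUser -ErrorAction SilentlyContinue).ProxySettingsPerUser
    $hive = if ($perUser -eq 0) { $MachineSettings } else { $UserSettings }
    [pscustomobject]@{
        Scope         = $hive
        AutoConfigURL = (Get-ItemProperty $hive -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    }
}

function Test-RootCaInstalled {
    # The System-context step installs the certificate into LocalMachine\Root.
    $certs = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$RootCaSubjectMatch*" })
    foreach ($c in $certs) {
        Write-Host "Root CA found: $($c.Subject) thumbprint $($c.Thumbprint) expires $($c.NotAfter)"
    }
    return ($certs.Count -gt 0)
}

function Test-ProxyLocked {
    # 'Prevent changing proxy settings' policy is Proxy = 1 under the Control Panel policy key.
    (Get-ItemProperty $LockPolicy -Name Proxy -ErrorAction SilentlyContinue).Proxy -eq 1
}

function Test-PacReachable {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        # Every PAC file defines FindProxyForURL; anything else is a wrong or blocked URL.
        return ($resp.StatusCode -eq 200 -and $resp.Content -match 'FindProxyForURL')
    } catch { return $false }
}

$pac = Get-ConfiguredPacUrl
$pacReachable = if ($pac.AutoConfigURL) { Test-PacReachable $pac.AutoConfigURL } else { $false }

$results = [ordered]@{
    'PAC URL present'               = [bool]$pac.AutoConfigURL
    'PAC URL starts with connector' = ($pac.AutoConfigURL -like "$ExpectedPacUrl*")
    'PAC file reachable'            = $pacReachable
    'Root CA trusted (machine)'     = Test-RootCaInstalled
    'Proxy changes locked'          = Test-ProxyLocked
}

"Configured PAC URL ($($pac.Scope)): $($pac.AutoConfigURL)"
$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

The 'starts with' comparison is deliberate: the script appends a GUID or email identifier to the connector's PAC URL, so the value on the device is expected to be longer than the base URL. A FAIL on the certificate check with a PASS on the PAC URL is the typical signature of a shared-device deployment where the -User step ran but the -NoProxy System step did not.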
