What is Windows Protected Print Mode?
Windows Protected Print Mode (WPP) is a security-enhanced printing platform for Windows that runs with lower privileges and uses Internet Printing Protocol (IPP) to eliminate the need for third-party drivers. Together, these remove significant security risks that can lead to attackers gaining SYSTEM-level access.
Whether you’re an IT manager, security professional, or business owner, understanding the impact and benefits of WPP is essential as it changes the landscape of print infrastructure. This page provides a comprehensive overview of WPP, its timeline, and how your organization can prepare for and benefit from this powerful security feature.
Why Microsoft is introducing Windows Protected Print Mode
According to Microsoft , 9% of Windows security issues reported to the Microsoft Security Response Center (MSRC) were caused by print stack-related issues. The fact that the spooler runs with system privileges and has to load code over the network makes the entire operating system vulnerable to malware.
Print Nightmare allowed hackers to exploit this vulnerability to install programs remotely, view and delete data or even create new user accounts with full user rights. Another spooler-related weakness was exploited by the Stuxnet virus, which was used as a digital weapon to gain remote access to the computers that controlled centrifuges at an Iranian uranium enrichment plant. This allowed the attackers to configure the fast-spinning centrifuges to tear themselves apart.
Print Nightmare patches are a temporary workaround that now requires admin rights to install printers. The admin rights requirement only protects a shared computer, where one user might have installed a printer driver with malware that would compromise others on the computer too. This change doesn’t fix the spooler privilege issue that is exploitable by a driver with malware, and it introduces user experience issues by forcing admin privileges just to install printers.
The proper solution is Windows Protected Print Mode, as it removes the fundamental flaw of drivers and moves the world of printers forward to finally settle on the IPP standard. At PaperCut, we support Microsoft’s decision, even though it will cause some adoption friction.
As an aside, Windows isn’t the only operating system plagued by a vulnerable print platform. CUPS, used in Linux, macOS, and ChromeOS, also has a long history of security issues. In September 2024, new reports showed how it is possible to remotely execute code on a Linux computer without requiring authentication. Some Linux distributions, like Ubuntu, are planning to limit access to the rest of the operating system by moving CUPS into a containerised Snap App.
How Windows Protected Print Mode works
WPP uses modern standards and secure communication methods to ensure a robust and consistent printing experience. Here are some of the key details.
- Printer and job delivery is based on Internet Printing Protocol (IPP)
- WPP uses IPP as the core transport protocol - a well-established, open standard that provides a framework for printer discovery, job submission, and status tracking.
- IPP allows WPP to support advanced features such as finishing options, job status updates, and access control, enabling a richer printing experience.
- The port monitor used when adding a WPP print queue is Microsoft’s new IPP port, which provides a richer set of IPP functions.
- No more third-party printer drivers and modules
- WPP forces a driverless printing model. When it’s enabled, client computers can no longer load third-party printer drivers, eliminating the risk of attackers loading malicious code.
- In addition to the printer drivers, the loading of other, less well-known modules, such as third-party print providers , is blocked.
- WPP prevents Point and Print from ever installing third-party printer drivers. This eliminates the risk of an attacker pretending to be a printer and tricking users into installing malicious software.
- Common print spooler tasks are now run at lower privilege level
- Since the drivers are no longer required to run as SYSTEM, most common spooler tasks can now run as USER.
- This reduces the risk of a rogue or a buggy program taking down the whole machine. The impact will be limited to actions only the user can perform.
The challenges of transitioning to Windows Protected Print Mode
When you switch on Windows Protected Print Mode, the existing print queues and drivers on the computer will be permanently deleted. You won’t get them back if you decide to switch WPP off. It is an all-or-nothing setting.
You can’t use a driver for some printers while using Windows Protected Print Mode for others. If WPP is enabled, print drivers are nonexistent.
Not all printers are equal. Based on a sample of thousands of printer models we assessed, roughly 70% of printers will work seamlessly over IPP. For the rest, they will either function with reduced speed, lower quality or not at all.
Existing scripts that system admins may have in use, such as printui scripts to manage printers, won’t work anymore.
How enabling WPP will affect organizations and their print infrastructure
Will my printer work with Windows Protected Print Mode?
Mopria has an online list of certified printers you can use to check your printer models.
Although a printer could be listed as Mopria-certified, it doesn’t necessarily mean it will work with WPP or that you will get the most out of your printer once you switch over to using IPP in WPP mode.
At the time of writing, Windows Protected Print Mode deems some IPP attributes mandatory, even though they are technically specified as optional according to Mopria standards, such as the hardware ID. Additionally, WPP requires some IPP values to be in a specific format that some printers do not follow.
Some printers that support IPP don’t necessarily support PDF-based spool files; instead, they only support formats like URF/raster or JPEG. This still follows the specification, but these spool files will be much larger and often print in lower quality. In addition to being larger, these formats require the entire print job to be submitted to the printer before the printer can start printing them, which results in slower printing or even failure to print larger documents as the printer can’t store the entire print job.
For now, the best way to confirm that your printer is ready for WPP is to enable WPP on a test Windows machine and print from it. If your printer can’t be found when WPP is enabled, you know it’s incompatible.
Check different finishing options, especially more advanced options like stapling and tray selection if the printer supports it.
Options for printers that are non-compliant with Windows Protected Print Mode
For customers with WPP-enabled computers, PaperCut MF and NG currently support printing via Mobility Print queues that are deployed by Print Deploy. This enables printing to all printers, even those that are non-IPP-compatible.
We’re making changes in 2025 to PaperCut Hive/Pocket to support printers that are WPP ready and also printers that are not WPP ready. PaperCut Hive/Pocket Early Access registrations open in November.
Alternatively, if your printers are not ready, your printer manufacturer may soon provide a firmware update if your printers are not too old, so keep an eye out.
How to switch on Windows Protected Print Mode
Enable WPP mode via Settings
- Click ‘Set Up’. Windows will display a warning message.
- Additionally, if WPP-incompatible print queues (such as standard TCP/IP queues) were already installed, Windows would warn that they would be removed.
- After successful completion, WPP should be turned on.
Enable WPP mode via Group Policy
Via Group Policy Editor > Administrative Templates > Printers > Configure Windows protected print > Edit
Timeline and updates
Note that these dates are subject to change:
01 OCTOBER 2024
When you enable Windows Protected Print Mode for the first time after the 24H2 upgrade, the existing incompatible (such as TCP/IP) queues may not get deleted. Also, you may still be able to create TCP/IP print queues. A system reboot may fix the issues. This is a known issue, and Microsoft is working on fixing it.
04 OCTOBER 2024
Microsoft is pushing the patch KB5043178 to fix Windows protected print anomalies soon. The estimated rollout date is 8th October.
26 NOVEMBER 2024
PaperCut MF/NG 24.1 released (includes introductory support in Print Deploy for Windows Protected Print Mode - see release notes).
For customers with WPP-enabled computers, PaperCut NG/MF currently supports printing via Mobility Print queues that are deployed by Print Deploy, enabling printing to all printers, even those that non-IPP-compatible.
PaperCut’s beta support release includes simple finishing options:
- paper size selection
- copy count
- duplex (two-sided/single-sided) printing
- color or grayscale printing
19 DECEMBER 2024
Disabling WPP after toggling it multiple times may cause the Internet Port to be permanently disabled. This is a known issue and Microsoft have been made aware. This impacts printing through Print Deploy and the Mobility Print Client, causing silent failures when installing print on computers that have been used to test WPP.
JANUARY 2025
First PaperCut Hive/Pocket Windows Protected Print Mode release planned.
DATE TBC
Windows Protected Print Mode will eventually be enabled by default.