Windows Protected Print mode is a new path to secure printing: it creates protected environments, eliminates the need for third-party drivers, and keeps attackers at bay.
Only 16% of IT decision makers are confident in their print infrastructure’s security. Something needs to change. Microsoft is taking a driverless, IPP-driven approach to mitigate vulnerabilities and drive up users’ confidence in printing.
Windows Protected Print (WPP) is a mode for the Windows print stack that introduces new security protections and blocks third-party drivers to address and phase down security vulnerabilities, such as those exploited in PrintNightmare and Stuxnet.
This post will dig deeper into WPP, explore how it future-proofs security, and give you the answers you need to understand the implications and benefits of enabling this feature.
What is Windows Protected Print Mode?
Microsoft has introduced the Windows Protected Print Mode (WPP) to secure printing for users who enable it—and to modernize the Windows Print System.
Starting with Windows 11, this is a mode that enables new security protections for its users. It uses the existing Internet Printing Protocol (IPP) as the core transport protocol to remove the need for third-party drivers and modules. This IPP stack only supports Mopria-certified printers. Users print using driverless printing via the Windows modern print stack.
Once you enable Windows protected printing, the system will automatically uninstall any printers that use third-party drivers and prevent you from installing new ones. The mode runs printing tasks with lower privileges (user privileges replacing SYSTEM privileges), removing security vulnerabilities associated with drivers and spoolers.
Why it matters:
- 9% of Windows security issues reported to the Microsoft Security Response Center were caused by print stack-related issues
- 67% of companies have experienced data loss because of unsecure printing
- 61% of CIOs and 44% of CISOs say print security demands are increasing
Windows Protected Print Mode Modernizes Secure Printing
The protected printing mode helps organizations future-proof their print environment and practices. It offers a modern and secure print system with enhanced compatibility.
🔎 Zoom in:
One main motivation behind WPP is enhancing print security mechanisms and introducing a secure-by-default environment as the new standard.
To make print security as frictionless as possible, Microsoft introduced the IPP-driven print stack that eliminates third-party drivers.
By removing the need for third-party drivers, Microsoft simplifies its security model and no longer has to co-drive security promises (between the Windows stack and third parties). This helps in several ways:
- Addresses driver attacks like PrintNightmare (Windows spooler vulnerability)
- Allows compatibility with modern mitigations, like Control Flow Guard (CFG), Arbitrary Code Guard (ACG), and Control Flow Enforcement Technology
- Removes dependence on third-party providers
- Supports the 49% of IT admins who cite admin work (like managing drivers) as a burden
The WPP mode doesn’t just address existing security challenges. It also comes with various security improvements, such as:
- Module blocking
- Per-user XPS rendering
- Lower privileges for common Spooler tasks
- Redirection guard and other binary mitigations
Our SAFEQ printing solutions support Windows Protected Print. Following Microsoft’s announcement in October 2024, we’ve worked to implement updates that ensure full compatibility with this security standard.
Y Soft is a longstanding, active member of the Mopria Alliance. We’ve long been committed to enabling secure, driverless printing for organizations across the globe. This makes the WPP integration a natural extension as we continue to provide secure and versatile print management solutions on-premises and in the cloud.
Achieve Balance Between Secure Printing and Automation
What does WPP look like for SAFEQ users? Let’s start with SAFEQ Cloud.
With SAFEQ Cloud, when customers turn on Windows protected printing, not much will look different. The PC Client still automatically creates the print queues available to end users, providing the same configuration-less experience they are used to. But, instead of using the SAFEQ Cloud driver when they print, they’ll use the built-in Microsoft IPP Class driver.
Users have a slightly different interface when using this driver and, while most finishing options will be available, there may be some limitations on advanced printing options.
Like all things SAFEQ Cloud, our aim is to provide simplicity with any update. This ensures seamless and convenient experiences for users and IT managers.
📖 Dig deeper: SAFEQ Cloud No Print Management
With this integration, we’re simplifying print queue administration by automating the creation and management of print queues. At the same time, users can enjoy a more reliable and efficient printing process without compromising on security.
The benefits:
- Enhanced security: Ensures sensitive data remains secure from the moment a print job is initiated until it is safely in the hands of the authorized user.
- Driverless printing: Allows client PCs to print without traditional printer drivers.
- Improved user experience: A complete, seamless, and secure printing experience.
SAFEQ 6 is already WPP-compatible when using an IPP/S-based print queue in conjunction with the Mobile Gateway (MiG). This setup allows SAFEQ 6 to use WPP’s security framework, identifying users through locally authorized usernames and securing print jobs from submission to delivery.
How to Transition to Windows Protected Printing (WPP)
To enable Windows Protected Print mode, you’ll need to switch it on in your settings. Keep in mind that it's an all-or-nothing type setting, which means activating it permanently deletes existing print queues and drivers on the PC.
Once you go WPP, you never go back 👉🏼 Old queues or drivers will not come back if you switch off the mode. Instead, they’ll need to be reinstalled.
Be aware that not all printers are equally compatible with WPP. Some may print more slowly or at lower quality once it's enabled. Some printers won't be compatible with the mode at all.
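Because the switch removes existing queues and drivers, it helps to record them first. The PowerShell below is an added example, not part of the original post or of Microsoft's tooling; it uses the standard Get-Printer and Get-PrinterDriver cmdlets, and the output folder and the rule that flags every queue not on the Microsoft IPP Class Driver are assumptions.

```powershell
# Added example: snapshot local print queues and drivers before enabling
# Windows Protected Print, so removed queues can be rebuilt later.
# Assumption: only queues on the inbox "Microsoft IPP Class Driver" are treated
# as already driverless; everything else is flagged for review.
$DriverlessDrivers = @('Microsoft IPP Class Driver')
$OutDir = Join-Path $env:USERPROFILE 'wpp-inventory'   # hypothetical output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Index installed drivers by name (a name can exist for several architectures).
$driverIndex = @{}
foreach ($d in Get-PrinterDriver) {
    if (-not $driverIndex.ContainsKey($d.Name)) { $driverIndex[$d.Name] = $d }
}

$report = foreach ($p in Get-Printer) {
    $drv = if ($p.DriverName) { $driverIndex[$p.DriverName] }
    [pscustomobject]@{
        Queue        = $p.Name
        Driver       = $p.DriverName
        Manufacturer = if ($drv) { $drv.Manufacturer } else { 'unknown' }
        Port         = $p.PortName
        Type         = $p.Type        # Local or Connection
        Shared       = $p.Shared
        NeedsReview  = $DriverlessDrivers -notcontains $p.DriverName
    }
}

# Keep a full record for reinstalling queues after the switch.
$csv = Join-Path $OutDir ("queues-{0}.csv" -f $env:COMPUTERNAME)
$report | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# Show what to check against the Mopria certified list before enabling the mode.
$flagged = @($report | Where-Object NeedsReview)
"{0} of {1} queues do not use an IPP class driver" -f $flagged.Count, @($report).Count
$flagged | Sort-Object Manufacturer, Queue |
    Format-Table Queue, Driver, Manufacturer, Port -AutoSize
```

Built-in Microsoft queues will also appear as flagged under this rule; the Manufacturer column is there to separate those from vendor drivers during review.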
FAQs on Windows Protected Print
Q1) How do I Enable Windows Protected Print Mode?
Customers who want to enable WPP mode do so via Settings or Group Policy.
- Navigate to Settings > Bluetooth & devices > Printers & scanners > Printer preferences and click ‘Set Up’.
- Alternatively, use Group Policy Editor > Administrative Templates > Printers > Configure Windows protected print.
Q2) Will My Printer Work with Windows Protected Print Mode?
The Windows Protected Print (WPP) mode is designed to work exclusively with Mopria-certified printers. The Mopria Alliance has an online list of certified printers you can use to check your printer models. Please note that not all Mopria-certified printers will work with WPP out of the box, and some may require specific IPP attributes.
Final Points
With the launch of WPP, Microsoft has introduced the greatest change to the Windows print stack in 20+ years. The Windows Protected Print capability enhances print security mechanisms and defines a secure-by-default environment as the new standard.
Enabling the mode is one of many ways IT and print administrators can step up their security protections and reduce vulnerabilities in their print stack.