The Risk of Windows Protected Print Mode (WPP)

Oct 21, 2024
Posted in: ,

Windows Protected Print Blog (1)

Windows Protected Print Mode (WPP) is the most significant printing reform in 20 years. In short, WPP is a security-enhancing printing update for Windows that requires lower privileges and eliminates the need for third-party drivers. Removing third-party drivers from the equation removes security risks that can and have led to cyber criminals gaining system-level access. 
 
Transitioning to WPP is an all-or-nothing setting within Windows. Once enabled, all existing print queues and drivers are removed, and print queues have to be reconfigured from scratch. There’s no undo (CTRL+Z) to reverse this change!  
 
Before enabling WPP, it is crucial to research its compatibility with your device: numerous devices and finishing options may be rendered inoperable if enabling WPP too early. 
 
We will answer all of the following questions in this article: 

  • What is Windows Protected Print Mode?
  • When is Microsoft launching WPP?
  • What does this mean for me?
  • Does Century recommend that I enable WPP?


All of these questions are answered by Craig Doeden, our Solutions Director, in this brief video explainer: watch it here! 

What is Windows Protected Print Mode? 

Windows Protected Print Mode is a security enhancement done by Microsoft to simplify printing and to remove possible vulnerabilities. Third-party drivers are being phased out by Microsoft, essentially removing the Achilles’ Heel of printing. 
 
Print driver and print stack-related issues account for 9% of all Windows security issues reported to Microsoft Security Response Center (MSRC). This is because the spooler runs with system privileges and loads code on top of the network—making the entire operating system exposable to malware. 
 
This led to PrintNightmare—allowing hackers to exploit the vulnerability and remotely install programs, view or delete data, and even create new user accounts with full user rights. Microsoft introduced patches to PrintNightmare, however they were only a temporary workaround. Admin rights are now required to install printers and only protects a shared computer, it does not correct the spooler system privileges issue that allowed attackers in. 
 
With the fundamental flaw of third-party drivers still at-large, Microsoft looks to Windows Protected Print mode to close the vulnerabilities for good. WPP moves all printers to the Internet Printing Protocol (IPP) standard, removing the need for third-party drivers entirely.  
 
Under WPP, job and print delivery will utilize IPP, the core transport protocol—a well-established, open standard that provides a framework for job submission, status tracking, and printer discovery. Client computers will no longer be able to load print drivers from third parties, eliminating the risk of malicious code from attackers. Common spooler tasks will now run as user, since drivers are no longer required to run as system, reducing the risk of a buggy program infiltrating the system.  

When is Microsoft launching WPP? 

Microsoft launched WPP on October 1st, 2024. It will remain optional for a while as users slowly adopt the new system and any issues with WPP are resolved. Windows Protected Print mode will be a default setting in 2027. 

What does this mean for me? 

WPP is requiring that all devices become Mopria certified. Not all devices are certified yet—and even if they are Mopria certified, that doesn’t mean it will work appropriately in WPP mode.  

If you enable WPP on a device that is not ready for WPP—it will not work. Many devices are still reliant on specific drivers that WPP will not allow—drivers that will have been permanently deleted upon enabling WPP. 

If a device does support IPP, that doesn’t mean it supports IPP’s PDF-based spool files; it may only support formats like JPEG or URF/raster. This requires the print job to be submitted to the printer entirely before the printer can begin printing, causing slower printing and even failure to print for larger documents if the printer is unable to store the entire print job. 

It is crucial to note that several finishing options may be inaccessible under WPP. You may lose functionality of these features: 

  • Booklet Folding
  • Stapling
  • Tray Selection
  • Hole Punch
  • Folding
  • And More 

All of your devices, the entire fleet, should be thoroughly assessed for compatibility with WPP & IPP before implementation.  

Does Century recommend that I enable WPP? 

Century does not recommend enabling WPP immediately and instead holding off a bit. Again, this is an all-or-nothing switch that severs ties to print drivers completely, and you cannot undo it. Numerous devices and finishing options may be rendered inoperable if enabling WPP too early. 

Look into WPP 

We ask that you pass this WPP article to your IT department. Have discussions with them on the advantages, the disadvantages, the good, the bad, and all that comes with it. A lot can and will change in the three years leading up to the 2027 default launch, but as WPP stands right now, we do not recommend enabling it just yet. 
  
Questions about WPP? Find answers here.