Everything You Should Know About Microsoft Windows Protected Print (WPP)

Read This About Enabling Windows Protected Print (WPP)

On October 1, 2024, Microsoft launched Windows Protected Print Mode (WPP), a security-enhanced printing platform intended to prevent future print vulnerabilities and attacks like PrintNightmare in 2021. PrintNightmare allowed attackers to remotely execute code through Windows print spoolers.

Microsoft identified that most printing vulnerabilities were caused by older drivers, which are incompatible with many modern security mitigations. Its solution is to block the use of third-party drivers and default to IPP printing only. Enabling WPP prevents the installation of TCP/IP printers and stops direct IP printing in your existing print stack.

Microsoft released WPP on October 1 as part of their Windows 11 version 24H2 security baseline release. WPP is not enabled by default at this time, but the plan is that WPP will be the default configuration by 2027—dates subject to change. 

Why Vasion Print Customers Don’t Need to Enable WPP

Vasion Print customers’ print stack is already secure and protected:

  1. You’ve eliminated your print servers. 
  2. Vasion Print verifies and permits the installation of certified drivers only.
  3. You have full centralized control over all drivers to verify only certified drivers are in use.
  4. You can configure Vasion Print to prevent the installation of drivers from outside our system. 

Because of this, during the height of PrintNightmare, none of our customers were affected by the vulnerability. 

While WPP is not enabled by default at this time, we recommend holding off on enabling Windows Protected Print Mode. We are updating Vasion Print to be compatible with WPP to ensure you have no disruptions if you enable it in the future.

You’ve Got Questions, We’ve Got Answers

Q: Do I need to enable WPP to ensure my print environment is secure?

A: No. With Vasion Print, you are already secure. By eliminating your print servers, you’ve also eliminated a major attack surface in your print environment. 

Q: How will Windows Protected Print Mode affect my print environment if enabled? 

A: By enabling WPP, you’ll end up being unable to manage the Windows machines that have WPP enabled. You also lose access to many advanced features because WPP doesn’t support them. 

  • Installation Restrictions: It will disable your ability to install any TCP or IP printers and print from those ports, as it only allows for IPP printing. 
  • Driver and Queue Removal: It will automatically remove all existing drivers and print queues from your environment.
  • Reconfiguration Required: It will require you to reconfigure all print queues to an IPP port only. 

Q: How do I know if my printers support WPP?

A: WPP supports any Mopria-certified printers. Luckily, all popular printer manufacturer brands have certified their products with Mopria, so this should not be cause for concern. To find out which of your printers meet this certification, review Mopria's certified product list.

Q: Does Vasion Print support Windows Protected Print Mode? 

A: We are updating Vasion Print to be compatible with WPP mode to ensure no disruptions to your print environment. We will follow up with additional updates as we continue to progress. 

Q: What if I’ve already enabled WPP?

A: You probably noticed that any TCP/IP printer, queue, or third-party driver disappeared from your printer list and direct IP printing stopped working altogether. But don't worry, this is reversible.

First, disable the WPP settings. Then, any previously deployed printers and queues will be restored. However, manually uploaded printers cannot be restored and must be added again. If you need assistance, please contact Vasion’s Support team.

Q: Who should I reach out to if I have additional questions?

A: Please reach out to Vasion’s Support team if you have any questions or concerns.
