Posted October 2024

Microsoft released operating system update 24H2 for Windows 11 that included a new security feature called WPP (Windows Protected Print). It is currently not enabled but can cause significant issues on end users workstations related to printing when it is enabled. TGI does not advise turning it on as the only recovery from enabling it is recreating all print queues from scratch which falls outside of our standard maintenance. Anyone who chooses to enable it does so at their own risk.

On October 1^st, 2024 Microsoft released OS update 24H2 for Windows 11 that included a new security feature called WPP (Windows Protected Print).  It is currently not enabled but can cause significant issues on end users workstations related to printing when it is enabled.

What is Windows Microsoft Protected Print Mode?

Windows protected print mode (WPP) is a security-enhanced printing platform for Windows that runs with lower privileges and uses Internet Printing Protocol (IPP) to eliminate the need for third-party drivers. Together, these remove significant security risks that can lead to attackers gaining SYSTEM-level access. Whether you are an IT manager, security professional, or business owner, understanding the impact and benefits of WPP is essential as it changes the landscape of print infrastructure. Below is an overview of WPP, and what your organization needs to know prior to implementing this feature to minimize the impact on your end users.

How Windows Protected Print Mode works

• Printer and job delivery is based on the Internet Printing Protocol (IPP) and not print drivers.
• No more third-party printer drivers and modules can be loaded on end user computers.
• Common print spooler tasks are now run at lower privilege level, minimizing SYSTEM-level access attacks.

The challenges of transitioning to Windows Protected Print Mode

1. When you switch on Windows Protected Print Mode, the existing print queues and drivers on the computer will be permanently deleted. You won’t get them back if you decide to switch WPP off. It is an all-or-nothing setting.
2. You can’t use a driver for some printers while using Windows Protected Print Mode for others. If WPP is enabled, print drivers are nonexistent.
3. Not all printers are equal. Based on a sample of thousands of printer models we assessed, roughly 70% of printers will work seamlessly over IPP. For the rest, they will either function with reduced speed, lower quality or not at all.
4. Existing scripts that system admins may have in use, such as printui scripts to manage printers, won’t work anymore.

Reasons to Hold Off on Turning It On:

1. When WPP is implemented, ALL current printers and ports using TCP/IP protocol will be deleted. The only way to recover from this is to manually recreate them.  You cannot fail back to the previous setup by disabling WPP. If your organization has many printers this can be very disruptive to your environment.  WPP is an all or nothing setting change.
2. Compatibility Issues: Many existing applications and printers may not fully support Protected Print Mode, leading to potential printing disruptions or errors. Supported printers require to be MOPRIA certified.
3. Workflow Disruption: Enabling this feature could impact your current printing processes, requiring adjustments to workflows that might not be immediately feasible.
4. User Experience: Some users have reported a more complicated printing experience, including additional steps for accessing print jobs. This could lead to frustration and decreased productivity. Prints will take longer to process and output will be delayed for end users.
5. Updates and Support: As this feature is still relatively new, Microsoft and other software providers are actively working on improvements. It may be beneficial to wait for updates that enhance compatibility and functionality.
6. Security Alternatives: There are other established security measures that can effectively protect sensitive documents without the complexities associated with Protected Print Mode. We are here to discuss and recommend the best solutions for your needs.

On workstations, version 24H2+ and beyond will add a section to the Printers and Scanners settings page as well.

Do not setup Windows Protected Print Mode as it will again delete all of your printers.  It will cause disruption if you are not planning for this in advance.  This cannot be blocked by Group Policy either, meaning if an end user does this they will most likely be placing a support ticket to correct it.

How TGI can help:

As your current partner providing Multifunction Printers, Single Function Printers, and Print Management Solutions, we have the expertise to analyze your current print environment in order to determine if/when your hardware and software are compatible with WPP, prior to you making any changes that may have an adverse impact on your end user printing environment.

In summary, while Windows Protected Print Mode has its advantages, we believe that postponing its activation until we have a discussion with you will better serve your current operations. We are committed to keeping your environment secure, efficient, and fully functional without interruptions and we welcome the opportunity for a discussion.

If you have any questions or concerns, please feel free to reach out to our support team.