Windows Protected Print Mode (WPP) is a newly introduced feature in Windows 11 (version 24H2) and Windows Server 2025 that enhances security when printing. By enabling WPP, users can forgo installing model-specific printer drivers from various vendors, as a universal driver replaces the legacy print stack with the Internet Printing Protocol (IPP). This transition offers two main advantages: streamlining the process for users who no longer need to install, update, or search for printer drivers, and bolstering security since there’s no need to install third-party driver code.
WPP mitigates risks from vulnerabilities in print services, such as the PrintNightmare exploit, by preventing the execution of driver code in the SYSTEM context, thereby allowing most print jobs to run in user mode.
Requirements for Using WPP
-
Compatibility: WPP is supported starting with Windows 11 24H2 and Windows Server 2025, and is compatible only with Mopria-certified printers. A list of certified printers can be found on the Mopria project page. Brands like Canon, HP, Epson, Dell, Brother, Toshiba, and Ricoh predominantly support Mopria.
-
Driver Necessity: WPP utilizes the IPP stack, so the Microsoft IPP Class Driver, which is pre-installed in Windows, must be available. The IPP and IPPS printing protocols need to be enabled in printer settings, which could vary by vendor. Additionally, the printer should be accessible via TCP/UDP ports 631.
By default, Protected Print mode is disabled on Windows, but it may be enabled in future updates. To manage WPP:
- Navigate to the Settings app (Settings → Bluetooth and Printers → Printer and Scanners).
- Click the Set up button in the WPP section, and be aware that enabling WPP will remove incompatible printers, print queues, and drivers.
- It’s wise to back up a list of installed printers and drivers. You can use the PowerShell command:
Get-Printer | Export-Csv C:listprinters.csvAlso, consider using
Export-WindowsDriverto back up installed drivers. - After adjustments, restart your computer.
Once Protected Print Mode is activated, installing incompatible printer drivers is not permitted, and users will receive messages indicating that installations cannot proceed.
Group Policies and Registry Adjustments for WPP
WPP is also governed by Group Policies (GPO). The GPO option permits enabling or disabling Protected Print Mode:
- Launch the local GPO editor (
gpedit.msc). - Navigate to Computer Configuration → Administrative Templates → Printers and enable the Configure Windows protected print policy.
Registry adjustments can also activate WPP by creating several DWORD parameters under the key HKLMSOFTWAREPoliciesMicrosoftWindows NTPrintersWPP:
EnabledBy = 2WindowsProtectedPrintGroupPolicyState = 1WindowsProtectedPrintMode = 1WindowsProtectedPrintOobeConfigComplete = 1
To disable WPP, change the EnabledBy value to 0 and delete the remaining registry options.
Overall, Windows Protected Print Mode advances security by minimizing the potential attack surfaces through printer drivers while simplifying driver management for users.