Microsoft ushers in a new era of secure printing
Microsoft is ushering in a new era of secure printing with the biggest change to the Windows print stack in more than 20 years. On 1 October 2024, Microsoft launched Windows Protected Print Mode (WPP), its new secure printing platform, to prevent future print vulnerabilities and attacks. WPP is designed to work with Mopria-certified printers and hardens the entire print stack, blocking third-party drivers. This ties into Microsoft’s deprecation of its legacy printer driver, with servicing of third-party drivers ending and no new drivers available through Windows Update from 2025. While WPP is not currently enabled as the default in Windows, it will eventually be in Windows 11, signifying a shift to a more secure and driverless Windows print experience.
The security challenges of traditional printer drivers
For decades, printer drivers have been the intermediary between computers and printers, translating print jobs into a language printers could understand. However, in today’s fast-evolving threat landscape, securing the vast legacy ecosystem of printer drivers for different manufacturers and models while supporting myriad page description languages (PDLs) is not sustainable.
There are also a range of compatibility issues between legacy drivers and modern security technology, including Control-flow Enforcement Technology (CET), Control Flow Guard (CFG), and Arbitrary Code Guard (ACG). Microsoft depends on printer manufacturers to update these drivers, making the printing system vulnerable to modern exploits.
Indeed, security concerns around the print infrastructure continue to increase, with IT decision-makers in Quocirca’s study reporting that employee-owned home printers (33%) and office printers (29%) are risks to their organisation. Not only are security risks created through paper documents, but devices can be attacked and used to gain access to the network. Printer drivers and print management software are increasingly vulnerable.
Meanwhile, print driver deployment is a top IT administrative burden for organisations. Quocirca’s Print Security, 2024 study reveals that print driver deployment is a key challenge for IT. Overall, 49% of respondents cite admin burden as a top challenge, followed by the complexity of driver deployment across a mixed fleet (42%), with 39% concerned that vendor drivers may introduce security vulnerabilities.
According to Microsoft, the Windows print system has historically been a frequent attack target. Print bugs played a role in Stuxnet and Print Nightmare, accounting for 9% of all cases reported to the Microsoft Security Response Center (MSRC) over the past three years. Microsoft reports that Windows Protected Print (WPP) mode mitigated over half of those vulnerabilities.
Microsoft’s WPP is a complete redesign of the printing subsystem to reduce the attack surface and provide a more secure printing user experience. It embraces IPP-based printing and does not permit third-party drivers.
The rise of IPP and PSA: Driverless printing
In recent years, there has been a growing movement towards driverless printing driven by the adoption of the Internet Printing Protocol (IPP and Print Support App [PSA]). The Microsoft IPP Class Driver is a Windows driver that enables remote printing from a computer to a printer using the IPP, removing the need for third-party drivers. OEMs can support their printers by creating a PSA that offers custom functionality. PSAs are distributed and automatically installed via the Windows Store. This simplifies the printer set-up process by automatically detecting and configuring compatible printers.
IPP printing offers several advantages, such as built-in encryption, access control, code simplification, and authentication. However, IPP printing is still driver-based. For example, printer sharing will either set up a driver or install an IPP printer in the current configuration. This means it still presents some risk to security.
Microsoft’s modernisation of the printing stack
WPP builds on the existing IPP print stack where only Mopria-certified printers are supported and disables the ability to load third-party drivers and direct IP printing. This is because when WPP is enabled, non-IPP print drivers and TCP/IP ports are removed. These WPP legacy configurations are no longer available to limit the opportunity for attackers to leverage the spooler to modify files on the system. WPP also uses transport security, advising users when their traffic is encrypted and, when possible, encouraging users to enable encryption. Microsoft released WPP on 1 October as part of its Windows 11 version 24H2 security baseline release. WPP is not currently enabled by default.
What about legacy devices?
While Mopria-certified printers will work, the shift to WPP could cause an administrative headache for organisations using older legacy devices – of which there are many. Once WPP is enabled, non-IPP print drivers and standard TCP/IP ports are removed (only the IPP driver is preserved) Turning off WPP re-allows using custom drivers and ports.
Microsoft aims to offer the most secure default configuration and the flexibility to revert to legacy (driver-based) printing at any time if users find their printer is not compatible.
While the move towards driverless printing is a positive development, it may lead to compatibility issues with older printers. If a printer’s firmware or hardware does not support IPP or PSA, it may not be compatible with Windows 11. This could force users to upgrade their printers, especially in organisations with large fleets of legacy devices.
Will Windows 11 force a printer refresh?
However, the transition to driverless printing is likely to be gradual. Many manufacturers are already updating their printer models to support IPP and PSA, and Microsoft is working to ensure compatibility with older devices. As the benefits of driverless printing become more apparent, the demand for older, incompatible printers is expected to decline. However, as Windows 10’s end of life approaches and organisations move to Windows 11, they will need to consider replacing older devices.
This is already spurring a technology refresh for laptops, with 79% of respondents in Quocirca’s AI study saying they plan to refresh their PC estate to take advantage of AI PCs. Notably, 73% also expect to refresh their printers/MFPs at the same time. Microsoft has confirmed that Copilot+ PC or any ARM-based device will support printing in Windows 11, either Mopria certified or those that have PSAs.
Quocirca opinion
Microsoft is shaping the future of printing through the Universal Print cloud service and IPP platform. The demise of the traditional print driver marks a significant turning point in the evolution of the print ecosystem, addressing longstanding security and IT administration challenges associated with driver deployment. Organisations will need to carefully plan their transition to avoid disruption to printing, particularly those operating a broad printer fleet with a mix of new and legacy devices. As yet, it is unclear how label printers and wide-format printers will be supported. However, given that Mopria reports that it has certified over 120 million printers and MFPs from various brands, the majority of printers will have some level of support.
This transformation also presents new opportunities for the print industry. Managed print service (MPS) providers can position themselves as strategic partners, assisting customers in assessing their fleet’s compatibility with Windows 11 WPP printing requirements. This could lead to increased demand for hardware refreshes and a renewed emphasis on recycling programmes for incompatible devices that need to be replaced.
By transitioning to a more secure and streamlined printing platform through WPP, which will eventually be a default setting in Windows 11, Microsoft is improving the overall user experience mitigating potential security risks. While this shift may require some adjustments for organisations, it ultimately leads to a more robust and protected printing infrastructure, particularly in the era of new AI PCs.