How to Secure Your Printer with Windows 11’s Protected Print Mode

Proprietary drivers from printer manufacturers have posed challenges for Microsoft for quite some time. The company estimates that around nine percent of security vulnerabilities in Windows stem from the printing system.

For instance, in 2021, a significant security flaw was discovered in the printer spooler, allowing malicious actors to elevate their access rights. This level is even higher than administrator privileges, permitting the installation of various applications and extensive changes to system settings.

This vulnerability led to the development of several patches over a few months, ultimately dubbed “Print Nightmare.”

In the upcoming Windows 11 24H2 update, Microsoft has introduced a feature called Windows Protected Print mode (WPP), which was previously announced. This mode replaces many manufacturer drivers and blocks the installation of new printer drivers.

The goal of this initiative is to thwart the potential introduction of harmful code through drivers. Moreover, it ensures that common printing tasks are executed with user rights rather than system rights, effectively addressing the security hole that contributed to the Print Nightmare issue.

The WPP operates on the Internet Print Protocol (IPP) and employs a standardized IPPClass driver, ensuring compatibility with all printers and multifunction devices certified by the Mobile Printing Alliance (Mopria). This alliance, initially formed by Canon, HP, Samsung, and Xerox, now includes major printer manufacturers as members.

To prevent compatibility issues, WPP is not enabled by default in Windows and must be manually turned on by the user. You can check if your printer or multifunction device is supported at mopria.org/certified-products.

If your device is compatible, enabling WPP is simple: open the “Settings” from the Start menu and navigate to “Bluetooth and devices” > “Printers and scanners.” Scroll down to “Windows Protected Print Mode” and click “Set up.” After confirming the two security prompts with “Yes, continue,” Windows will manage the setup for you.

Once enabled, Windows will oversee print jobs using the WPP driver. If the original manufacturer’s driver provided specific features for printing, you may find corresponding alternatives in the Microsoft Store for WPP drivers.

If you decide to disable WPP later, simply click “Remove” under “Bluetooth and devices” > “Printers and scanners” > “Windows Protected Print Mode” and confirm with “Yes.” Keep in mind that you will need to reinstall the original manufacturer drivers afterward.