Windows Protected Print Mode (WPP) changes printing on Windows significantly. The main idea is to improve security and make printing convenient. Modern printers work automatically under WPP so that third-party printer drivers are no longer required.
There are downsides, especially when it comes to printers that don’t support the functionality. Another downside is that printer apps by the manufacturer may be installed automatically.
The good news is that the new mode does not lock out unsupported printers. Third-party drivers can still be installed for them, but Protected Print Mode will be the default going forward.
Security improvements
Windows Protected Print Mode improves security significantly by eliminating third-party printer drivers. While the mode is enabled, these drivers cannot be installed at all, which removes an attack vector and reduces driver-related stability issues as well.
Microsoft says that about 9% of all Windows cases reported to the Microsoft Security Response Center are print bugs. The company’s Microsoft Offensive Research & Security Engineering team claims that about 50% of all Windows Print related vulnerabilities are mitigated by Windows Protected Print Mode.
In Microsoft's own words:
To put these changes in some context, MORSE did an analysis of past MSRC cases for Windows Print to assess if these changes would help. What we found is that Windows Protected Print Mode mitigated over half of those vulnerabilities. Major vulnerabilities, including Stuxnet and Print Nightmare, used print bugs in their attacks.
To better understand how WPP improves security, it is necessary to look at the current state of printing on Windows.
The current security model is a shared one. Both the native Windows print stack and third-party drivers play a role. While Windows' print stack is maintained by Microsoft, the same cannot be said for all third-party printer drivers. Drivers may no longer be supported, or may be incompatible with modern security features of the Windows operating system.
Besides that, printer drivers run as SYSTEM on Windows, which gives them permissions that exceed those of a regular administrator account. A bug in a driver is therefore a bug in code running with the highest privileges on the machine.
Manufacturers and publishers are responsible for addressing vulnerabilities in their drivers. This becomes a problem when they do not.
Printing features, such as Internet Printing, may also introduce vulnerabilities when a driver implements them. Microsoft estimates that printer drivers implement over 40 different Printer Document Languages, which can "result in vulnerabilities".
Advantages
With Windows Protected Print Mode “normal spooler operations are deferred to a new Spooler” which implements the following improvements:
- Limited/Secure Print Configuration — certain types of attacks, such as tricking the print spooler into loading malicious code, are ineffective.
- Module Blocking — APIs that allow the loading of modules are modified to prevent the loading of new modules into the spooler.
- Per-User XPS Rendering — XPS rendering runs as the user instead of as SYSTEM under WPP.
- Lower Privileges for Common Spooler tasks — these run with restricted rights instead of as SYSTEM.
- Binary Mitigations — several security mitigations can be enabled thanks to the removal of third-party binaries from the spooler process.
- Point and Print — no longer installs third-party drivers.
- Better Transport Security — supports encryption and recommends using encryption whenever possible.
Windows Protected Print Mode limitations
The mode supports Mopria-certified printers only. The creators of the standard describe it in the following way:
Mopria is a printer industry designed standard offering a simple and seamless way to print to millions of certified printers and multi-function printers. It eliminates the need to install any additional software or drivers allowing you to easily print, regardless of the printer’s brand.
Once the change lands in Windows, the default becomes WPP. This eliminates the need to install third-party drivers and will also limit the Print Spooler service to a restricted service. This alone will reduce
Older printers that are not certified will not benefit from these improvements. Windows administrators may still install third-party printer drivers in these cases to ensure that the printer and its full functionality can be used, at the cost of the protections described above.
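Before switching a fleet over, an administrator will want to know which installed drivers are third-party (and so would stop loading under WPP), which printers depend on them, and whether the print policies are already hardened. The following audit script is an added example, not code from Microsoft or from the original article. It uses only the built-in PrintManagement cmdlets and registry reads; the WPP policy registry path and value name are taken from the "Configure Windows protected print" Group Policy and should be treated as an assumption to verify against the ADMX files on your build. The Point and Print path and value are the ones used by the 2021 PrintNightmare mitigation. Run it in an elevated PowerShell on Windows 10/11.

```powershell
# Added audit script (not Microsoft's code and not from the article).
# Assumed policy locations: verify against your build's ADMX before relying on them.
$wppPolicyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\WPP'
$wppPolicyValue = 'WindowsProtectedPrintGroupPolicyState'   # assumption: 1 = enabled
$pnpPolicyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyDword([string]$Path, [string]$Name) {
    # Returns the DWORD value, or $null when the policy is not configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Is Windows Protected Print Mode enforced by policy?
$wpp = Get-PolicyDword $wppPolicyPath $wppPolicyValue
$wppState = if ($null -eq $wpp) { 'Not configured' }
            elseif ($wpp -eq 1)  { 'Enabled' }
            else                 { "Disabled (value $wpp)" }
"Windows Protected Print policy : $wppState"

# 2. Point and Print hardening. Since the August 2021 update the default (value
#    absent) is to restrict driver installation to administrators; an explicit 0
#    re-opens the PrintNightmare-style path where any user can install a driver.
$restrict = Get-PolicyDword $pnpPolicyPath 'RestrictDriverInstallationToAdministrators'
$pnpState = if ($restrict -eq 0) { 'NOT restricted (weak, explicitly set to 0)' }
            else                 { 'restricted to administrators' }
"Point and Print driver install : $pnpState"

# 3. Spooler service state. The spooler is what WPP locks down; if it is
#    disabled entirely (a common PrintNightmare workaround) nothing below applies.
$spooler = Get-Service -Name Spooler
"Print Spooler service          : $($spooler.Status) (start type: $($spooler.StartType))"

# 4. Installed drivers. Under WPP only Microsoft's inbox class drivers are used,
#    so anything whose Manufacturer is not Microsoft is a candidate for removal.
#    MajorVersion 3 drivers are the legacy kind that load into the SYSTEM spooler.
$drivers    = @(Get-PrinterDriver | Select-Object Name, Manufacturer, MajorVersion, Path)
$thirdParty = @($drivers | Where-Object { $_.Manufacturer -ne 'Microsoft' })
"Installed printer drivers      : $($drivers.Count); third-party: $($thirdParty.Count)"
$thirdParty | Sort-Object MajorVersion, Name |
    Format-Table Name, Manufacturer, MajorVersion, Path -AutoSize

# 5. Printers bound to third-party drivers. These are the ones that would have to
#    be re-added through the IPP class driver, or kept on a third-party driver
#    outside WPP, once the mode is enforced.
$thirdPartyNames = @($thirdParty | ForEach-Object { $_.Name })
Get-Printer | Where-Object { $thirdPartyNames -contains $_.DriverName } |
    Format-Table Name, DriverName, PortName, Shared -AutoSize
```

The two interesting outputs are the v3 drivers (the ones that run inside the SYSTEM spooler today) and any printer that is shared while bound to one of them, since a shared queue on a third-party driver is exactly the Point and Print exposure WPP is designed to close.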
Another issue is that manufacturers may define Print Support Apps (PSA). These may get installed automatically on devices to add custom features and support. Users may uninstall them, but this is a manual process.
Closing Words
Windows Protected Print Mode improves security on Windows once it lands. The first version of WPP has shipped in experimental builds only, and it may take a while before it lands in stable versions of Windows.
Old printers will continue to work, but they will not benefit from WPP and its improvements.
Windows 10 and 11 will support the feature. Microsoft recently announced an extension of Windows 10 support.
Now You: which printers do you use?