Image: Canon
The printer manufacturers’ proprietary drivers have been a thorn in Microsoft’s side for some time now. According to the company, nine percent of Windows security problems are caused by the printing system.
In 2021, for example, a security vulnerability in the printer spooler was found that allowed attackers to gain system rights. System rights are one level above administrator rights and allow the installation of arbitrary applications and almost unlimited changes to Windows settings.
As new patches had to be developed for several months to close the gap, it was finally given the name “Print Nightmare”.
In Windows 11 24H2, Microsoft has now integrated the Windows Protected Print mode, or WPP for short, which was announced some time ago. It replaces the manufacturer’s drivers on many printers and at the same time prevents the installation of new printer drivers.
This is intended to prevent malicious code from entering the computer via the drivers. It also ensures that the common tasks of the printer spooler are no longer executed with system rights, but only with user rights. In this way, Microsoft is closing the security gap that led to the Print Nightmare.
Windows 11 24H2 contains the new Windows Protected Print mode, which you must first switch on via the “Settings”.
Sam Singleton
WPP is based on the Internet Print Protocol (IPP) and uses a standardized IPPClass driver. This works with all printers and multifunction devices that have been certified by the Mopria Alliance. Mopria was originally founded by Canon, HP, Samsung and Xerox and today all major printer manufacturers are members of the Alliance.
To avoid compatibility problems, WPP is not active by default in Windows, but must be switched on by the user. You can look up whether your printer or MFC is compatible at https://mopria.org/certified-products.
If it is, you can easily switch to WPP: Open “Settings” in the Start menu and go to “Bluetooth and devices” -> “Printers and scanners”. Scroll down to “Windows Protected Print Mode” and click on “Set up”. After you have answered the two security questions with “Yes, continue”, Windows will do the rest.
Windows then takes control of the print jobs with its WPP driver. If the manufacturer’s original driver provided extended functions for printing, you may find corresponding tools for the WPP drivers in the Microsoft Store.
If you want to deactivate WPP again, just click on “Remove” under “Bluetooth and devices”->”Printers and scanners”-> “Windows-protected print mode” and confirm with “Yes”. Just be aware that you must then reinstall the manufacturer’s old drivers.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.
Author: Roland Freist, Contributor, PCWorld
Roland Freist is a freelance IT journalist covering topics related to Windows, applications, networks, security and the Internet.
