This week is all about another new feature within Windows 11, version 24H2, mainly to create awareness. That new feature is Windows protected print mode, which builds on top of the existing IPP print stack. The main enhancement is that only Mopria certified printers are supported and that the ability to load third-party print drivers is disabled. Securing the printing stack has always been, and still remains, challenging, mainly because it has to deal with compatibility with legacy drivers and the high effective permissions of printer drivers. That’s not all that easy to address. Windows protected print mode, however, is a step in the right direction. It adds some long-awaited improvements to print security in Windows that should reduce the impact of problems within the printing stack, as seen with Stuxnet and PrintNightmare. This post will have a brief look at the reasoning behind Windows protected print mode, followed by the steps for configuring it. This post will end with a look at the experience with Windows protected print mode.
Note: Windows protected print mode is a new feature of Windows 11, version 24H2.
Introducing Windows protected print mode
Windows protected print mode is the way forward for a more secure print experience on Windows devices. Its introduction came together with another really important announcement by Microsoft: the end of servicing plan for third-party printer drivers on Windows. That plan is a multi-year approach to end the servicing of the legacy v3 and v4 Windows printer drivers. Starting with Windows 10 version 21H2, there is inbox support for Mopria certified printers via the Microsoft IPP Class Driver. That should remove the need for printer manufacturers to create their own drivers for their printers. The idea is that, if needed, any customizations can be provided via a print support app (PSA) and can be distributed via the Microsoft Store.
That change enables Microsoft to provide a more secure printing solution to Windows devices. There is no longer a need to provide compatibility with legacy printer drivers that are incompatible with the security mitigations and protections that have been implemented over the years. There is also no longer a need to provide the ability to load third-party code that provides full control of the print spooler process. All because the Internet Printing Protocol (IPP) will be supported out-of-the-box. Windows protected print mode builds on that IPP stack and prevents the loading of third-party print drivers. Eventually, that will be the standard for printing in Windows. For now, that’s the goal that organizations should work towards: a better protected and more controlled print experience, and a mitigation for many print vulnerabilities.
Note: Keep in mind that currently not every printer is compatible with Windows protected print mode.
Configuring Windows protected print mode
When looking at configuring Windows protected print mode, it all starts with the Policy CSP. That CSP contains the Printers area, which contains many ADMX-backed settings that can be used to configure printer-related behavior, including a new setting to manage Windows protected print mode. All of the available settings are backed by Printing.admx. Specifically for Windows protected print mode, it’s the ConfigureWindowsProtectedPrint setting of the CSP that is backed by the ConfigureWindowsProtectedPrint setting in the ADMX and eventually configures the WindowsProtectedPrintGroupPolicyState registry value. At this moment this specific setting is not yet available within the Settings Catalog, which is the reason to fall back to a Custom configuration profile. That enables the configuration of any available CSP setting in Windows. As it’s an ADMX-backed setting, keep in mind that it has to be enabled in a specific manner. The following nine steps walk through the configuration of enabling Windows protected print mode for Windows 11, version 24H2 and later.
- Open the Microsoft Intune admin center and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create > New policy to open the Create a profile page
- On the Create a profile page, provide the following information and click Create
  - Platform: Select Windows 10 and later as value
  - Profile type: Select Templates as value
  - Template name: Select Custom as value
- On the Basics page, provide a unique Name to distinguish the profile from other custom profiles and click Next
- On the Configuration settings page, as shown below in Figure 1, click Add to add the following row and click Next
  - OMA-URI setting (1) – This setting is used to enable Windows protected print mode
    - Name: Provide a name for the OMA-URI setting to distinguish it from other similar settings
    - Description: (Optional) Provide a description for the OMA-URI setting to further differentiate settings
    - OMA-URI: Specify ./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureWindowsProtectedPrint
    - Data type: Select String as value
    - Value: Specify <enabled/> as value

- On the Scope tags page, configure the applicable scopes and click Next
- On the Assignments page, configure the assignment and click Next
- On the Applicability rules page, configure at least an applicability rule for Windows 11 version 24H2 and later, to prevent errors in the reporting, and click Next
- On the Review + create page, verify the configuration and click Create
Note: The setting for Windows protected print mode will come over time to the Settings Catalog.
Experiencing Windows protected print mode
After applying the configuration for Windows protected print mode, it’s pretty straightforward to verify and experience that configuration. To verify the configuration, simply open the Settings app and navigate to Bluetooth & devices > Printers & scanners. Starting with Windows 11, version 24H2, that contains the new setting Windows protected print mode in the Printing preferences. That setting should be grayed out and set to Turn Off, as shown below in Figure 2. After enabling Windows protected print mode, every printer that is not compatible will automatically be removed.

Important: Every printer that is not compatible with Windows protected print mode will be removed.
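The same verification can be scripted on a device. The following PowerShell is an added example, not part of the original post: it reads the WindowsProtectedPrintGroupPolicyState value from the registry key reported in the comments on this page and lists the installed printers with their drivers, so printers that do not use the Microsoft IPP Class Driver can be reviewed before they are removed. The function names are hypothetical, and the meaning of value 1, the 24H2 build number 26100 and the driver-name comparison as a compatibility hint are assumptions.

```powershell
# Added example, not from the original post.
# Key path and value name are the ones reported on this page.
$wppKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\WPP'
$valueName = 'WindowsProtectedPrintGroupPolicyState'

# Hypothetical helper: read the policy value and translate it.
function Get-WppPolicyState {
    $item = Get-ItemProperty -Path $wppKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ RawValue = $null; Meaning = 'Value not present' }
    }
    $raw = $item.$valueName
    $meaning = switch ($raw) {
        0       { 'Not configured (as reported in the comments)' }
        1       { 'Enabled by policy (assumption, not stated on this page)' }
        2       { 'Setup button greyed out (as reported in the comments)' }
        default { 'Unrecognised value' }
    }
    [pscustomobject]@{ RawValue = $raw; Meaning = $meaning }
}

# Hypothetical helper: flag printers by driver name. Only a hint (assumption):
# a printer on another driver is not necessarily incompatible.
function Get-PrinterDriverReview {
    Get-Printer | ForEach-Object {
        $usesIpp = $_.DriverName -eq 'Microsoft IPP Class Driver'
        [pscustomobject]@{
            Printer = $_.Name
            Driver  = $_.DriverName
            Port    = $_.PortName
            Review  = if ($usesIpp) { 'Inbox IPP class driver' } else { 'Check compatibility' }
        }
    }
}

# 26100 is the Windows 11, version 24H2 build number (not stated on this page).
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt 26100) { Write-Warning "Build $build predates 24H2; the policy does not apply." }

Get-WppPolicyState | Format-List
Get-PrinterDriverReview | Sort-Object Review | Format-Table -AutoSize
```

Running the printer review before assigning the profile gives a list of devices and queues to check against the vendor's Mopria certification.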
More information
For more information regarding Windows protected print mode refer to the following docs.
- Printers Policy CSP | Microsoft Learn
- Windows protected print mode – Windows drivers | Microsoft Learn
- Windows protected print mode for enterprises and developers – Windows drivers | Microsoft Learn
- More information on Windows protected print mode for enterprises – Windows drivers | Microsoft Learn
- A new, modern, and secure print experience from Windows – Microsoft Community Hub
Great article Peter, thanks. Is there a timeline from Microsoft talking about a date they will default the setting to ‘Enabled’?
Not really. The only timeline at this moment is about the end of servicing plan: https://learn.microsoft.com/en-us/windows-hardware/drivers/print/end-of-servicing-plan-for-third-party-printer-drivers-on-windows
Regards, Peter
Hi Peter, thanks for another great article. Would changing the OMA-URI value to serve to prevent users from being able to turn on this function?
Haven’t specifically tested that yet, but the documentation mentions the following: “If you disable this setting or don’t configure it, there aren’t any restrictions on the print drivers that can be installed or print functionality”
Regards, Peter
But how do we disable it? I tried putting disabled instead of enabled, and while it says success, it does not seem to have actually disabled the ability to turn on WPP.
Hi Tim,
From what I have seen so far, you can’t. The documentation mentions the following: “If you disable this setting or don’t configure it, there aren’t any restrictions on the print drivers that can be installed or print functionality”
Regards, Peter
In case this is useful to anyone, this is what I have discovered.
The relevant registry key is here:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\WPP
By default WindowsProtectedPrintGroupPolicyState is set to 0 which seems to mean Not Configured.
Changing this value to 2 causes the setup button for WPP to become greyed out which prevents the user from enabling WPP.
Thank you for sharing, Tim!
Regards, Peter
Good day Peter.
I need to turn off protected mode, please help.
Hi CNYTYLMZ,
Please have a look at the other comments that are referring to a registry key that can be used.
Regards, Peter