Microsoft has revealed the introduction of Windows Protected Print Mode (WPP), a new feature that brings significant security enhancements to the Windows print system. 

According to Johnathan Norman, the principal engineer manager at Microsoft Offensive Research & Security Engineering (MORSE), WPP is built on the existing IPP print stack, supporting only Mopria certified printers and disabling the loading of third-party drivers. Norman emphasized that such measures are crucial for enhancing print security in Windows, addressing vulnerabilities that have historically been exploited, as seen in incidents like Stuxnet and Print Nightmare.

The MORSE team conducted a comprehensive analysis of Windows Print-related cases reported to MSRC, revealing that Windows Protected Print Mode successfully mitigated over half of the vulnerabilities identified. 

Once WPP becomes the default setting on all Windows systems, Microsoft plans to shift away from running the built-in Print Spooler service as SYSTEM. Instead, it will be launched as a restricted service, significantly reducing its access to resources and privileges. This strategic move aims to diminish the appeal of the Spooler process as a potential target for exploitation.

In addition to changing the Spooler service configuration, Microsoft will eliminate various attack vectors previously exploited by malicious actors. This includes the removal of RPC endpoints and legacy components that have been targeted in the past. WPP will also introduce binary mitigations, such as Control Flow Enforcement Technology (CFG), Child Process Creation Disabled, Redirection Guard, and Arbitrary Code Guard, making exploitation more challenging.

When WPP mode is enabled, normal spooler operations will go through a new Spooler that incorporates multiple security improvements. These include Limited/Secure Print Configuration, Module Blocking, Per-User XPS Rendering, and Better Transport Security. The goal is to provide users with the most secure default configuration while allowing flexibility to revert to legacy (driver-based) printing if compatibility issues arise.

Microsoft assures users that the implementation of WPP will not impact customers with older printers, as they can enable legacy support. Additionally, as part of a broader printer driver strategy, Microsoft announced the gradual discontinuation of third-party printer driver delivery through Windows Update. 

Starting in 2025, driver submissions from printer vendors will be blocked, with a transition to prioritizing in-house Windows IPP Class drivers by 2026. By 2027, Microsoft plans to cease distributing third-party printer driver updates via Windows Update, except for security fixes, while users can still install drivers from vendors' websites. Norman emphasized that this move away from driver-based printing enables Microsoft to make meaningful improvements to the print system, addressing modern threats more effectively.