
Windows Protected Print Mode

Microsoft recently unveiled its goal to modernize the Windows print system, marking, as Microsoft itself calls it, one of the largest changes to the Windows Print stack in more than 20 years.

The aim is to create a more secure and user-focused printing experience while maintaining broad compatibility. This new platform is called Windows Protected Print Mode (WPP), reflecting Microsoft's belief that users should benefit from Secure-by-Default settings. As a result, WPP will eventually be enabled by default in Windows. In line with these changes, Microsoft also announced plans to phase out support for third-party print drivers in Windows. Microsoft encourages organizations, vendors of printing devices, and software developers to switch to IPP-based printing.

Microsoft was motivated to make such substantial changes because of security and compatibility. You can read about Microsoft’s point of view:

Microsoft announced that the public release of the 22H2 update containing Protected print mode will arrive in October 2024.

About WPP

The Protected print mode will most likely be configurable in the system’s Settings > Bluetooth & devices > Printers & scanners, in the registry, and in Group Policy (Computer Configuration > Administrative Templates > Printers, option Configure Windows protected print).

Option in Printers and scanners

Local group policy editor

What Happens When Protected Print is Enabled

Once enabled, non-IPP print drivers and standard TCP/IP ports are removed after restarting the device. This operation is irreversible; the old printers are not recreated if you later disable WPP again. Only IPPS ports and IPPS drivers are preserved.

When enabled from the system’s settings, a warning is displayed to show the impact of this change.

Windows warning about the impact of WPP

Also, the options you have when adding a new printer change. IPP becomes the only device type available and standard print drivers cannot be installed on the system anymore.

Add printer dialogue

Add printer dialogue (using a hostname or IP)

The information above and the screenshots are based on the Windows 11 Canary Preview. The final implementation by Microsoft may differ.

Impact on MyQ X

MyQ IPPS Queues

IPPS printers pointing at queues on the MyQ X Print Server are preserved in the Protected mode, and they function as before.

Impact of Using IPP for Printing

Regarding print job submission to MyQ X, advanced print release options, such as finishing settings, tray selections, and more, may not be available when printing with IPPS. See the deployment guide for IPPS and details on IPPS support and configuration.

IPPS is already widely supported by printing devices. In MyQ X's queue settings, IPPS is available as the output protocol for job release to devices.

More features can be impacted, for example, Device Spooling, which is only supported using RAW.

MyQ Desktop Client’s Printer Provisioning

MDC 10.2 can provision IPPS printers and ports when the built-in IPPS driver is selected in the Printer provisioning settings. MDC transmits jobs to the MyQ Print Server over IPPS, whereas older clients print over LPRS (secure LPR); it can therefore operate in WPP-enabled environments because it does not need LPR ports.

If standard print drivers are selected to be installed on a system with WPP on, the system will block the configuration of those printers. Neither the printer nor the port is created. This invokes the Configuring printers failed error in the Desktop Client.

Configuring printers failed error

In Windows Event Viewer, the issue with creating printers is logged as:

Creating printer failed | Name=Pull Printing | Error=This program is blocked by group policy. For more information, contact your system administrator. | Payload={"Name":"Pull Printing","PortInfo":{"Name":"DC_PORT_Pull_Printing","Queue":"Default","Address":"127.0.0.1","PortType":"Lpr","Port":515},"PrinterDriverInfo":{"Model":"HP Smart Universal Printing (v3.06.2)","Version":"3.6.2.2503","InfFile":null,"PrinterConfiguration":{"Name":"HP Print Default","File":null,"Hash":{"Hash":"605c14358d0fe807c051229555001b1cd056dc345b87ee5d41967ffa2462906b","AlgorithmName":"sha256"}},"Hash":{"Hash":"312d150b98d08732d957a81475d45cc4f6aaa10a8388b1d5302c91c313fc51e2","AlgorithmName":"sha256"},"Platform":"win-arm64"}}

Windows Event Viewer logs
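
The following added example, not part of the original article or of MyQ software, parses messages in the layout shown above and counts policy-blocked provisioning attempts per printer, port type and driver, which shows which driver profiles still need to be unassigned. The sample messages are constructed, and the names Direct Queue and Example PCL6 Driver are hypothetical.

```python
import json
from collections import Counter

PREFIX = "Creating printer failed"
POLICY_ERROR = "blocked by group policy"  # error text from the entry shown above

def parse_event(message):
    """Return the fields of one failure message, or None if unrelated or unparsable."""
    head, sep, payload = message.partition(" | Payload=")
    parts = head.split(" | ")
    if parts[0] != PREFIX or not sep:
        return None
    fields = dict(p.partition("=")[::2] for p in parts[1:])  # Name=..., Error=...
    try:
        data = json.loads(payload)
        port, driver = data.get("PortInfo") or {}, data.get("PrinterDriverInfo") or {}
    except (json.JSONDecodeError, AttributeError):  # truncated or non-object payload
        return None
    return {"printer": fields.get("Name"), "error": fields.get("Error", ""),
            "port_type": port.get("PortType"), "driver": driver.get("Model")}

def blocked_profiles(messages):
    """Count policy-blocked attempts per (printer, port type, driver model)."""
    hits = Counter()
    for message in messages:
        event = parse_event(message)
        if event and POLICY_ERROR in event["error"]:
            hits[(event["printer"], event["port_type"], event["driver"])] += 1
    return hits

def _sample(name, error, model):
    """Build a constructed message in the layout of the entry shown above."""
    payload = {"Name": name, "PrinterDriverInfo": {"Model": model},
               "PortInfo": {"Name": "DC_PORT_" + name.replace(" ", "_"),
                            "Address": "127.0.0.1", "PortType": "Lpr", "Port": 515}}
    return f"{PREFIX} | Name={name} | Error={error} | Payload={json.dumps(payload)}"

_POLICY = "This program is blocked by group policy."
SAMPLE_EVENTS = [  # constructed test data, not real logs
    _sample("Pull Printing", _POLICY, "HP Smart Universal Printing (v3.06.2)"),
    _sample("Pull Printing", _POLICY, "HP Smart Universal Printing (v3.06.2)"),  # retry
    _sample("Direct Queue", _POLICY, "Example PCL6 Driver"),       # hypothetical names
    _sample("Direct Queue", "Access is denied.", "Example PCL6 Driver"),  # not counted
    "Printer provisioning finished",                                # unrelated message
    _sample("Pull Printing", _POLICY, "Example PCL6 Driver")[:-20],  # truncated payload
]

if __name__ == "__main__":
    for (printer, port_type, driver), count in blocked_profiles(SAMPLE_EVENTS).most_common():
        print(f"{count}x {printer} port={port_type} driver={driver}")
```

The same error text can come from other policies, so a hit identifies a blocked provisioning attempt to review, not proof that WPP caused it.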

Recommendations for Printer Provisioning Before Enabling WPP

  • As part of the transition to the Windows protected print mode, deploy IPPS queues beforehand so that users can access replacement printing methods (IPP) once WPP is enabled.

  • If you utilize the Desktop Client’s Printer provisioning, remove all non-IPPS drivers and print driver profiles, or at least unassign them from the queues on which they were to be installed, before enabling WPP.

  • In Central-Site environments, pay attention to users who travel between different site servers. MDC will attempt to install standard print drivers and TCP/IP ports upon reconnecting to another server where they might still be present.

Users will see the pop-up “Configuring printers failed” regularly (on every attempt of the MDC to install those drivers) if WPP is enabled while standard print drivers are configured for Printer provisioning for their device.

  • With Printer provisioning together with the recent MyQ X 10.2 patches, you can also disable the provisioning of print drivers for particular groups of devices (in an MDC configuration profile). You can use this temporarily during the transition period.

Future Steps

Since the announced changes in the Windows print system will eventually have a large impact on the industry, we need to follow the upcoming changes from Microsoft and individual vendors.

We can expect software updates and a gradual shift towards Microsoft’s modernized print system, such as Microsoft's IPP inbox class driver and Print Support Apps (PSA). Read more about the modern Windows print stack in the Print support app design guide.

Similarly, MyQ X’s support for IPPS print release options will be expanded to offer the best alternatives to the standard print drivers and their options.

This article will be updated as more information from Microsoft and manufacturers becomes available.
