Microsoft eyes improved printer security in sweeping update
Windows Protected Print Mode removes the need for third-party drivers and introduces a number of security enhancements


Microsoft has moved to make printing more secure with a new Windows Protected Print Mode (WPP) in what the company said is one of the biggest changes to the Windows Print stack in more than 20 years.
The move comes amid a period of continued threats to printers, with a recent report from Sharp revealing that printer-related security risks are still rife and that nearly one-fifth of firms have experienced a printer-related security breach.
The Windows print system has long been a target for attackers, as the Spooler requires high privileges and must load code from the network. Print bugs have been implicated in Stuxnet and Print Nightmare, and account for 9% of all Windows cases reported to MSRC, the firm said.
There's also an issue with driver compatibility, with some print drivers now incompatible with newer security mitigations, such as Control Flow Guard (CFG), Control Flow Enforcement Technology (CET), Arbitrary Code Guard (ACG), and others.
Microsoft has attempted to improve matters by encouraging users to switch to Internet Printing Protocol (IPP), when possible, and by recently ending servicing for the legacy v3 and v4 Windows printer drivers.
Windows Protected Print Mode: New improvements
Microsoft said WPP takes things further by blocking all third-party drivers altogether, while adding in a range of new security protections.
After analyzing past MSRC cases for Windows Print, it found that WPP mitigated over half of those vulnerabilities.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
"Moving away from driver-based printing offers many benefits to users and allows Microsoft to make many meaningful improvements to our print system," said Microsoft security engineer Johnathan Norman.
"The existing driver-based system, established decades ago, depends on many third parties and Microsoft all playing their role, which has proven to be too slow for modern threats."
With WPP, privileges for the Print Spooler service have been restricted to decrease the attack surface, with a new Spooler Worker process having a restricted token that removes many privileges such as SeTcbPrivilege and SeAssignPrimaryTokenPrivilege, and no longer running at SYSTEM IL.
While it does retain SeImpersonatePrivilege, Norman said the company plans to remove this when it can.
RELATED RESOURCE
Learn how to distinguish the difference between fact and fiction when it comes to preventing file-based threats
Control Flow Enforcement Technology hardware-based mitigation should help to mitigate Return Oriented Programming (ROP) based attacks, while child process creation will be blocked, preventing attackers from spawning a new process if they manage to get code execution in the Spooler.
Redirection Guard prevents many common path redirection attacks which often target the Print Spooler, while Arbitrary Code Guard prevents dynamic code generation within a process.
Point and Print will be prevented from installing third-party drivers, and WPP will make it clear to users when their traffic is encrypted and, when possible, encourage users to enable encryption.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
M&S suspends online sales as 'cyber incident' continues
News Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
By Ross Kelly
-
Manners cost nothing, unless you’re using ChatGPT
Opinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
By Ross Kelly
-
Intune flaw pushed Windows 11 upgrades on blocked devices
News Microsoft is working on a solution after Intune upgraded devices contrary to policies
By Nicole Kobie
-
Dragging your feet on Windows 11 migration? Rising infostealer threats might change that
News With the clock ticking down to the Windows 10 end of life deadline in October, organizations are dragging their feet on Windows 11 migration – and leaving their devices vulnerable as a result.
By Emma Woollacott
-
Recall arrives for Intel and AMD devices after months of controversy
News Microsoft's Recall feature is now available in preview for customers using AMD and Intel devices.
By Nicole Kobie
-
With one year to go until Windows 10 end of life, here’s what businesses should do to prepare
News IT teams need to migrate soon or risk a plethora of security and sustainability issues
By George Fitzmaurice
-
Microsoft is doubling down on Widows Recall, adding new security and privacy features – will this help woo hesitant enterprise users?
News The controversial AI-powered snapshotting tool can be uninstalled, Microsoft says
By Nicole Kobie
-
Microsoft pulls Windows update after botched patch causes blue screens, reboot loops
News Microsoft has pulled a Windows 11 update ahead of next week's Patch Tuesday after encountering a raft of issues
By Nicole Kobie
-
Microsoft patches rollback flaw in Windows 10
News Patch Tuesday includes protection for a Windows 10 "downgrade" style attack after first being spotted in August
By Nicole Kobie
-
It looks like we’re stuck with Windows Recall: Microsoft confirms option to uninstall was just a ‘bug’
News The controversial feature can be disabled, but Microsoft isn't saying much else
By Nicole Kobie