December 16, 2023 at 11:53AM
Microsoft announced the new Windows Protected Print Mode (WPP), bolstering print system security by blocking third-party drivers, reducing resource access, removing attack vectors, and adding binary mitigations. WPP will also introduce transport security and secure print configurations. Additionally, Microsoft will cease third-party printer driver distribution via Windows Update by 2027.
The meeting notes highlight the introduction of Windows Protected Print Mode (WPP) by Microsoft, aiming to significantly enhance the security of the Windows print system. Key points include the following:
– WPP builds on the existing IPP print stack to support Mopria-certified printers and eliminates the ability to load third-party drivers, thus enhancing print security.
– The Microsoft MORSE team found that WPP mitigated over half of the vulnerabilities linked to Windows Print in MSRC cases.
– WPP will bring about various security enhancements, including restricted service launch for the built-in Print Spooler, removal of attack vectors, and the implementation of binary mitigations such as Control Flow Enforcement Technology (CFG), Child Process Creation Disabled, Redirection Guard, and Arbitrary Code Guard.
– Once WPP mode is enabled, operations will be routed through a new Spooler with multiple improvements, such as limited/secure print configuration, module blocking, per-user XPS rendering, and better transport security.
– Users will have the flexibility to revert to legacy printing if their printer is not WPP-compatible, and WPP is currently in Insider builds for testing.
Additionally, Microsoft announced plans to cease third-party printer driver delivery through Windows Update over the next few years, with a gradual shift towards prioritizing in-house Windows IPP Class drivers. This includes blocking driver submissions from printer vendors starting in 2025 and eventually halting distribution of third-party printer driver updates via Windows Update in 2027.
The overall goal is to provide a more secure default configuration, while maintaining the flexibility to support legacy printing and continuing to patch older printer drivers within their Support Lifecycles.
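Because WPP refuses to load third-party drivers and Windows Update stops shipping them after 2027, the practical first step for an administrator is to find out which queues still depend on such drivers and which of the listed binary mitigations already apply to the Spooler. The following PowerShell script is an added example written for this summary; it is not code from Microsoft or from the original announcement. It relies only on the inbox PrintManagement cmdlets (`Get-PrinterDriver`, `Get-Printer`) and the Defender Exploit Guard cmdlet `Get-ProcessMitigation`. The registry path and value name for the WPP Group Policy state, and the property names read from the mitigation object, are assumptions taken from the Windows ADMX and cmdlet output shape rather than from the page.

```powershell
# Added example (not from the page or from Microsoft): a readiness check to run
# before enabling Windows Protected Print Mode (WPP). It
#   1. lists installed printer drivers that are not Microsoft-supplied,
#   2. maps those drivers to the print queues that depend on them, and
#   3. reports the exploit mitigations currently applied to spoolsv.exe.
# Run in an elevated PowerShell session on the machine being assessed.

#Requires -Modules PrintManagement

# ASSUMED: policy key/value for the WPP Group Policy setting (from the ADMX,
# not stated on the page). Adjust if your build differs.
$WppPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\WPP'
$WppPolicyValue = 'WindowsProtectedPrintGroupPolicyState'

function Get-NonMicrosoftPrinterDriver {
    # Inbox IPP class drivers are Microsoft-supplied; anything else is a
    # third-party driver that WPP would refuse to load.
    Get-PrinterDriver |
        Where-Object { $_.Manufacturer -ne 'Microsoft' } |
        Select-Object Name, Manufacturer, DriverVersion, PrinterEnvironment, MajorVersion
}

function Get-PrinterDependingOnThirdPartyDriver {
    # Queues bound to a third-party driver are the ones that would need to
    # fall back to legacy printing (or be re-pointed at an IPP class driver).
    $thirdParty = @(Get-NonMicrosoftPrinterDriver | Select-Object -ExpandProperty Name)
    Get-Printer |
        Where-Object { $thirdParty -contains $_.DriverName } |
        Select-Object Name, DriverName, PortName, Shared
}

function Get-SpoolerMitigationState {
    # Get-ProcessMitigation -Name reads the per-image mitigation policy (and the
    # live state if spoolsv.exe is running). Property names below are ASSUMED
    # from the cmdlet's usual output shape; inspect $m directly if they differ.
    $m = Get-ProcessMitigation -Name 'spoolsv.exe'
    [pscustomobject]@{
        ControlFlowGuard        = $m.Cfg.Enable
        UserShadowStack_CET     = $m.UserShadowStack.UserShadowStack
        ChildProcessBlocked     = $m.ChildProcess.DisallowChildProcessCreation
        ArbitraryCodeGuard_ACG  = $m.DynamicCode.BlockDynamicCode
    }
}

function Get-WppPolicyState {
    # Returns the raw policy value, or $null when no policy has been set.
    try {
        (Get-ItemProperty -Path $WppPolicyKey -Name $WppPolicyValue -ErrorAction Stop).$WppPolicyValue
    } catch {
        $null
    }
}

function Invoke-WppReadinessReport {
    $drivers  = @(Get-NonMicrosoftPrinterDriver)
    $printers = @(Get-PrinterDependingOnThirdPartyDriver)

    Write-Host "WPP policy value (assumed key): $(Get-WppPolicyState)"
    Write-Host "Third-party printer drivers installed: $($drivers.Count)"
    $drivers | Format-Table -AutoSize
    Write-Host "Print queues depending on third-party drivers: $($printers.Count)"
    $printers | Format-Table -AutoSize
    Write-Host "Current spoolsv.exe mitigation state:"
    Get-SpoolerMitigationState | Format-List

    # A fleet with zero third-party-dependent queues can enable WPP without
    # needing the legacy fallback; otherwise the list above is the migration work.
    return [pscustomobject]@{
        ThirdPartyDrivers = $drivers
        AffectedPrinters  = $printers
        Mitigations       = Get-SpoolerMitigationState
    }
}

$report = Invoke-WppReadinessReport
```

The returned object can be exported with `Export-Clixml` or fed to a configuration-management tool to aggregate results across machines. Mitigation values reported as `NOTSET` mean the image inherits the system default, not that the mitigation is absent; compare against the list on this page (CFG, child-process blocking, Redirection Guard, ACG) to see what WPP's Spooler adds beyond the current baseline.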
It’s important to note that this is an early release, and many features are still in progress and subject to change based on feedback.