Windows Protected Print (WPP): What Enterprise IT Should Do Before Microsoft's Deadlines Hit

Windows Protected Print (WPP) is a security mode in Windows 11 and Windows Server 2025 that blocks third-party printer drivers from loading on the endpoint and routes all printing through Microsoft's IPP Class Driver. It requires Mopria-certified printers, or an IPP-capable path, for printers to keep working. Administrators enable it through Group Policy or an Intune profile.

WPP itself is admin-controlled and has no forced activation date, but Microsoft's driver-servicing plan runs on three deadlines. As of January 15, 2026, no new third-party drivers reach Windows Update for Windows 11 and Server 2025. On July 1, 2026, Windows prefers the IPP Class Driver. On July 1, 2027, third-party drivers receive security patches only.

Yes. A cloud print platform keeps the driver on a remote rendering node, so the Windows endpoint sends a driver-agnostic job and needs no third-party driver locally. That removes the dependency WPP blocks, which makes the endpoint WPP-compatible even when the printer is not Mopria-certified. ezeep renders jobs this way and documents WPP compatibility on that basis.

No. WPP is admin-controlled and is configured through Group Policy or Intune. Microsoft has not announced a date when WPP will become the default mode on endpoints. What is on a forced timeline is the driver servicing roadmap: no new third-party drivers via Windows Update after January 15, 2026; Windows preferring the IPP Class Driver on July 1, 2026; no further third-party driver updates except security patches after July 1, 2027.

WPP doesn't change what those regimes require, but it changes the architecture that has to be assessed against them. Removing third-party drivers reduces elevated-privilege software on the endpoint, which simplifies endpoint hardening evidence. The audit path also changes from "client to server queue to printer" to "client to IPP endpoint to printer," which needs end-to-end logging review before WPP is enabled in regulated environments. Whether that's net positive depends on the platform vendor and the data classification involved.

WPP addresses several zero trust violations in the traditional Windows print path. Shared print servers behave as implicit-trust hubs. Third-party drivers run with elevated privileges. The Spooler service accepts inbound RPC connections. WPP replaces these with encrypted IPP over HTTPS, the IPP Class Driver, and the removal of local print servers from the attack surface. For US federal, CMMC-bound, and NIST CSF or 800-53 baseline environments, this is the architectural argument for moving sooner rather than later.

A Windows print server can't transparently bridge WPP clients to legacy non-IPP printers. The server runs the same third-party drivers WPP is removing from clients. If the server only exposes a traditional RPC or SMB share, WPP clients can't connect at all. Architectures that work pass jobs through an IPP path or through cloud rendering, not a shared server still dependent on V3 or V4 drivers underneath. Most enterprises end up consolidating or eliminating print servers as part of the WPP transition.