What Is Windows Protected Print Mode (WPP)?
Microsoft's new driverless printing model for Windows. What it does, what it affects, when it becomes the default, and what IT teams need to know before planning around it.
Windows Protected Print Mode Definition
Windows Protected Print Mode (WPP) is a Microsoft security feature, introduced in Windows 11 version 24H2 (October 2024) and Windows Server 2025, that restricts printing to a driverless, IPP-based model. When WPP is enabled, third-party print drivers are removed from the system and new driver installations are blocked. Only printers using the Microsoft IPP class driver, which communicates with Mopria-certified printers, work natively. The feature is part of Microsoft's broader effort to harden the Windows print stack against vulnerabilities like PrintNightmare.
As of mid-2026, WPP will be off by default on every Windows version that supports it. Users with local administrator rights can turn it on through Windows Settings. IT administrators can enable or block WPP through Group Policy or the Windows Registry. Microsoft has stated WPP will become the default by 2027, though no specific date has been published. The transition is gradual: WPP can be tested today, enabled on specific machines or user groups now, and rolled out broadly before the default-on date arrives.
Why Microsoft Built WPP
Print spooler vulnerabilities have been a recurring problem on Windows for years. PrintNightmare (CVE-2021-34527) was the most publicly known example, but it was one in a long series of spooler-based exploits. The root cause was consistent. Third-party print drivers run with high privilege, and the Windows print spooler had to trust every vendor's driver code to operate.
WPP closes that gap by removing third-party drivers from the print stack entirely. The decision also fits the broader direction of the Windows operating system. Less third-party code with elevated rights, more sandboxing, more verified components. Modern features like Smart App Control and the deprecation of certain legacy drivers point the same direction. WPP is the printing version of that shift.
How Windows Protected Print Mode (WPP) Works
Microsoft IPP Class Driver Only
The IPP class driver becomes the only print driver the OS will load. It's a generic driver built into Windows that supports the Internet Printing Protocol (IPP), an open standard that most modern network printers already implement.
Third-Party V3 and V4 Drivers Are Blocked
Vendor Features Run Through Print Support Apps
Communication Happens Over IPP
What WPP Doesn't Do
A few things come up repeatedly in WPP conversations that are worth clarifying because they're commonly misunderstood.
WPP is not an enterprise print management replacement. It does not provide pull printing, follow-me printing, user authentication at the device, accounting, quotas, or document tracking. Those are separate categories of capability.
WPP does not encrypt print jobs end-to-end. IPP supports IPPS (IPP over HTTPS) for transport encryption between the Windows machine and the printer, but that is transport-level protection, not full document-level encryption.
WPP does not provide centralized printer deployment. It restricts how printers can be installed locally on each Windows machine, but it doesn't provide a central management plane. Group Policy can manage WPP itself, though the older Group Policy printer deployment options (which depended on the traditional print server architecture) are affected by the WPP-related changes.
WPP does not address printer firmware vulnerabilities. The protection is at the Windows print stack layer. If a printer's firmware has a vulnerability, WPP does not change that.
What Changes When You Turn On WPP
All Non-IPP Printers Stop Working
Anything installed through a third-party V3 or V4 driver is unloaded and no longer functional. Existing print queues that depended on those drivers go silent.
New Driver Installations Are Blocked
Point-and-print is disabled. Manual installations through INF files or vendor installers fail. Group Policy cannot re-enable driver installation.
The Internet Printing Client Feature Is Removed
This is a separate Windows feature that some print solutions rely on. Disabling WPP later does not reinstall it automatically.
XPS and Built-in Fax Are Removed
Both are deprecated under WPP and uninstalled when the feature turns on.
OneNote (Desktop) Is Replaced
Standard OneNote printing is uninstalled. A new "OneNote (Desktop) Protected virtual printer" replaces it on Windows 11 26100 or higher with OneNote app version 2410 and later.
Only Mopria-Certified Printers Work Natively
Older printers and printers from manufacturers that haven't certified through Mopria don't appear as available print destinations.
Requirements and Setup of WPP
Requirements for WPP
To use WPP, an environment needs:
- A supported operating system: Windows 11 version 24H2 or later, or Windows Server 2025 or later.
- Mopria-certified printers. The Mopria Alliance maintains a public list of certified devices. Most modern printers from major manufacturers (Canon, HP, Epson, Brother, Lexmark, Ricoh, Toshiba, Xerox) include Mopria certification, though feature support varies. Older printers and many specialty devices (label printers, plotters, industrial printers) are often not Mopria-certified.
- IPP and IPPS enabled on the printer. The setting name varies by manufacturer.
- Network reachability on TCP port 631. Firewall rules must allow IPP traffic between the Windows machine and the printer. If the environment enforces encrypted printing (IPPS), port 443 must also be unblocked.
- The Microsoft IPP class driver. Installed by default with Windows. No additional driver download is required.
For vendor-specific features beyond the standard IPP set, the manufacturer must publish a Print Support App through the Microsoft Store, and the user or organization must install it.
Enabling WPP
WPP can be enabled in three ways.
Via Windows Settings: Settings → Bluetooth and Devices → Printers and scanners → scroll to Printer Preferences → Windows protected print mode → Set up. The user must have local administrator rights.
Via Group Policy: Computer Configuration → Administrative Templates → Printers → Configure Windows protected print → Edit. The Group Policy ADMX template for WPP is included in current Windows 11 and Server 2025 versions.
Via the Registry: Keys live at HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\WPP. Set the WindowsProtectedPrintModeDWORD value to 1 to enable.
A system reboot may be needed for the change to take full effect, particularly when removing existing TCP/IP print queues that don't get cleaned up on the first toggle.
Disabling WPP
WPP can be turned off through the same three paths in reverse. Disabling WPP does not undo the changes that happened when it was first enabled.
⚠️ Removed drivers do not reinstall automatically. Removed Windows features (Internet Printing Client, XPS, built-in fax) do not return on their own. Existing print queues that depended on removed drivers must be rebuilt. WPP is straightforward to turn on. Reverting cleanly is a project.
How ezeep Approaches WPP
ezeep's cloud-rendered, driverless print model aligns with where Microsoft is taking Windows. The latest ezeep App for Windows is a dedicated Windows application that allows ezeep-managed printers to be mapped on user devices even when WPP is enabled. It uses ezeep's cloud rendering, so no local drivers are required. Users keep printing to ezeep printers without disabling WPP, and the security level the IT team chose stays intact.
Dive Into the World of ezeep
What is Cloud Printing?
The fundamentals: what cloud printing is and what it replaces.
Cloud Printing Security
How removing drivers strengthens your security posture.
How Cloud Printing Works
The full architecture from device to cloud to printer.
Frequently Asked Questions
Curious about how it all works? Here's everything you wanted to know about ezeep's cloud printing solution.
Is Windows Protected Print Mode enabled by default?
No. As of mid-2026, WPP is disabled by default in all Windows versions that support it. Microsoft has indicated WPP will become the default by 2027.
Can I use any printer with WPP?
No. Only printers that are Mopria-certified and reachable via the Microsoft IPP class driver work natively. Older printers and many specialty devices (some plotters, label printers, industrial devices) are not Mopria-certified and will not appear as available printers when WPP is on. Basic printing usually works on certified models; advanced features often require a Print Support App from the manufacturer.
Can I reverse the changes WPP makes?
WPP itself can be turned off. The changes it triggered when first enabled (removed drivers, removed Windows features, deleted print queues) do not automatically reverse. Each removed component must be reinstalled or rebuilt manually.
Does WPP replace my print server?
No. WPP is a Windows endpoint security feature that changes how printing works on individual Windows machines. It is not a print management platform and doesn't provide centralized printer deployment, user controls, or reporting.
Is WPP required for compliance?
WPP is not required by any specific compliance framework today. It is one approach to reducing print stack risk. Other architectures (cloud-rendered printing, for example) address the same risk in a different way.
Does PostScript still work under WPP?
The Microsoft IPP class driver does not output PostScript. It outputs PWG Raster, PCLm, or other IPP-supported formats depending on what the printer accepts. Workflows that depended on PostScript output need to be re-evaluated.
How is WPP different from Universal Print?
WPP is a Windows OS-level security feature that restricts how local printing works on each Windows machine. Universal Print is a separate Microsoft cloud service that provides centralized printer management and IPP-based cloud printing. The two can be used together but solve different problems.
Does WPP affect Mac or Linux clients?
WPP is a Windows-specific feature. Mac and Linux clients are not directly affected. However, if Mac or Linux clients print through a Windows print server, changes to that server's print stack (driver removal, queue rebuild) will affect them indirectly.
Does WPP work with traditional print servers?
WPP changes how local Windows machines handle printer drivers. Traditional print servers that rely on shared V3 or V4 drivers are affected because the client side cannot load those drivers anymore. Some queue deployment workflows that depend on the older driver model will need to be re-architected.
Want Printing That Works Under WPP?
ezeep is free for up to 10 users. Set it up in minutes and see how cloud rendering works under any Windows configuration, including WPP.
.webp?width=1920&height=1536&name=ezeep-chart%20(1).webp)