Microsoft is introducing a new XPS-based printing system to eliminate print drivers and the associated vulnerabilities.
Since the early days of Windows, Microsoft have allowed the easy, silent distribution and installation of print drivers written by printer hardware manufacturers and others. To do this, very powerful system-level permissions are inherently granted to the Windows printing subsystem, the Windows Print Spooler, and these were eventually exploited by bad actors, most famously with the “PrintNightmare” attack.
In response, Microsoft have gone beyond patching and are introducing “Windows Protected Printing” to offer a print-driver-free printing system built around generic embedded Type 4 class drivers. This will provide a secure environment in the sense that it will remove the ability to install a custom-written print driver, and with it the associated potential for exploitation.
This will of course take time to become common, and is optional for the foreseeable future, but at present:
- Switching on the option is a one-way trip; it is irreversible.
- Hardware manufacturers will need time to respond.
- Legacy hardware may not support the new print system, and if it doesn’t, it probably never will.
- Printing is going to be based on Type 4 XPS drivers only.
- Type 3 drivers will not work, meaning older printers may no longer be usable.
- Printer functionality may become more limited, depending upon hardware manufacturer support.
- Formate eVo print output is already XPS based, but virtual printers are unlikely to work.
- Some legacy ERP systems may no longer be able to print to a Windows shared printer.
- Sending “code” such as ZPL directly to a thermal printer via a driver may be impossible.
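Because the switch cannot be undone, it helps to know beforehand which print queues on a server depend on anything other than a Type 4 driver. The script below is an added example, not Microsoft's or Formate's own code. It is read-only and assumes the built-in PrintManagement module; the report column names are chosen here for illustration.

```powershell
# Added example: read-only inventory of print queues and their driver types.
# Nothing is changed; run it on the print server before any decision is made.
Import-Module PrintManagement

# Driver name -> driver model version (3 = Type 3, 4 = Type 4).
$driverType = @{}
foreach ($d in Get-PrinterDriver) {
    $driverType[$d.Name] = [int]$d.MajorVersion
}

# Port name -> port monitor, which helps tell physical from virtual printers.
$portMonitor = @{}
foreach ($port in Get-PrinterPort) {
    $portMonitor[$port.Name] = $port.PortMonitor
}

$report = foreach ($p in Get-Printer) {
    $type = $driverType[$p.DriverName]
    [pscustomobject]@{
        Printer     = $p.Name
        Driver      = $p.DriverName
        DriverType  = if ($type) { "Type $type" } else { 'Unknown' }
        Shared      = $p.Shared
        Port        = $p.PortName
        PortMonitor = $portMonitor[$p.PortName]
        # Anything that is not confirmed Type 4 needs a closer look.
        Review      = ($type -ne 4)
    }
}

# Queues needing review first, then alphabetical.
$report |
    Sort-Object -Property @{ Expression = 'Review'; Descending = $true }, Printer |
    Format-Table -AutoSize

$toReview = @($report | Where-Object Review)
'{0} of {1} print queues do not use a confirmed Type 4 driver.' -f $toReview.Count, @($report).Count
```

Queues marked for review that are also shared, or that sit on a non-physical port, correspond to the shared-printer and virtual-printer cases in the list above.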
Please speak to us before switching on Windows Protected Printing on a server hosting eVo.
As our understanding will evolve over the coming 12-24 months, the above should be viewed as simply our initial view. It may not be 100% accurate, and is intended only to raise awareness and prompt consideration at this point, not to be definitive.