The 24H2 Update will include Windows Protected Print (WPP). If you have a compatible printer or no printer at all, I really encourage those who care about security to enable the feature. Enabling WPP switches users to the new print stack which kills a LOT of attack surface in Windows. It is one of the largest reductions of overall attack surface in Windows that I can recall. Moreover, it disables all 3rd party drivers. In the next month or two, the Restricted Worker update will also be applied which will remove SYSTEM privileges. We wanted to land it with the release, but we had a small last minute bug to address.
You can find me previous blog on the topic here -> https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645
Docs here: https://learn.microsoft.com/en-us/windows-hardware/drivers/print/modern-print-platform
This will be the default in future versions of Windows
@spoofy
> Moreover, it disables all 3rd party drivers
how does that work?
Are there printer-specific drivers included with Windows that are considered first-party?
Or are all printers now required to use some standardized communication protocol, so that no model-specific driver is necessary?
@wolf480pl @spoofy IPP is that standard. Been defacto standard for print on Linux for a decade or so
Not sure what Mac does
@wolf480pl @falken @spoofy Yes, there's an IPP over USB standard.
I've never found a good description of exactly what's in the Mopria standard from anyone involved in it, but OpenPrinting lists two bitmap formats plus PDF as what's required from compatible printers: https://openprinting.github.io/driverless/01-standards-and-their-pdls/
@falken @wolf480pl @spoofy macOS uses CUPS as well; the Linux version is a fork of it. The proprietary Mopria standard Windows is using just specifies exactly what subset of IPP options and print data needs to be supported.