Microsoft is increasing focus on the Windows Printing Platform (WPP), which prioritizes enhanced security and eliminates reliance on third-party drivers. WPP represents the future of printing on Windows OS, leveraging IPP and requiring a Mopria-certified printer. At present, customers can enable WPP voluntarily, but Microsoft is anticipated to make it mandatory for all users in the future. For details refer to:
https://learn.microsoft.com/en-us/windows-hardware/drivers/print/windows-protected-print-mode
In alignment with Microsoft’s direction, Y Soft is actively expanding support for WPP across its product portfolio:
-
YSoft SafeQ 6 fully supports WPP through the Mobile Integration Gateway (MIG). In this setup, server-based spooling is utilized.
-
Support for both server and client spooling in YSoft SafeQ Client V3 is planned for a future release (feature reference: SQC-8518).
-
Support for FlexiSpooler (FSP) is being evaluated for feasibility.
Integration details
This part describes how various YSoft SafeQ configurations work in combination with WPP.
Generic information
-
To add or print via an IPP(s)/HTTP(s) printer, the workstation must trust the IPPS server's certificate, or the Certificate Authority (CA) that signed it.
-
Printer setup will fail if:
-
The server is unreachable, or
-
The certificate is not trusted by the workstation.
-
-
Windows Printing Platform (WPP) is available starting from Windows 11 version 24H2.
How WPP changes printer deployment
When WPP is enabled
-
You can add printers using:
-
PowerShell:
Add-Printer -
Control Panel: "Add a printer using IP address or hostname" (Device type: IPP Device)
-
-
You can’t add printers via:
-
Command line: rundll32
-
Control Panel: "Select a shared printer by name"
-
Enabling the "Internet Printing Client" Windows feature has no effect - adding printer fails, and no network attempt to contact remote server is made as OS blocks the method internally.
-
When WPP is disabled
-
You can add printers using any method listed above.
Add-Printer vs rundll32
-
Add-Printer
-
Example:
Add-Printer -IppURL https://<fqdn_or_ip>:<port>/ipp/print -
It creates printer with WSD port and "Microsoft IPP Class Driver”.
-
Only secure IPPS printing is supported (not plain IPP).
-
Printing options: Duplex, Color mode, few others but no finishing options (Microsoft may expand feature set later).
-
IPP credentials can’t be pre-set - user enters them when printing.
-
Port network address format differences
-
Windows 11 21H2: https://<fqdn_or_ip>:<port>/ipp/print
-
Windows 11 24H2: <fqdn_or_ip>
-
-
-
rundll32
-
Example:
RUNDLL32 PRINTUI.DLL,PrintUIEntry /b "MyPrinter" /n "MyPrinter" /if /f "" /r "http://<fqdn_or_ip>:<port>/ipp/print" /m "MS Publisher Color Printer" /u /z -
It creates printer with IPP port and user chosen v3 or v4 print driver.
-
Windows feature “Internet Printing Client" is required to be enabled.
-
Print through IPPS and plain IPP is supported.
-
Printing options depend on the driver used, i.e. “Microsoft IPP Class Driver” offers very limited settings without color mode and duplex.
-
IPP credentials can be pre-set in the IPP port settings.
-
Tests with MIG acting as IPP server
1/ Configuration scenario 1
MIG\bin\MigService.exe.config
<add key="use-ipps" value="T" />
<add key="allow-public-user" value="F" />
WPP on (Win11 24H2): Print via WSD port works, user has to fill in YSoft SafeQ credentials in Windows pop-up, job assigned to those credentials.
WPP off (Win11 21H2): Print via WSD port fails, no pop-up for credentials is shown, in printer properties it is not possible to define IPP user credentials.
WPP off (Win11 21H2): Print via IPP port (rundll32) works. But it is necessary to edit the IPP port and fill in YSoft SafeQ username and password manually (option "Use the specified user account"), otherwise the job will not be accepted no matter if the Windows account exists in YSoft SafeQ or not. The job owner is YSoft SafeQ user whose credentials were defined for IPP port on workstation.
2/ Configuration scenario 2
MIG\bin\MigService.exe.config
<add key="use-ipps" value="T" />
<add key="allow-public-user" value="T" />
WPP on (Win11 24H2): Print via WSD port works, job owner is the MS Windows username that initiated print.
WPP off (Win11 21H2): Print via WSD port works, job owner is the MS Windows username that initiated print.
WPP off (Win11 21H2): Print via IPP port (rundll32) works, job owner is the MS Windows username that initiated print on workstation.
3/ Configuration scenario 3
MIG\bin\MigService.exe.config
<add key="use-ipps" value="F" />
<add key="allow-public-user" value="T" />
WPP on (Win11 24H2): Print via WSD port fails, printing without TLS seems impossible with this port type.
WPP off (Win11 21H2): Print via WSD port fails, printing without TLS seems impossible with this port type.
WPP off (Win11 21H2): Print via IPP port (rundll32) works, job owner is the MS Windows username that initiated print on workstation.
Tests with V3 spooler in server mode acting as IPP server
1/ Configuration scenario 1
<Spooler>\versions\latest\configuration\local.json
"JobReceivingOptions": {
"IppReceivingEnabled": true,
"UseIpps": true
WPP on (Win11 24H2): Adding WSD port fails with "The specified WSD or IPP print device was not found" (missing feature SQC-8518).
WPP off (Win11 21H2): Adding WSD port fails with "The specified WSD or IPP print device was not found" (missing feature SQC-8518).
WPP off (Win11 21H2): Print via IPP port (rundll32) works, job owner is the MS Windows username that initiated print on workstation. However specifying YSoft SafeQ username and password (or even invalid credentials) in IPP port settings has no effect whatsoever, job always assigned to MS Windows username that initiated print (missing implementation SQC-8510; in other words V3 spooler in IPP mode ignores IPP authentication and acts in a similar manner as MIG with "allow-public-user" value="T").