ANAVEM

How to Enable/Disable Windows Protected Print Mode in Intune

Configure Windows Protected Print Mode via Microsoft Intune to restrict printing to Mopria-certified devices, enhancing enterprise security while managing operational impacts across your Windows fleet.

Evan Mael
March 26, 2026 | 15 min | medium | Intune | 9 steps

What is Windows Protected Print Mode and Why Enable It?

Windows Protected Print Mode (WPP) represents a significant security enhancement for enterprise printing environments. Introduced in Windows 11 version 24H2 and Windows Server 2025, WPP restricts printing operations to devices that meet Mopria Alliance certification standards. This approach eliminates the security risks associated with legacy printer drivers while maintaining compatibility with modern, secure printing devices.

How Does Windows Protected Print Mode Enhance Security?

Traditional printer drivers often run with elevated system privileges and can introduce vulnerabilities through outdated code, inadequate security controls, or malicious modifications. WPP addresses these concerns by removing non-certified printer drivers from the system entirely. When enabled, only Mopria-certified printers can function, as these devices use standardized, secure communication protocols that don't require traditional driver installations.

What Are the Operational Implications of Implementing WPP?

While WPP significantly improves security posture, it requires careful planning and execution. Organizations must inventory their current printer infrastructure to identify Mopria-certified devices and plan for the replacement or exclusion of legacy equipment. The transition affects not only physical printers but also virtual printing services like XPS Document Writer and Windows Fax, which are removed when WPP is activated. This tutorial provides the technical steps to implement WPP through Microsoft Intune while addressing these operational considerations through proper testing and rollback procedures.

Implementation Guide

Full Procedure

01

Access Microsoft Intune Admin Center and Create New Policy

Start by logging into the Microsoft Intune admin center to create your Windows Protected Print Mode policy. This centralized console manages all device configurations across your organization.

Open your web browser and navigate to the Intune admin center:

https://endpoint.microsoft.com/

Once logged in, navigate to Devices > Configuration > Create > New policy. Select Platform: Windows 10 and later and Profile type: Templates > Custom.

Pro tip: Bookmark the Intune admin center URL for quick access. The interface loads faster than navigating through the Microsoft 365 admin center.

Verification: You should see the "Create a profile" wizard with Windows 10 and later selected as the platform and Custom as the profile type.

02

Configure Basic Policy Information

Set up the foundational details for your Windows Protected Print Mode policy. Clear naming conventions help administrators understand the policy's purpose and scope.

In the Basics tab, configure these fields:

  • Name: Windows Protected Print Mode - Enable (or "Disable" if creating a disable policy)
  • Description: Enables Windows Protected Print Mode to restrict printing to Mopria-certified devices for enhanced security
  • Platform: Windows 10 and later (already selected)
  • Profile type: Custom (already selected)

Click Next to proceed to the configuration settings.

Warning: Use descriptive names that indicate whether the policy enables or disables WPP. You'll likely need both policies for different device groups.

Verification: The policy name appears in the breadcrumb navigation at the top of the page, confirming your entries were saved.

03

Add OMA-URI Configuration Settings

Configure the core OMA-URI setting that controls Windows Protected Print Mode. This method provides precise control over the WPP functionality.

In the Configuration settings tab, click Add to create a new OMA-URI setting:

  • Name: Configure Windows Protected Print
  • Description: Controls Windows Protected Print Mode state
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureWindowsProtectedPrint
  • Data type: String
  • Value: <enabled/> (to enable WPP) or <disabled/> (to disable WPP)

The OMA-URI path is case-sensitive and must be entered exactly as shown. This setting leverages the Windows Configuration Service Provider (CSP) for printer policies.

Pro tip: Create two separate policies - one for enabling and one for disabling WPP. This allows you to quickly switch between states for different device groups during testing.

Verification: The OMA-URI setting appears in the configuration list with a green checkmark indicating valid syntax.
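
The profile from steps 01 to 03 can also be created through Microsoft Graph, so the OMA-URI and value are reviewed as code instead of typed by hand. This is an added example, not part of the original tutorial; it assumes the Microsoft.Graph.Authentication module is installed, and New-WppProfileBody is a hypothetical helper name.

```powershell
# Added example: builds the Custom profile from steps 01-03 through Microsoft Graph.
# Assumes the signed-in account may manage Intune device configuration.
#Requires -Modules Microsoft.Graph.Authentication

# Hypothetical helper: returns the request body for the enable or disable profile.
function New-WppProfileBody {
    param(
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Mode
    )
    # ADMX-backed policy: the String value is the literal element shown in step 03.
    $value = if ($Mode -eq 'Enable') { '<enabled/>' } else { '<disabled/>' }
    @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = "Windows Protected Print Mode - $Mode"
        description   = "Sets Windows Protected Print Mode to $Mode via OMA-URI"
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingString'
                displayName   = 'Configure Windows Protected Print'
                description   = 'Controls Windows Protected Print Mode state'
                omaUri        = './Device/Vendor/MSFT/Policy/Config/Printers/ConfigureWindowsProtectedPrint'
                value         = $value
            }
        )
    }
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

foreach ($mode in 'Enable', 'Disable') {
    $body = New-WppProfileBody -Mode $mode | ConvertTo-Json -Depth 5
    # Profiles are created unassigned; group assignment stays a deliberate step (step 04).
    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body $body -ContentType 'application/json'
    '{0} -> profile id {1}' -f $created.displayName, $created.id
}
```

Both profiles exist after the run but apply to no devices until groups are added in the Assignments tab.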

04

Configure Policy Assignments and Scope

Assign the policy to specific device groups while considering the operational impact of Windows Protected Print Mode on your environment.

In the Assignments tab:

  1. Click Add groups under Included groups
  2. Select your target groups (start with a pilot group of 10-20 devices)
  3. Consider excluding groups with legacy printers under Excluded groups
  4. Review the assignment summary

Example assignment strategy:

Included groups:
- IT-Pilot-Devices
- Executive-Laptops
- Conference-Room-PCs

Excluded groups:
- Manufacturing-Workstations
- Legacy-Printer-Users
- Critical-Production-Systems

Warning: Enabling WPP will immediately remove non-Mopria printer drivers from assigned devices. Test with a small pilot group first to identify affected printers and users.

Verification: The assignment summary shows the estimated number of devices that will receive this policy.

05

Review and Deploy the Policy

Complete the policy creation process and monitor the initial deployment to ensure successful application across your target devices.

In the Review + create tab:

  1. Review all configuration details
  2. Verify the OMA-URI path and value are correct
  3. Confirm assignment groups are appropriate
  4. Click Create to deploy the policy

After creation, monitor the deployment status:

  1. Navigate to Devices > Monitor > Device configuration
  2. Find your Windows Protected Print Mode policy
  3. Check the Device status and User status tabs

Policy application typically occurs within 8 hours for standard check-ins, or immediately if you trigger a manual sync.

Pro tip: Use the "Sync" option in the Intune Company Portal app or run Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask in PowerShell to force immediate policy refresh.

Verification: Policy status shows "Succeeded" for target devices, and the deployment percentage reaches 100% for your pilot group.

06

Verify Windows Protected Print Mode Activation on Devices

Confirm that Windows Protected Print Mode is properly configured on target devices using both registry checks and user interface verification.

On a target device, open PowerShell as Administrator and run:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers" -Name "EnableWindowsProtectedPrintMode"

Expected output for enabled WPP:

EnableWindowsProtectedPrintMode : 1
PSPath                         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers
PSParentPath                   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
PSChildName                    : Printers
PSDrive                        : HKLM
PSProvider                     : Microsoft.PowerShell.Core\Registry

Also verify through the Windows Settings interface:

  1. Open Settings > Bluetooth & devices > Printers & scanners
  2. Click Printer preferences
  3. Look for Windows protected print setting (should be grayed out/enforced)

Warning: When WPP is enabled, non-Mopria printers will be automatically removed from the system. Document affected printers before deployment and have a rollback plan ready.

Verification: Registry value shows 1 for enabled or 0 for disabled, and the Settings UI reflects the enforced state.

07

Test Printing Functionality and Document Impact

Validate that Mopria-certified printers continue to function while non-certified devices are properly restricted or removed.

Perform these tests on devices with WPP enabled:

  1. Test Mopria-certified printers: Print a test page to confirm functionality
  2. Check removed printers: Verify non-Mopria printers no longer appear in the printer list
  3. Test print queue: Ensure print jobs process normally for certified devices
  4. Verify XPS/Fax impact: Check if Microsoft XPS Document Writer or Windows Fax were removed

Use this PowerShell command to list current printers:

Get-Printer | Select-Object Name, DriverName, PortName | Format-Table -AutoSize

Document the results in a testing matrix:

Printer Name          | Mopria Certified | Status After WPP
---------------------|------------------|------------------
HP LaserJet Pro M404 | Yes              | Working
Canon PIXMA TR8620   | Yes              | Working
Old Epson Dot Matrix | No               | Removed
XPS Document Writer  | N/A              | Removed

Pro tip: Create a comprehensive printer inventory before deployment. Use tools like wmic printer list full to capture detailed printer information for rollback purposes.

Verification: Only Mopria-certified printers remain functional, and users can successfully print to approved devices without security warnings.
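
An added example (not from the original article) of the pre-deployment inventory the tip above calls for: it joins each print queue to its installed driver, saves the result for rollback, and flags queues that do not use an in-box class driver. The driver-name list, the ReviewBeforeWpp column and the function name are assumptions of this example; the flag is a heuristic for review, not a Mopria certification check.

```powershell
# Added example: per-device printer inventory to run BEFORE the enable policy is assigned.
# Save as a .ps1 file and run in an elevated PowerShell session.
param(
    [string]$OutFile = ".\PrinterInventory-$env:COMPUTERNAME.csv",
    # Assumption: queues on these in-box class drivers do not depend on a vendor driver.
    [string[]]$DriverlessDrivers = @('Microsoft IPP Class Driver', 'Universal Print Class Driver')
)

# Hypothetical helper: one row per print queue, joined to its driver details.
function Get-WppPrinterInventory {
    param([string[]]$DriverlessDrivers)

    # Index installed drivers by name so each queue can be matched to its driver.
    $drivers = @{}
    foreach ($d in Get-PrinterDriver) { $drivers[$d.Name] = $d }

    foreach ($p in Get-Printer) {
        $drv = $drivers[$p.DriverName]
        [PSCustomObject]@{
            Computer        = $env:COMPUTERNAME
            Printer         = $p.Name
            DriverName      = $p.DriverName
            DriverVersion   = if ($drv) { "v$($drv.MajorVersion)" } else { 'unknown' }
            Manufacturer    = if ($drv) { $drv.Manufacturer } else { 'unknown' }
            PortName        = $p.PortName
            Shared          = $p.Shared
            # Heuristic only: confirm against the Mopria list and the pilot results.
            ReviewBeforeWpp = $p.DriverName -notin $DriverlessDrivers
        }
    }
}

$inventory = @(Get-WppPrinterInventory -DriverlessDrivers $DriverlessDrivers)

# Keep the full list for rollback; show only the queues that need a decision.
$inventory | Export-Csv -Path $OutFile -NoTypeInformation
$inventory | Where-Object ReviewBeforeWpp |
    Format-Table Printer, DriverName, DriverVersion, PortName -AutoSize
```

The CSV records the driver name and port of every queue, which is the information needed to reinstall a legacy printer during a rollback.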

08

Create Disable Policy for Rollback Scenarios

Prepare a disable policy to quickly roll back Windows Protected Print Mode if issues arise or when legacy printer support is temporarily needed.

Follow the same process as the enable policy, but with these key differences:

  1. Name: Windows Protected Print Mode - Disable
  2. Description: Disables Windows Protected Print Mode to restore legacy printer compatibility
  3. OMA-URI Value: <disabled/>

Assign the disable policy to a separate group initially (don't overlap with the enable policy assignments):

Disable Policy Assignment:
- WPP-Rollback-Group (empty initially)
- Legacy-Printer-Required-Users
- Emergency-Disable-Devices

To perform a rollback:

  1. Move affected devices from the enable policy group to the disable policy group
  2. Wait for policy application (or force sync)
  3. Reinstall required legacy printer drivers
  4. Re-enable XPS/Fax if needed via Optional Features

Warning: Disabling WPP doesn't automatically reinstall previously removed printer drivers. You'll need to manually reinstall legacy drivers, which reintroduces the security risks WPP was designed to mitigate.

Verification: After applying the disable policy, the registry value changes to 0, and the Settings UI shows Windows protected print as available for user control.

09

Monitor and Maintain Windows Protected Print Mode Policies

Establish ongoing monitoring and maintenance procedures to ensure Windows Protected Print Mode continues to meet your security and operational requirements.

Set up regular monitoring tasks:

  1. Policy Compliance: Check Intune reports weekly for policy application failures
  2. Printer Inventory: Maintain updated lists of Mopria-certified devices
  3. User Support: Monitor help desk tickets related to printing issues
  4. Security Events: Review Event Viewer logs for WPP-related entries

Use this PowerShell script to generate a compliance report:

# Check WPP status across domain computers
# Requires the ActiveDirectory module (RSAT) and PowerShell remoting on the targets
Import-Module ActiveDirectory
$computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name

# Collect the loop output directly instead of growing an array with +=
$results = foreach ($computer in $computers) {
    try {
        # -ErrorAction Stop makes connection failures terminating, so the catch block runs
        $wppStatus = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers" -Name "EnableWindowsProtectedPrintMode" -ErrorAction SilentlyContinue
        }
        [PSCustomObject]@{
            Computer   = $computer
            WPPEnabled = if ($wppStatus) { $wppStatus.EnableWindowsProtectedPrintMode } else { "Not Configured" }
            Status     = "Online"
        }
    } catch {
        # Unreachable host or remoting failure
        [PSCustomObject]@{
            Computer   = $computer
            WPPEnabled = "Error"
            Status     = "Offline"
        }
    }
}

$results | Export-Csv -Path "WPP-Compliance-Report.csv" -NoTypeInformation

Pro tip: Schedule monthly reviews of your printer inventory and Mopria certification status. New printer models may gain certification, allowing you to expand WPP coverage.

Verification: Regular compliance reports show consistent WPP application across your fleet, and user satisfaction remains high with approved printing devices.

Frequently Asked Questions

What happens to existing printers when Windows Protected Print Mode is enabled?

When WPP is enabled, all non-Mopria certified printer drivers are automatically removed from the system. This includes legacy printers, some network printers, and virtual printers like Microsoft XPS Document Writer and Windows Fax. Only printers that meet Mopria Alliance certification standards will continue to function. Organizations should inventory their printers before deployment to identify which devices will be affected and plan accordingly for replacement or policy exclusions.

Can I use Settings Catalog instead of Custom OMA-URI for Windows Protected Print Mode?

Yes, Microsoft has added ADMX-backed settings for Windows Protected Print Mode in the Intune Settings Catalog. You can find it under Administrative Templates > Printers > Configure Windows protected print. However, the Custom OMA-URI method provides more precise control and is recommended for production deployments. The Settings Catalog option may not be immediately available in all tenants, so the OMA-URI approach serves as a reliable fallback method.

How do I identify which printers in my environment are Mopria certified?

Check the Mopria Alliance website for certified device listings, or look for Mopria certification logos on printer specifications. Most modern network printers from major manufacturers (HP, Canon, Epson, Brother) released after 2020 support Mopria standards. You can also test by enabling WPP on a pilot device and seeing which printers remain functional. Create an inventory spreadsheet with printer models, certification status, and business criticality before rolling out WPP policies.

What should I do if Windows Protected Print Mode breaks critical business printing?

Immediately deploy the disable policy to affected devices by moving them from the enable policy group to the disable policy group in Intune. This will restore the previous printing functionality within the next policy refresh cycle (typically 8 hours, or immediately with manual sync). After disabling WPP, you'll need to manually reinstall any required legacy printer drivers that were removed. Consider creating device groups that exclude critical systems from WPP policies until Mopria-certified alternatives are available.

Does Windows Protected Print Mode affect printing performance or functionality?

WPP typically improves printing performance and reliability because Mopria-certified devices use standardized communication protocols that are more efficient than legacy drivers. However, some advanced printer features specific to manufacturer drivers may not be available through Mopria standards. Basic printing, scanning, and common features work normally. The security benefits of removing potentially vulnerable legacy drivers generally outweigh any minor feature limitations, especially in enterprise environments where standardized printing workflows are preferred.

Written by Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
