News

Microsoft Claims Universal Print Compatible with Zero-Trust Network Security

• By Kurt Mackie
• 10/21/2021

Microsoft claimed this week that its Universal Print service is part of its "zero-trust" vision for networks.

The idea behind that claim is that Azure Active Directory is used to validate printers managed under the Universal Print service. Moreover, communications happen via Transport Layer Security (TLS) 1.2 connections, protecting against snooping. Finally, the client apps used can't extend their permission scopes, so no added permissions can be requested should the apps get breached.

The zero-trust claims for the Universal Print service appear to be new marketing information. Previously, Microsoft just stressed Universal Print's management perks for IT pros, such as not having to maintain print servers or update printer drivers. Universal Print is based on the Internet Print Protocol (IPP) standard from the Printer Working Group, which means that no device-specific print drivers need to be installed, updated or maintained when using the service.

Microsoft commercially released its Universal Print service back in March. At that time, the company explained that IT pros would be responsible for overseeing print limits, buying add-on packs of 500 print jobs each to address the print demand. These packs expire each month, and print jobs don't carry over. End users are limited to five print jobs per month. Besides those nuances and the costs of buying add-on packs each month, the Universal Print service is said to be "free" for organizations that have E3 or E5 licensing in place.

The best Universal Print experience is said to occur when using new Universal Print-qualified printers. A list of printer partners supporting Universal Print can be found in this Microsoft document.  

It's possible to use the Universal Print service with older printer, though. For older printers, Microsoft offers its Windows Universal Print Connector software as an alternative solution. Microsoft's Wednesday announcement, though, explained that organizations using this connector on a host machine still have to ensure that the latest print drivers are installed.

Here's Microsoft's note to that effect:

Note: Universal Print connector requires appropriate printer drivers to be installed on the host PC. Make sure the printer drivers used are from a trusted source, such as directly from the printer manufacturer or use Windows Update to install drivers.

Of course, one big reason to use the Universal Print service is to avoid having to install and maintain print drivers, so using the connector seems to involve taking a backward step in that respect.

Microsoft's zero-trust argument for Universal Print is a new one. The unspoken context of "PrintNightmare" wasn't mentioned in the announcement, though. Possibly, PrintNightmare issues aren't a problem for Universal Print users, since client rights are constrained.

PrintNightmare is the name for a bunch of vulnerabilities associated with Microsoft's old Point and Print Windows functionality. Point and Print is designed to make it easier for end users to discover and add printers, but it hasn't stood the test of time in terms of security.

Microsoft has been issuing patches for PrintNightmare attack variants every month since July, but the patches and workarounds have been problematic for organizations. Various Born's Tech and Windows World articles, like this one, have tried to keep up with all of the nuances.