At 8:03 a. m. two weeks after we completed our full Microsoft 365 cutover, the helpdesk phone began to ring and it did not cease, basically. The Dallas accounting was unable to print customer invoices. The Ohio warehouse had no way of printing shipping labels. The home based sales team in Florida was unable to print contracts. All the other migration had just worked fine – Teams, one drive, exchange online, Intune, everything – but printing just died to everyone who was not in the corporate office.
And chances are that you are an IT administrator or business owner in the US and you have had this very nightmare. It is always written in small font, but once you switch completely to the cloud with Azure AD (nowadays called Entra ID) and PCs controlled by Intune, your old on-premise print server will be unavailable to all the remote workers or hybrid workers. The solution that most consultants are promoting is Universal print or third party cloud- prints which are priced at $4-15 per user per month. We tried the demos. The drivers were a shambles, the roll out took months and the monthly payment was going to be five figures. There had to be a better way.
Why Printing Silently Breaks After a Microsoft 365 Migration
Back in the olden days, your laptop would connect to the Wi-Fi network in the office, it would see the Windows print server at 192.168.10.50 and everything just would work. Once you have migrated to Microsoft 365 and devices joined to your Azure AD you can use the same laptop at home or in a hotel and connect directly to the internet and authenticate to the cloud of Microsoft. The corporate firewall now sits in front of your local printers and print server having no public IP address and no means of reaching the remote laptop. Direct IP printing is not working, the shared printers are not found and people have begun to email PDFs to the single individual left in the office who can print. Chaos.
Weeks were spent on the familiar suspects: the compulsory use of Direct IP over port 9100, messing with Hybrid Azure AD Join (which Microsoft is phase out of anyway), and experimenting with Universal Print in a pilot group. There was nothing fast, cheap or reliable.
The 2025 Fix Microsoft Doesn’t Advertise: A Modern VPN Gateway
The answer that no one on Reddit or in the Microsoft forums is fond of to say is still fully functional in 2025 is to put the remote computers back on the corporate network and use a proper VPN gateway. The printers have suddenly re-emerged on the screen right after the tunnel is up, just like they were before the migration of the cloud, without any new drivers, no per-user licenses, no monthly print-tax.
A properly set up VPN gateway establishes a secure tunnel between all the devices that are part of the Azure AD or Intune directly directly to your headquarters or data center. As soon as the user logs in (or even before logging in with Always-On), Windows is confronted with the identical print server and printers that it was five years ago. Snowstorm – Accounting checks are printed at home. The warehouse employees can print UPS labels within two seconds. Life goes back to normal.
My Exact Setup That Costs $8–$12 Per User Per Month and Took One Weekend
We kept our existing Windows print server exactly as it was — zero changes required. Then we stood up a cloud-managed VPN gateway that supports Always-On and split-tunnel capability. After testing half a dozen options, we landed on a combination that works flawlessly for 350 users across seven states:
- We deployed the built-in Azure VPN Gateway in point-to-site mode with Always-On enabled through Intune.
- For companies without an Azure footprint, the same result is achievable with Meraki MX, Cisco AnyConnect Secure Mobility Client, or a business-grade third-party gateway like Perimeter 81 or Tailscale for Teams.
We forced a basic Intune configuration profile that requires the Automatic connection of the VPN even before the user is presented with the Windows login screen. Within that profile we configured split tunneling such that only corporate traffic (our 10.0.0.0/8 and 192.168.0.0/16 blocks) traverses the tunnel. Netflix, You Tube and all remain on the home internet of the user at full throttle. Also read Why Traditional Firewalls Aren’t Enough for Modern Businesses
The last step was to re-enable the old Group Policy which automatically maps network printers using AD site or IP range. The initial occasion when a remote laptop was connected via the VPN gateway all the printers re-appeared as though nothing had happened.
Real-World Results After 14 Months
Printing of supports tickets had been cut in size by a quarter to half a weekly to zero. Our Ohio warehouse is also printing 4000 shipping labels daily without delays. The Texas accounting group mails and prints checks the same day despite the closure of the DFW airport by ice. The extra cost per month of the VPN gateway and licensing: approximately 3500 to 32000 dollars depending on the number of people that we needed to serve – a pittance compared to what Universal Print or Printix had cost us, and all works. For more information visit WebaviorVPN.
You Don’t Need Another Printing Subscription in 2025
If your organization is fighting the post-Microsoft 365 printing war, stop throwing money at cloud-print services. Deploy a proper VPN gateway with Always-On and split tunneling, keep your existing print server, and watch the problem disappear overnight. Your users will thank you, your budget will thank you, and your helpdesk can finally go back to doing something more useful.