Enable or Disable Untrusted Font Blocking in Windows 11


This tutorial will show you how to enable or disable Untrusted Font Blocking for all users in Windows 10 and Windows 11.

A font is a graphical representation of text that may include a different typeface, point size, weight, color, or design.

To help protect against attacks that may originate from untrusted or attacker-controlled font files, Microsoft created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops users from loading untrusted fonts processed using the Graphics Device Interface (GDI). An untrusted font is any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local elevation of privilege (EOP) attacks that can happen during the font file-parsing process.

There are three ways to use the Blocking Untrusted Fonts feature:

  • On: Helps stop any font processed using GDI from loading outside of the %windir%/Fonts directory. It also turns on event logging.
  • Audit: Turns on event logging, but doesn't block fonts from loading, regardless of location. The names of the apps that use untrusted fonts appear in your event log.
  • Exclude apps to load untrusted fonts: You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on.

You must be signed in as an administrator to enable or disable Untrusted Font Blocking.



Contents

  • Option One: Enable or Disable Untrusted Font Blocking in Local Group Policy Editor
  • Option Two: Enable or Disable Untrusted Font Blocking using REG file




Option One

Enable or Disable Untrusted Font Blocking in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 10/11 Pro, Enterprise, and Education editions.

All editions can use Option Two to configure the same policy.


1 Open the Local Group Policy Editor (gpedit.msc).

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor.

Computer Configuration > Administrative Templates > System > Mitigation Options

3 In the right pane of Mitigation Options in the Local Group Policy Editor, double click/tap on the Untrusted Font Blocking policy to edit it.

4 Do step 5 (enable), step 6 (audit), or step 7 (disable) below for what you want.

5 Enable Untrusted Font Blocking

A) Select (dot) Enabled.

B) Select Block untrusted fonts and log events in the "Mitigation Options" drop menu.

C) Click/tap on OK, and go to step 8.

6 Audit Only Untrusted Font Blocking

A) Select (dot) Enabled.

B) Select Log events without blocking untrusted fonts in the "Mitigation Options" drop menu.

C) Click/tap on OK, and go to step 8.

7 Disable Untrusted Font Blocking

This is the default setting.

A) Select (dot) Not Configured.

B) Click/tap on OK, and go to step 8.

8 You can now close the Local Group Policy Editor if you like.




Option Two

Enable or Disable Untrusted Font Blocking using REG file


1 Do step 2 (enable), step 3 (audit), or step 4 (disable) below for what you would like to do.

2 Enable Untrusted Font Blocking

A) Click/tap on the Download button below to download the file below, and go to step 5 below.

Block_untrusted_fonts_and_log_events.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
"MitigationOptions_FontBocking"="1000000000000"

3 Audit Only Untrusted Font Blocking

A) Click/tap on the Download button below to download the file below, and go to step 5 below.

Log_events_without_blocking_untrusted_fonts.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
"MitigationOptions_FontBocking"="3000000000000"

4 Disable Untrusted Font Blocking

This is the default setting.

A) Click/tap on the Download button below to download the file below, and go to step 5 below.

Default_Do_not_block_untrusted_fonts.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
"MitigationOptions_FontBocking"=-

5 Save the REG file to your desktop.

6 Double click/tap on the downloaded REG file to merge it.

7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

8 You can now delete the downloaded REG file if you like.


That's it,
Shawn Brink
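
To confirm which mode is in effect after using either option, the policy value can be read back and the logged events listed. This is an added example, not part of the original tutorial: the function names are hypothetical, and the value 2000000000000, the log name Microsoft-Windows-Win32k/Operational and event ID 260 are taken from Microsoft's documentation of this feature rather than from this page.

```powershell
# Added example: report the Untrusted Font Blocking mode and list its logged events.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
$PolicyName = 'MitigationOptions_FontBocking'   # spelled exactly as in the REG files above

function Get-UntrustedFontBlockingMode {
    # Map the policy string to the modes described in this tutorial.
    $modes = @{
        '1000000000000' = 'On (block untrusted fonts and log events)'
        '3000000000000' = 'Audit (log events without blocking)'
        # Not used by the REG files above; Microsoft documents it as explicitly off.
        '2000000000000' = 'Off (explicitly turned off)'
    }

    # A missing key or a missing value both come back as $null.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'Not configured (default, untrusted fonts are not blocked)'
    }

    $value = [string]$item.$PolicyName
    if ($modes.ContainsKey($value)) {
        return $modes[$value]
    }
    return "Unrecognized value '$value'"
}

function Get-UntrustedFontEvents {
    param([int]$MaxEvents = 20)

    # Assumption from Microsoft's documentation: font blocking and audit events
    # are written to this log with event ID 260.
    $filter = @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 }

    # SilentlyContinue covers the "no matching events" case.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

"Untrusted Font Blocking: $(Get-UntrustedFontBlockingMode)"
Get-UntrustedFontEvents | Format-List
```

Running this in Audit mode before switching to On shows which apps would be affected, since the audit events name the apps that load untrusted fonts.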


 

Not for System administrators:
You can block web fonts with a browser extension
 
