Enable or Disable Untrusted Font Blocking in Windows 11

This tutorial will show you how to enable or disable Untrusted Font Blocking for all users in Windows 10 and Windows 11.

A font is a graphical representation of text that may include a different typeface, point size, weight, color, or design.

To help protect against attacks that may originate from untrusted or attacker-controlled font files, Microsoft created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops users from loading untrusted fonts processed using the Graphics Device Interface (GDI). An untrusted font is any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local elevation of privilege (EOP) attacks that can happen during the font file-parsing process.

There are three ways to use the Blocking Untrusted Fonts feature:

  • On: Helps stop any font processed using GDI from loading outside of the %windir%/Fonts directory. It also turns on event logging.
  • Audit: Turns on event logging, but doesn't block fonts from loading, regardless of location. The names of the apps that use untrusted fonts appear in your event log.
  • Exclude apps to load untrusted fonts: You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on.



You must be signed in as an administrator to enable or disable Untrusted Font Blocking.



Contents

  • Option One: Enable or Disable Untrusted Font Blocking in Local Group Policy Editor
  • Option Two: Enable or Disable Untrusted Font Blocking using REG file




Option One

Enable or Disable Untrusted Font Blocking in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 10/11 Pro, Enterprise, and Education editions.

All editions can use Option Two to configure the same policy.


1 Open the Local Group Policy Editor (gpedit.msc).

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor.

Computer Configuration > Administrative Templates > System > Mitigation Options


3 In the right pane of Mitigation Options in the Local Group Policy Editor, double click/tap on the Untrusted Font Blocking policy to edit it.

4 Do step 5 (enable), step 6 (audit), or step 7 (disable) below for what you want.

5 Enable Untrusted Font Blocking

A) Select (dot) Enabled.

B) Select Block untrusted fonts and log events in the "Mitigation Options" drop menu.

C) Click/tap on OK, and go to step 8.

6 Audit Only Untrusted Font Blocking

A) Select (dot) Enabled.

B) Select Log events without blocking untrusted fonts in the "Mitigation Options" drop menu.

C) Click/tap on OK, and go to step 8.

7 Disable Untrusted Font Blocking

This is the default setting.


A) Select (dot) Not Configured.

B) Click/tap on OK, and go to step 8.

8 You can now close the Local Group Policy Editor if you like.




Option Two

Enable or Disable Untrusted Font Blocking using REG file


1 Do step 2 (enable), step 3 (audit), or step 4 (disable) below for what you would like to do.

2 Enable Untrusted Font Blocking

A) Click/tap on the Download button below to download the file below, and go to step 5 below.​

Block_untrusted_fonts_and_log_events.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
"MitigationOptions_FontBocking"="1000000000000"

3 Audit Only Untrusted Font Blocking

A) Click/tap on the Download button below to download the file below, and go to step 5 below.​

Log_events_without_blocking_untrusted_fonts.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
"MitigationOptions_FontBocking"="3000000000000"

4 Disable Untrusted Font Blocking

This is the default setting.


A) Click/tap on the Download button below to download the file below, and go to step 5 below.​

Default_Do_not_block_untrusted_fonts.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
"MitigationOptions_FontBocking"=-

5 Save the REG file to your desktop.

6 Double click/tap on the downloaded REG file to merge it.

7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

8 You can now delete the downloaded REG file if you like.


That's it,
Shawn Brink
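
To confirm which mode is in effect after using either option, and to see what audit mode has logged before switching to blocking, the following PowerShell script can be used. It is an added example, not part of the original tutorial. The function names are made up for illustration, and the event log channel and event ID 260 do not appear in the tutorial; they are where Windows records untrusted-font events.

```powershell
# Added example: report the Untrusted Font Blocking policy mode and summarize logged font events.
# Run from an elevated PowerShell prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
$ValueName = 'MitigationOptions_FontBocking'   # spelled exactly as in the REG files above

# Values taken from the REG files in this tutorial
$Modes = @{
    '1000000000000' = 'On (block untrusted fonts and log events)'
    '3000000000000' = 'Audit (log events without blocking untrusted fonts)'
}

# Hypothetical helper: translate the policy value into the mode it selects.
function Get-FontBlockingMode {
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (default, untrusted fonts are not blocked)' }
    $raw = [string]$item.$ValueName
    if ($Modes.ContainsKey($raw)) { return $Modes[$raw] }
    return "Unrecognized value: $raw"
}

# Hypothetical helper: fetch font events (ID 260) from the Win32k operational log.
# Assumption: the log channel exists and is enabled on this machine.
function Get-UntrustedFontEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Win32k/Operational'
        Id        = 260
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

"Policy mode: $(Get-FontBlockingMode)"

$events = @(Get-UntrustedFontEvents -Days 7)
"Font events (ID 260) in the last 7 days: $($events.Count)"

# Collapse repeated messages so each distinct event text is listed once with its count.
$events |
    Group-Object -Property Message |
    Sort-Object -Property Count -Descending |
    Select-Object -First 20 -Property Count, Name |
    Format-List
```

Running this in audit mode for a few days before choosing the blocking option shows which apps would be affected and may need to be excluded.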


 

Not for System administrators:
You can block web fonts with a browser extension
 
