This tutorial will show you how to enable or disable Untrusted Font Blocking for all users in Windows 10 and Windows 11.
A font is a graphical representation of text that may include a different typeface, point size, weight, color, or design.
To help protect against attacks that may originate from untrusted or attacker-controlled font files, Microsoft created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops users from loading untrusted fonts processed using the Graphics Device Interface (GDI). Untrusted fonts are any fonts installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local elevation-of-privilege (EoP) attacks that can happen during the font file-parsing process.
There are three ways to use the Blocking Untrusted Fonts feature:
| Mode | Description |
|---|---|
| On | Helps stop any font processed using GDI from loading outside of the %windir%/Fonts directory. It also turns on event logging. |
| Audit | Turns on event logging, but doesn't block fonts from loading, regardless of location. The names of the apps that use untrusted fonts appear in your event log. |
| Exclude apps to load untrusted fonts | You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. |
Reference: Block untrusted fonts in an enterprise (learn.microsoft.com): "To help protect your company from attacks that may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature."
You must be signed in as an administrator to enable or disable Untrusted Font Blocking.
Contents
- Option One: Enable or Disable Untrusted Font Blocking in Local Group Policy Editor
- Option Two: Enable or Disable Untrusted Font Blocking using REG file
Option One: Enable or Disable Untrusted Font Blocking in Local Group Policy Editor
The Local Group Policy Editor is only available in the Windows 10/11 Pro, Enterprise, and Education editions.
All editions can use Option Two to configure the same policy.
1 Open the Local Group Policy Editor (gpedit.msc).
2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)
Computer Configuration > Administrative Templates > System > Mitigation Options
3 In the right pane of Mitigation Options in the Local Group Policy Editor, double click/tap on the Untrusted Font Blocking policy to edit it. (see screenshot above)
4 Do step 5 (enable), step 6 (audit), or step 7 (disable) below for what you want.
5 Enable Untrusted Font Blocking
A) Select (dot) Enabled. (see screenshot below)
B) Select Block untrusted fonts and log events in the "Mitigation Options" drop menu.
C) Click/tap on OK, and go to step 8.
6 Audit Only Untrusted Font Blocking
A) Select (dot) Enabled. (see screenshot below)
B) Select Log events without blocking untrusted fonts in the "Mitigation Options" drop menu.
C) Click/tap on OK, and go to step 8.
7 Disable Untrusted Font Blocking
This is the default setting.
A) Select (dot) Not Configured. (see screenshot below)
B) Click/tap on OK, and go to step 8.
8 You can now close the Local Group Policy Editor if you like.
Option Two: Enable or Disable Untrusted Font Blocking using REG file
1 Do step 2 (enable), step 3 (audit), or step 4 (disable) below for what you would like to do.
2 Enable Untrusted Font Blocking
A) Click/tap on the Download button below to download the file below, and go to step 5 below.
Block_untrusted_fonts_and_log_events.reg
Download
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
"MitigationOptions_FontBocking"="1000000000000"
3 Audit Only Untrusted Font Blocking
A) Click/tap on the Download button below to download the file below, and go to step 5 below.
Log_events_without_blocking_untrusted_fonts.reg
Download
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
"MitigationOptions_FontBocking"="3000000000000"
4 Disable Untrusted Font Blocking
This is the default setting.
A) Click/tap on the Download button below to download the file below, and go to step 5 below.
Default_Do_not_block_untrusted_fonts.reg
Download
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
"MitigationOptions_FontBocking"=-
5 Save the REG file to your desktop.
6 Double click/tap on the downloaded REG file to merge it.
7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
8 You can now delete the downloaded REG file if you like.
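The same policy can be set, read back, and audited from an elevated PowerShell prompt instead of merging a REG file. This is an added example, not part of the original tutorial; it writes the same value name and string data as the REG files above (the "Off" data and the Win32k/Operational event ID 260 come from Microsoft's documentation for this feature, and the function names are my own).

```powershell
# Added example: manage the Untrusted Font Blocking policy from PowerShell (run elevated).
$RegPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
$ValueName = 'MitigationOptions_FontBocking'   # the value name Windows actually reads (sic)

# REG_SZ data for each mode, matching the REG files in this tutorial.
$Modes = @{
    Block = '1000000000000'   # block untrusted fonts and log events
    Off   = '2000000000000'   # explicitly off (documented by Microsoft; not one of the REG files above)
    Audit = '3000000000000'   # log events without blocking
}

function Get-UntrustedFontBlocking {
    # Reports the configured mode; NotConfigured means the value is absent (the tutorial's "disable").
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ($item.$ValueName) {
        '1000000000000' { 'Block' }
        '2000000000000' { 'Off' }
        '3000000000000' { 'Audit' }
        default         { "Unknown ($($item.$ValueName))" }
    }
}

function Set-UntrustedFontBlocking {
    param([Parameter(Mandatory)][ValidateSet('Block', 'Audit', 'Off', 'NotConfigured')][string]$Mode)
    if ($Mode -eq 'NotConfigured') {
        # Same effect as Default_Do_not_block_untrusted_fonts.reg: delete the value.
        Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
        return
    }
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    # The data is a REG_SZ string, exactly as in the REG files (not a DWORD).
    New-ItemProperty -Path $RegPath -Name $ValueName -Value $Modes[$Mode] -PropertyType String -Force | Out-Null
}

function Get-UntrustedFontEvents {
    # Lists recent font-blocking/audit events. Assumes the channel name below matches the
    # Event Viewer path Microsoft > Windows > Win32k > Operational and event ID 260.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Typical rollout: audit first, review which apps load untrusted fonts, then block.
Set-UntrustedFontBlocking -Mode Audit
Get-UntrustedFontBlocking
Get-UntrustedFontEvents -MaxEvents 10
```

A reboot is required before the new mode takes effect, so read the value back after restarting when validating a deployment.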
That's it,
Shawn Brink