Windows created the Blocking Untrusted Fonts feature to help companies protect themselves from attackers. Untrusted and attacker-controlled font files can be harmful to the system. This feature will turn on a global setting that stops the employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. In this article, we will show you how you can block untrusted fonts on Windows 10.
Blocking Untrusted Fonts
Blocking untrusted fonts is sometimes a good idea for a company to keep their system safe. However, this can also cause some usability issues for some users. It is a global setting that prevents all programs from loading untrusted fonts. Internet Explorer will face the issues regarding this setting, but other browsers will be fine. The untrusted fonts are those that are installed outside of the default fonts folder (%windir%\Fonts).
There are three modes in this feature and that is On, Off, and Audit. By default, this setting will be “Off” and no fonts are blocked. Setting it on “On” will completely block the untrusted fonts. Also, if you are not sure to deploy this feature into your company completely, then you can run it in the “Audit” mode to see if turning this on causes any usability or compatibility issues. You can also install fonts manually in the default font folder while this setting is enabled.
Method 1: Blocking Untrusted Fonts through the Local Group Policy Editor
The best and default method would be by using the Local Group Policy Editor. The setting is already available in there, a user just needs to change it by editing. All three modes of the setting are available in the form of a list.
Windows 10 Home edition users will not have the Local Group Policy Editor, so they need to skip to method 2.
If you have Local Group Policy Editor on your system, then follow the below steps:
- Press the Windows + R keys together to open the Run dialog. In the Run box, type “gpedit.msc” and press the Enter key to open the Local Group Policy Editor.
Note: Choose Yes option for UAC (User Account Control) prompt.
- In the left pane of the Local Group Policy Editor, navigate to the following path:
Computer Configuration\Administrative Templates\System\Mitigation Options
- Double-click on the “Untrusted Font Blocking” setting. A new window will open, change the toggle option to Enabled in here. Click on the Apply/Ok button to apply changes.
- Now your system will block the untrusted font loading in programs.
Method 2: Blocking Untrusted Fonts through the Registry Editor
Another way to modify this specific setting is by using the Registry Editor. In Registry Editor, most of the settings are not available by default. Due to which the user needs to create a key/value manually for that specific setting. For blocking untrusted fonts setting, there are three different value data that you can use. You can add one of the following value data to apply the setting:
- Block untrusted fonts and log events: 1000000000000
- Do not block untrusted fonts: 2000000000000
- Log events without blocking untrusted fonts: 3000000000000
Follow the below steps to modify the setting in the Registry Editor:
- Press the Windows and R keys to open a Run dialog on your system. Now type “regedit” and press Enter to open the Registry Editor. Choose Yes option for UAC (User Account Control) prompt.
- Navigate to the following path in the left pane of the Registry Editor:
- If the MitigationOptions key is missing, then create it by right-clicking on the Windows NT and choosing New > Key. Name the key as “MitigationOption“.
- Now in the MitigationOptions key, create a new string value by right-clicking on the right pane and choosing New > String Value. Name it as “MitigationOptions_FontBocking“.
- Double-click on the newly created value and change the Value data as “1000000000000” (with 12 zeros) for enabling the setting.
Note: You can also set other value data depending on what you want.
- The blocking for untrusted fonts will be enabled on your system.
Additional: How to View the Event Log
If you choose the Audit mode as your setting for blocking untrusted fonts feature. Then you may need to follow the below steps to know how you can check the event logs for details:
- Open a Run dialog by pressing the Windows + R keys together. Type “eventvwr.exe” and press Enter to open the Event Viewer.
- Navigate to the following location in the left pane of Event Viewer:
Application and Service Logs/Microsoft/Windows/Win32k/Operational
- Click on any of the events in the list to view the details for it as shown below.