How to Block Untrusted Fonts on Windows?

Windows includes the Blocking Untrusted Fonts feature to help companies protect themselves from attackers. Untrusted, attacker-controlled font files can be harmful to the system. The feature is a global setting that stops employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. In this article, we show how to block untrusted fonts on Windows 10.


Blocking untrusted fonts can help a company keep its systems safe. However, it can also cause usability issues for some users. It is a global setting that prevents all programs from loading untrusted fonts. Internet Explorer will run into issues with this setting, but other browsers will be fine. Untrusted fonts are those installed outside the default fonts folder (%windir%\Fonts).

The feature has three modes: On, Off, and Audit. By default the setting is “Off” and no fonts are blocked. Setting it to “On” blocks untrusted fonts completely. If you are not sure about deploying the feature across your company, you can run it in “Audit” mode first to see whether turning it on would cause any usability or compatibility issues. You can still install fonts manually into the default fonts folder while the setting is enabled.

Method 1: Blocking Untrusted Fonts through the Local Group Policy Editor

The best and default method is the Local Group Policy Editor. The setting already exists there, so you only need to edit it. All three modes of the setting are available as a list.

Windows 10 Home edition users will not have the Local Group Policy Editor, so they need to skip to method 2.

If you have Local Group Policy Editor on your system, then follow the below steps:

  1. Press the Windows + R keys together to open the Run dialog. In the Run box, type “gpedit.msc” and press the Enter key to open the Local Group Policy Editor.
    Note: Choose the Yes option at the UAC (User Account Control) prompt.
  2. In the left pane of the Local Group Policy Editor, navigate to the following path:
    Computer Configuration\Administrative Templates\System\Mitigation Options
  3. Double-click the “Untrusted Font Blocking” setting. In the window that opens, change the toggle option to Enabled, then click the Apply/Ok button to apply the changes.
  4. Your system will now block untrusted fonts from loading in programs.

Method 2: Blocking Untrusted Fonts through the Registry Editor

Another way to modify this setting is through the Registry Editor. Most policy settings do not exist in the registry by default, so you need to create the key and value for this setting manually. The untrusted font blocking setting accepts three different value data. Add one of the following to apply the setting:

  • Block untrusted fonts and log events: 1000000000000
  • Do not block untrusted fonts: 2000000000000
  • Log events without blocking untrusted fonts: 3000000000000

Follow the below steps to modify the setting in the Registry Editor:

  1. Press the Windows and R keys to open a Run dialog on your system. Type “regedit” and press Enter to open the Registry Editor. Choose the Yes option at the UAC (User Account Control) prompt.
  2. Navigate to the following path in the left pane of the Registry Editor:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions
  3. If the MitigationOptions key is missing, create it by right-clicking the Windows NT key and choosing New > Key. Name the key “MitigationOptions”.
  4. In the MitigationOptions key, create a new string value by right-clicking in the right pane and choosing New > String Value. Name it “MitigationOptions_FontBocking”.
  5. Double-click the newly created value and set the Value data to “1000000000000” (with 12 zeros) to enable the setting.
    Note: You can also set one of the other value data, depending on the mode you want.
  6. Blocking of untrusted fonts will now be enabled on your system.
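
The same registry change can be scripted. The following PowerShell is an added example, not part of the original article: it writes the string value from the steps above using the three value data listed in Method 2 and reads the mode back. The function names `Set-FontBlockingMode` and `Get-FontBlockingMode` are hypothetical helpers, and the script assumes an elevated PowerShell session.

```powershell
# Added example: applies the Method 2 registry setting from a script.
# Key path, value name and value data are taken from the article.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
$ValueName = 'MitigationOptions_FontBocking'   # spelled exactly as in the article

# Mode-to-value mapping from the bullet list in Method 2.
$ModeValues = [ordered]@{
    On    = '1000000000000'   # block untrusted fonts and log events
    Off   = '2000000000000'   # do not block untrusted fonts
    Audit = '3000000000000'   # log events without blocking untrusted fonts
}

function Set-FontBlockingMode {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [ValidateSet('On', 'Off', 'Audit')]
        [string]$Mode
    )
    # Step 3: create the MitigationOptions key if it is missing.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Steps 4 and 5: create (or overwrite) the string value with the chosen data.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $ModeValues[$Mode] `
        -PropertyType String -Force | Out-Null
}

function Get-FontBlockingMode {   # hypothetical helper name
    # Read the value back and translate it to a mode name.
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName `
        -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) { return 'Off (value not set)' }
    foreach ($entry in $ModeValues.GetEnumerator()) {
        if ($entry.Value -eq $current) { return $entry.Key }
    }
    return "Unrecognised value data: $current"
}

# Start in Audit mode, as the article suggests for a cautious rollout.
Set-FontBlockingMode -Mode Audit
Get-FontBlockingMode
```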

Additional: How to View the Event Log

If you choose Audit mode for the untrusted font blocking feature, follow the steps below to check the event logs for details:

  1. Open a Run dialog by pressing the Windows + R keys together. Type “eventvwr.exe” and press Enter to open the Event Viewer.
  2. Navigate to the following location in the left pane of Event Viewer:
    Applications and Services Logs/Microsoft/Windows/Win32k/Operational
  3. Click any of the events in the list to view its details.
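
For reviewing Audit mode results across more than a handful of events, the same log can be read from PowerShell. This is an added example, not part of the original article: it groups identical events so the applications and fonts that would be affected by switching to “On” stand out. The channel name `Microsoft-Windows-Win32k/Operational` is assumed from the Event Viewer path above, `Get-FontBlockingEventSummary` is a hypothetical helper name, and no event ID filter is applied because the article does not give one.

```powershell
# Added example: summarise the Win32k operational log used by Audit mode.
# Channel name assumed from the Event Viewer path in the steps above.
$LogName = 'Microsoft-Windows-Win32k/Operational'

function Get-FontBlockingEventSummary {   # hypothetical helper name
    param(
        [int]$Days = 7,          # how far back to look
        [int]$MaxEvents = 500    # cap on events read from the log
    )
    $filter = @{
        LogName   = $LogName
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents `
        -ErrorAction SilentlyContinue)

    # Identical messages usually mean the same program loading the same font,
    # so group on event ID and message text and show the most frequent first.
    $events |
        Group-Object -Property Id, Message |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count    = $_.Count
                EventId  = $_.Group[0].Id
                LastSeen = ($_.Group | Measure-Object -Property TimeCreated -Maximum).Maximum
                Message  = $_.Group[0].Message
            }
        }
}

Get-FontBlockingEventSummary -Days 7 | Format-List
```

An empty result after a representative period in Audit mode suggests that no program on that machine relied on fonts outside %windir%\Fonts during that time.
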
ABOUT THE AUTHOR

Kevin Arrows