How to Block Untrusted Fonts in Windows 11

The post provides instructions on how to block or unblock untrusted fonts in Windows 11. Untrusted fonts, which are installed outside of the Windows directory, can expose computers to security threats. They can be controlled through either the Local Group Policy Editor or Windows Registry Editor, with detailed steps provided for both methods.

This post explains how to block or unblock untrusted fonts in Windows 11.

Fonts that you install with Windows are stored in the C:\Windows\Fonts folder. You can also add fonts by dragging font files from the extracted files folder into this folder.

An untrusted font is any font installed outside of the %windir%/Fonts directory.

To help protect your computer from attacks that may originate from untrusted or attacker-controlled font files, Microsoft created the Blocking Untrusted Fonts feature.

Below is how to enable or disable using untrusted fonts in Windows 11.

Enable or disable the use of untrusted fonts

As described above, blocking untrusted fonts will protect your computer against attackers using font files to take over your computer.

There are three ways to control untrusted fonts in Windows:

  • On – Helps stop any font processed using GDI from loading outside of the %windir%/Fonts directory. It also turns on event logging.
  • Audit – Turns on event logging, but doesn’t block fonts from loading, regardless of location. The names of the apps that use untrusted fonts appear in your event log.
  • Exclude apps to load untrusted fonts – You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on.

Use the Local Group Policy Editor

To use the Local Group Policy Editor to enable or disable untrusted fonts, open the Local Group Policy Editor.

Then go to Computer Configuration -> Administrative Templates -> System -> Mitigation Options.

Then, in the Mitigation Options details pane on the right, locate and double-click the “Untrusted Font Blocking” setting.

On the Untrusted Font Blocking window, select Not Configured, Enabled, or Disabled.

  • Not Configured (default) – no fonts are blocked.
  • Enabled
    • Block untrusted fonts and log events.
    • Do not block untrusted fonts.
    • Log event without blocking untrusted fonts.
  • Disabled – Same as Not Configured – no fonts are blocked.

Make your selection and save your changes, then exit.

Use the Windows Registry Editor

Another way to control the use of untrusted fonts in Windows is to use the Windows Registry Editor.

If you can’t open the Local Group Policy Editor, use the Windows Registry editor instead.

Open the Windows Registry, and navigate to the folder key path below.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions

If you don’t see the MitigationOptions folder key, right-click the Windows NT key and create a new subkey named MitigationOptions.

Right-click in the right pane of the MitigationOptions folder key and select New -> DWORD (32-bit) Value. Name the new value MitigationOptions_FontBocking.

Double-click the new value (MitigationOptions_FontBocking), make sure the Base option is Hexadecimal, and then update the Value data, making sure you keep your existing value:

  • To turn this feature on, type 1000000000000.
  • To turn this feature off, type 2000000000000.
  • To audit with this feature, type 3000000000000.

Save your changes and restart your computer.

That should do it!
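To confirm which mode is in effect after the restart, the value can be read back and decoded. The script below is an added example, not part of the original post: the function name Get-FontBlockingMode is hypothetical, and it assumes the value may come back either as a number or as hexadecimal text. Because the post says to keep your existing value, it decodes only the digit that the three settings above change.

```powershell
# Added example: read-only check of the policy value described in this post.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
$ValueName = 'MitigationOptions_FontBocking'   # spelled exactly as in the post

function Get-FontBlockingMode {
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )

    # A missing key or value matches "Not Configured": no fonts are blocked.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    $raw = $item.$Name

    # Assumption: the data is either numeric or hex text; normalise both to UInt64.
    try {
        if ($raw -is [string]) {
            $bits = [Convert]::ToUInt64($raw.Trim(), 16)
        } else {
            $bits = [uint64]$raw
        }
    } catch {
        return "Unparseable ($raw)"
    }

    # Hex 1000000000000 is bit 48, so the post's three settings are 1, 2 and 3
    # in that position. Masking ignores any other digits kept in the value.
    $field = [int](($bits -shr 48) -band [uint64]3)
    switch ($field) {
        1       { 'On (block untrusted fonts and log events)' }
        2       { 'Off (do not block untrusted fonts)' }
        3       { 'Audit (log events without blocking)' }
        default { 'NotSet (no font-blocking digit in the value)' }
    }
}

Get-FontBlockingMode
```

The script only reads the registry, so it can be run from a standard PowerShell prompt on any machine you want to check.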

Reference:

Microsoft.com

Conclusion:

  • Enabling or disabling untrusted fonts in Windows 11 is an essential security measure to protect your computer from potential font-based attacks.
  • By leveraging the Local Group Policy Editor or the Windows Registry Editor, you can effectively control the use of untrusted fonts and log relevant events.
  • Following the provided step-by-step guide ensures a proactive approach to strengthening your computer’s security measures.
  • Please utilize the comment section below the post for additional insights or contributions.
  • Referencing Microsoft’s documentation on blocking untrusted fonts in the enterprise provides comprehensive information on this security feature.
Richard Avatar
