Enable or Disable Untrusted Font Blocking in Windows 10

How to Enable or Disable Untrusted Font Blocking in Windows 10

Windows 10 comes with TrueType and OpenType fonts installed out of the box. They have either TTF or OTF file extensions. They support scaling and look sharp on modern displays. The OS also includes an advanced security feature that prevents fonts from being loaded from outside the C:\Windows\Fonts folder, considering them untrusted. Here's how to enable, configure, or disable this Untrusted Font Blocking feature.

You may be familiar with the classic Fonts Control Panel applet, which you could use to see the fonts that are currently installed, or to install or uninstall fonts.

Starting with build 17083, Windows 10 features a special section in the Settings app. The new section, called simply "Fonts", can be found under Personalization.

Instead of the classic applet, recent releases of Windows 10 offer the Fonts page in Settings, which is able to show off newer font capabilities, such as color fonts or variable fonts. A refresh of the Fonts UI to show off the newer capabilities was long overdue.

In Settings, a dedicated page for Fonts settings provides a short preview of each font family. The previews use a variety of interesting strings that are selected to match the primary languages that each font family is designed for, together with your own language settings. And if a font has multi-color capabilities built into it, then the preview will demonstrate this.

Untrusted Font Blocking in Windows 10

The Untrusted Font Blocking security feature in Windows 10 is implemented as a global option that prevents apps from loading untrusted fonts. When it is enabled, any font located outside of the C:\Windows\Fonts folder is considered untrusted. This option can be set to one of the following values: On, Off, and Audit. You can configure it with a Group Policy (where available), or by applying a Registry tweak.

There are 3 ways to use this feature:

  • On. Helps stop any font processed using GDI from loading outside of the %windir%/Fonts directory. It also turns on event logging.
  • Audit. Turns on event logging, but doesn’t block fonts from loading, regardless of location. The names of the apps that use untrusted fonts appear in your event log.
  • Exclude apps to load untrusted fonts. You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see Fix apps having problems because of blocked fonts.

To Enable Untrusted Font Blocking in Windows 10,

  1. Open the Registry Editor app.
  2. Go to the following Registry key.
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions
    See how to go to a Registry key with one click.
  3. On the right, modify or create a new string (REG_SZ) value MitigationOptions_FontBocking.
  4. Set its value to 1000000000000 to enable it.
  5. Set the value data to 3000000000000 to enable the Audit mode.
  6. Deleting the MitigationOptions_FontBocking value or setting it to 2000000000000 will disable the feature.
  7. For the changes made by the Registry tweak to take effect, you need to restart Windows 10.

You are done. To save your time, you can download the following ready-to-use Registry files:

Download Registry Files

If you are running Windows 10 Pro, Enterprise, or Education edition, you can use the Local Group Policy Editor app to configure the options mentioned above with a GUI. Here is how.

Enable or Disable Untrusted Font Blocking with Group Policy

  1. Press Win + R keys together on your keyboard and type: gpedit.msc. Press Enter.
  2. Group Policy Editor will open.
  3. Go to Computer Configuration\Administrative Templates\System\Mitigation Options.
  4. Enable the policy option Untrusted Font Blocking.
  5. Click one of the following Mitigation Options:
    • Block untrusted fonts and log events. Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log.
    • Do not block untrusted fonts. Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log.
    • Log events without blocking untrusted fonts. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts.
  6. Click OK and restart Windows 10.

Finally, you can configure the feature without involving the Group Policy. There is another Registry tweak you can apply.

Configure Untrusted Font Blocking without using Group Policy.

  1. Open Registry Editor (regedit.exe) and go to the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\
  2. If the MitigationOptions value is not there, right-click and add a new QWORD (64-bit) value named MitigationOptions.
  3. Update the Value data of the MitigationOptions value, making sure that you keep your existing value, as described in the Important note below:
    • To turn this feature on. Type 1000000000000.
    • To turn this feature off. Type 2000000000000.
    • To audit with this feature. Type 3000000000000.

    Important: Your existing MitigationOptions values should be saved during your update. For example, if the current value is 1000, your updated value should be 1000000001000.

  4. Restart your computer.
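
The read-modify-write that step 3 and the Important note describe, as an added PowerShell example (not part of the original article): it clears only the font-blocking bits of the existing value and sets the requested mode, leaving every other mitigation bit as it was. The function names are hypothetical, and the script assumes the value is either missing or a QWORD as in the steps above; it stops without writing if it finds any other type.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Function names are hypothetical.
# Assumption: Kernel\MitigationOptions is absent or a REG_QWORD, as in the steps.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$ValueName = 'MitigationOptions'

# The value data typed in the steps is hexadecimal.
$FontModes = @{
    On    = [long]0x1000000000000
    Off   = [long]0x2000000000000
    Audit = [long]0x3000000000000
}
# The two bits that carry the font-blocking mode (the union of the modes above).
$FontMask = [long]0x3000000000000

function Get-UpdatedMitigationValue {
    param(
        [long]$Current,
        [ValidateSet('On', 'Off', 'Audit')][string]$Mode
    )
    # Clear the old font-blocking bits, then OR in the requested mode,
    # so unrelated mitigation bits in the same QWORD are preserved.
    ($Current -band (-bnot $FontMask)) -bor $FontModes[$Mode]
}

function Set-FontBlockingMode {
    param([ValidateSet('On', 'Off', 'Audit')][string]$Mode)

    $key     = Get-Item -LiteralPath $KeyPath
    $current = [long]0
    if ($key.GetValueNames() -contains $ValueName) {
        $kind = $key.GetValueKind($ValueName)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::QWord) {
            # Refuse to overwrite data stored in a different format.
            throw "$ValueName is $kind, not QWord; leaving it unchanged."
        }
        $current = [long]$key.GetValue($ValueName)
    }

    $new = Get-UpdatedMitigationValue -Current $current -Mode $Mode
    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $new -Type QWord
    '{0}: 0x{1:X} -> 0x{2:X} (restart required)' -f $ValueName, $current, $new
}

# Start in Audit mode to see which apps load untrusted fonts before blocking.
Set-FontBlockingMode -Mode Audit
```
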

That's it.

1 thought on “Enable or Disable Untrusted Font Blocking in Windows 10”

  1. Blackcrack

    in Winaero Tweaker, would it be a nice Tweak !

    best regards
    Blacky
