How to Enable or Disable Untrusted Font Blocking in Windows 10
Windows 10 comes with TrueType fonts and OpenType fonts installed out-of-the-box. They have either TTF or OTF file extensions. They support scaling and look sharp on modern displays. The OS comes with an advanced security feature that prevents fonts located outside of the C:\Windows\Fonts folder from being loaded, considering them untrusted. Here's how to enable, configure, or disable this Untrusted Font Blocking feature.
You may be familiar with the classic Fonts Control Panel applet, which you could use to see the fonts that are currently installed, or to install or uninstall fonts.
Starting with build 17083, Windows 10 features a special section in the Settings app. The new section, called simply "Fonts", can be found under Personalization.
Instead of the classic applet, recent releases of Windows 10 offer the Fonts page in Settings, which is able to show off newer font capabilities, such as color fonts or variable fonts. A refresh of the Fonts UI to show off the newer capabilities was long overdue.
In Settings, a dedicated page for Fonts settings provides a short preview of each font family. The previews use a variety of interesting strings that are selected to match the primary languages that each font family is designed for, together with your own language settings. And if a font has multi-color capabilities built into it, then the preview will demonstrate this.
Untrusted Font Blocking in Windows 10
The Untrusted Font Blocking security feature in Windows 10 is implemented as a global option that prevents apps from loading untrusted fonts. When enabled, any font that is located outside of the C:\Windows\Fonts folder is considered untrusted. This option can be set to one of the following values: On, Off, and Audit. You can configure it with a Group Policy (where available), or by applying a Registry tweak.
There are 3 ways to use this feature:
- On. Helps stop any font processed using GDI from loading outside of the %windir%/Fonts directory. It also turns on event logging.
- Audit. Turns on event logging, but doesn't block fonts from loading, regardless of location. The names of the apps that use untrusted fonts appear in your event log.
- Exclude apps to load untrusted fonts. You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see Fix apps having problems because of blocked fonts.
To Enable Untrusted Font Blocking in Windows 10,
- Open the Registry Editor app.
- Go to the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions
  See how to go to a Registry key with one click.
- On the right, modify or create a new string (REG_SZ) value MitigationOptions_FontBocking.
- Set its value to 1000000000000 to enable it.
- Set the value data to 3000000000000 to enable the Audit mode.
- Deleting the MitigationOptions_FontBocking value or setting it to 2000000000000 will disable the feature.
- To make the changes done by the Registry tweak take effect, you need to restart Windows 10.
You are done.
If you are running Windows 10 Pro, Enterprise, or Education edition, you can use the Local Group Policy Editor app to configure the options mentioned above with a GUI. Here is how.
Enable or Disable Untrusted Font Blocking with Group Policy
- Press Win + R keys together on your keyboard and type: gpedit.msc. Press Enter.
- Group Policy Editor will open.
- Go to Computer Configuration\Administrative Templates\System\Mitigation Options.
- Enable the policy option Untrusted Font Blocking.
- Click one of the following Mitigation Options:
  - Block untrusted fonts and log events. Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log.
  - Do not block untrusted fonts. Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log.
  - Log events without blocking untrusted fonts. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts.
- Click OK and restart Windows 10.
Finally, you can configure the feature without involving the Group Policy. There is another Registry tweak you can apply.
Configure Untrusted Font Blocking without using Group Policy.
- Open Registry Editor (regedit.exe) and go to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\
- If the MitigationOptions value is not there, right-click and add a new QWORD (64-bit) value named MitigationOptions.
- Update the Value data of the MitigationOptions value, and make sure that you keep your existing value, as the Important note below explains:
  - To turn this feature on. Type 1000000000000.
  - To turn this feature off. Type 2000000000000.
  - To audit with this feature. Type 3000000000000.
  Important: Your existing MitigationOptions values should be saved during your update. For example, if the current value is 1000, your updated value should be 1000000001000.
- Restart your computer.
That's it.
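The merge that the Important note asks for, as an added PowerShell example (not code from the original article): it treats the three values as hexadecimal QWORD data, replaces only the font-blocking digit and keeps every other bit of the existing value. The function names Merge-FontBlockingMode and Set-FontBlockingMode are hypothetical, and the write has to run from an elevated prompt.

```powershell
# Added example; Merge-FontBlockingMode and Set-FontBlockingMode are hypothetical names.
$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$ValueName = 'MitigationOptions'
$FontMask  = [uint64]0x3000000000000      # hex digit that holds the font-blocking mode
$FontModes = @{
    On    = [uint64]0x1000000000000
    Off   = [uint64]0x2000000000000
    Audit = [uint64]0x3000000000000
}

function Merge-FontBlockingMode {
    param(
        [Parameter(Mandatory)][uint64]$Current,
        [Parameter(Mandatory)][ValidateSet('On', 'Off', 'Audit')][string]$Mode
    )
    # Clear whatever mode is already stored, then OR in the requested one,
    # so unrelated mitigation bits (such as the article's 1000) survive.
    $withoutFont = $Current -bxor ($Current -band $FontMask)
    return $withoutFont -bor $FontModes[$Mode]
}

function Set-FontBlockingMode {
    param([Parameter(Mandatory)][ValidateSet('On', 'Off', 'Audit')][string]$Mode)
    $key = Get-Item -Path $KernelKey
    [uint64]$current = 0
    if ($key.GetValueNames() -contains $ValueName) {
        $kind = $key.GetValueKind($ValueName)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::QWord) {
            # The article assumes a QWORD; refuse to overwrite anything else.
            throw "$ValueName is $kind, not QWord; leaving it untouched."
        }
        # QWORDs come back as signed Int64; reinterpret the bytes as unsigned.
        $raw = [int64]$key.GetValue($ValueName)
        $current = [BitConverter]::ToUInt64([BitConverter]::GetBytes($raw), 0)
    }
    $new = Merge-FontBlockingMode -Current $current -Mode $Mode
    $signed = [BitConverter]::ToInt64([BitConverter]::GetBytes($new), 0)
    Set-ItemProperty -Path $KernelKey -Name $ValueName -Value $signed -Type QWord
    '{0}: {1:X} -> {2:X}' -f $ValueName, $current, $new
}

# The article's own case: an existing value of 1000 with the feature turned on.
'{0:X}' -f (Merge-FontBlockingMode -Current 0x1000 -Mode On)

# Elevated prompt only, followed by a restart:
# Set-FontBlockingMode -Mode Audit
```

Starting with Audit lets you see in the event log which apps would be affected before switching the mode to On.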
Related articles:
- Backup and Restore Font Settings in Windows 10
- Delete and Uninstall a Font in Windows 10
- How To Rebuild Font Cache in Windows 10
- Change ClearType Font Settings in Windows 10
- How to Install Fonts in Windows 10
- How To Install Fonts From Microsoft Store In Windows 10
- How to a Hide a Font in Windows 10
- Hide a Font Based on Language Settings in Windows 10
- Restore Default Font Settings in Windows 10
in Winaero Tweaker, would it be a nice Tweak !
best regards
Blacky