How to Enable or Disable Untrusted Font Blocking in Windows 10
A font is a graphical representation of text that may include a different typeface, point size, weight, color, or design.
The Untrusted Font Blocking security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the C:\Windows\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit.
If you aren’t quite ready to enable Untrusted Font Blocking, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
You can exclude specific apps, allowing them to load untrusted fonts, even while Untrusted Font Blocking is turned on.
| Untrusted Font Blocking Mode | Description |
|---|---|
| On (enable) | Block untrusted fonts and log events. Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. |
| Off (default - disable) | Turns the feature off. |
| Audit | Log events without blocking untrusted fonts. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts. |
See also: Block untrusted fonts in an enterprise | Microsoft Docs
This tutorial will show you how to enable or disable Untrusted Font Blocking for all users in Windows 10.
You must be signed in as an administrator to enable or disable Untrusted Font Blocking.
CONTENTS:
- Option One: Enable or Disable Untrusted Font Blocking in Local Group Policy Editor
- Option Two: Enable or Disable Untrusted Font Blocking using a REG file
OPTION ONE
Enable or Disable Untrusted Font Blocking in Local Group Policy Editor
The Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.
All editions can use Option Two below.
1. Open the Local Group Policy Editor.
2. In the left pane of Local Group Policy Editor, navigate to the location below.
Computer Configuration\Administrative Templates\System\Mitigation Options
3. In the right pane of Mitigation Options in Local Group Policy Editor, double click/tap on the Untrusted Font Blocking policy to edit it.
4. Do step 5 (enable), step 6 (disable), or step 7 (audit) below for what you would like to do.
5. To Enable Untrusted Font Blocking
A) Select (dot) Enabled, select Block untrusted fonts and log events in the "Mitigation Options" drop menu, click/tap on OK, and go to step 8 below.
6. To Disable Untrusted Font Blocking
A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 8 below.
Not Configured is the default setting.
7. To Use Audit Mode for Untrusted Font Blocking
A) Select (dot) Enabled, select Log events without blocking untrusted fonts in the "Mitigation Options" drop menu, click/tap on OK, and go to step 8 below.
8. When finished, you can close the Local Group Policy Editor.
OPTION TWO
Enable or Disable Untrusted Font Blocking using a REG file
The downloadable .reg files below will add and modify the string value in the registry key below.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions
MitigationOptions_FontBocking string value (REG_SZ)
delete = Disable (off)
1000000000000 = Enable (on)
3000000000000 = Audit
1. Do step 2 (enable), step 3 (disable), or step 4 (audit) below for what you would like to do.
2. To Enable Untrusted Font Blocking
A) Click/tap on the Download button below to download the file below, and go to step 5 below.
Untrust_Font_Blocking-Block_untrusted_fonts_and_log_events.reg
3. To Disable Untrusted Font Blocking
This is the default setting.
A) Click/tap on the Download button below to download the file below, and go to step 5 below.
Untrust_Font_Blocking-Do_not_block_untrusted_fonts.reg
4. To Use Audit Mode for Untrusted Font Blocking
A) Click/tap on the Download button below to download the file below, and go to step 5 below.
Untrust_Font_Blocking_Log_events_without_blocking_untrusted_fonts.reg
5. Save the .reg file to your desktop.
6. Double click/tap on the downloaded .reg file to merge it.
7. When prompted, click/tap on Run, OK (UAC), Yes, and OK to approve the merge.
8. Restart the computer to apply.
9. You can now delete the downloaded .reg file if you like.
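The registry change from Option Two, written as a PowerShell script that can also report the current mode before and after a change. This is an added example, not the tutorial's own .reg files; the function names Get-FontBlockingMode and Set-FontBlockingMode and the -Mode parameter are hypothetical, while the key path, value name and data are the ones listed in Option Two.

```powershell
#Requires -RunAsAdministrator
# Added example (not the tutorial's .reg files): query or set the policy value.
param(
    [ValidateSet('Query', 'On', 'Off', 'Audit')]
    [string]$Mode = 'Query'
)

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
$ValueName = 'MitigationOptions_FontBocking'   # name exactly as listed in Option Two
$Data      = @{ On = '1000000000000'; Audit = '3000000000000' }

function Get-FontBlockingMode {
    # A missing key or value means the policy is not set, i.e. Off (the default).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Off' }
    $current = $item.$ValueName
    foreach ($name in $Data.Keys) {
        if ($Data[$name] -eq $current) { return $name }
    }
    # Data other than the two values in this tutorial is reported, not guessed at.
    return "Unrecognized ($current)"
}

function Set-FontBlockingMode {
    param([Parameter(Mandatory)][ValidateSet('On', 'Off', 'Audit')][string]$NewMode)
    if ($NewMode -eq 'Off') {
        # "delete = Disable (off)": remove the value rather than writing data.
        if (Test-Path -Path $KeyPath) {
            Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        }
        return
    }
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force overwrites an existing value; String matches the REG_SZ type.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String `
        -Value $Data[$NewMode] -Force | Out-Null
}

if ($Mode -ne 'Query') {
    Set-FontBlockingMode -NewMode $Mode
    Write-Host 'Restart the computer to apply the change.'
}
"Untrusted Font Blocking (policy value): $(Get-FontBlockingMode)"
```

Run with no arguments to check a machine's current setting, or with -Mode Audit to stage the feature before switching to -Mode On.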
That's it,
Shawn