Learn more about what features and functionality are supported in each Windows edition at Compare Windows 10 Editions.

To help protect your company from attacks which may originate from untrusted or attacker-controlled font files, we've created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.

What does this mean for me?

Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature is not turned on.

Helps stop any font processed using GDI from loading outside of the %windir%/Fonts directory.

Turns on event logging, but doesn't block fonts from loading, regardless of location. The names of the apps that use untrusted fonts appear in your event log.

If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.

Exclude apps to load untrusted fonts. You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see Fix apps having problems because of blocked fonts.

After you turn this feature on, your employees might experience reduced functionality when:

Sending a print job to a remote printer server that uses this feature and where the spooler process hasn't been specifically excluded. In this situation, any fonts that aren't already available in the server's %windir%/Fonts folder won't be used.

Printing using fonts provided by the installed printer's graphics .dll file, outside of the %windir%/Fonts folder. For more information, see Introduction to Printer Graphics DLLs.

Using first or third-party apps that use memory-based fonts.

Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently.

Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.

Turn on and use the Blocking Untrusted Fonts feature

Use Group Policy or the registry to turn this feature on, off, or to use audit mode.

To turn on and use the Blocking Untrusted Fonts feature through Group Policy

Open the Group Policy editor (gpedit.msc) and go to Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking.

Click Enabled to turn the feature on, and then click one of the following Mitigation Options:

Block untrusted fonts and log events. Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log.

Do not block untrusted fonts. Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log.

Log events without blocking untrusted fonts. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts.

To turn on and use the Blocking Untrusted Fonts feature through the registry

To turn this feature on, off, or to use audit mode: