
Windows 10 Tip: Block Untrusted Fonts


In today’s Ask the Admin, I’ll show you how to block processing of untrusted fonts using the Graphics Device Interface (GDI) in Windows 10.

Not the sexiest of topics, but Windows 10 contains a new security feature that lets system administrators prevent users from loading fonts that are not located in the trusted %windir%\Fonts directory. Font parsing has historically been a source of remote, web-based attacks and of local escalation-of-privilege bugs, and restricting which fonts GDI will process helps to close that avenue.

The feature has three levels of operation: On, Audit, and Exclude apps to load untrusted fonts. When the feature is set to On, GDI loads only fonts contained in the trusted %windir%\Fonts directory, and event logging is turned on. Audit turns on event logging but doesn’t block any fonts from loading. Exclude apps to load untrusted fonts lets you nominate specific apps that are still allowed to load fonts from outside %windir%\Fonts through GDI while the Untrusted Font Blocking feature is enabled.


But before you rush to turn on font blocking, be aware that, like many security defenses, it comes with some drawbacks. Microsoft notes that you might experience reduced functionality in the following circumstances:

  • Sending a print job to a remote print server if spooler.exe hasn’t been excluded. Fonts not available in the server’s trusted fonts directory won’t be used.
  • Print jobs that use fonts installed by the printer driver’s graphics .dll file, where those fonts reside outside of the trusted fonts directory.
  • Apps that use memory-based fonts.
  • Viewing websites in Internet Explorer that use embedded fonts. IE will fall back to a default font.
  • Using Office desktop apps to view documents that include embedded fonts. Office will fall back to a default font.

Block untrusted fonts using Group Policy

The Untrusted Font Blocking feature can be enabled using Group Policy. For more information on using Group Policy, see “How to Create and Link a Group Policy Object in Active Directory” on the Petri IT Knowledgebase.

The Untrusted Font Blocking feature in Windows 10 (Image Credit: Russell Smith)

The Untrusted Font Blocking setting can be found in local or Group Policy under Computer Configuration > Administrative Templates > System > Mitigation Options. You’ll note there are three options: Block untrusted fonts and log events, Do not block untrusted fonts, and Log events without blocking untrusted fonts.

Excluding processes

Missing from the Group Policy setting above is the ability to exclude processes. Microsoft recommends that in the first instance you try to add any required fonts to the trusted fonts directory. If that’s not possible, then exclude the problem processes or apps by creating a registry key named after the process image name under Image File Execution Options. For example, if you want to exclude Microsoft Word, create the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe
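The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the machine-wide font-blocking mode, writes the per-process exclusion for Winword.exe described above, and then pulls the events that Audit or On mode has logged. It assumes, based on Microsoft’s documentation for the feature rather than on anything stated in this article, that the policy is stored in a QWORD value named MitigationOptions (in the kernel Session Manager key for the machine-wide setting, and in the process’s Image File Execution Options key for a per-process override), that the font-blocking mode occupies bits 48 to 51 of that value (1 = block and log, 2 = do not block, 3 = log only), and that events are written to the Microsoft-Windows-Win32k/Operational log as Event ID 260. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): inspect, configure and audit
# Untrusted Font Blocking from an elevated PowerShell prompt.
# Assumptions, taken from Microsoft's documentation rather than this article:
#  - the machine-wide mode is the QWORD 'MitigationOptions' under the kernel key,
#  - a per-process override is the same value under the process's IFEO key,
#  - bits 48-51 hold the font mode: 1 block+log, 2 don't block, 3 audit (log only),
#  - audit/block events are Event ID 260 in Microsoft-Windows-Win32k/Operational.
#Requires -RunAsAdministrator

$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'MitigationOptions'

# Only the font-blocking nibble is touched; other mitigation bits are preserved.
$FontMask  = [long]0x000F000000000000
$FontShift = 48
$Modes = @{ 0 = 'Not configured'; 1 = 'Block and log'; 2 = 'Do not block'; 3 = 'Audit (log only)' }

function Get-FontBlockMode {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) { return $Modes[0] }
    $raw  = [long]$item.$ValueName
    $bits = [int](($raw -band $FontMask) -shr $FontShift)
    if ($Modes.ContainsKey($bits)) { return $Modes[$bits] }
    return "Unknown ($bits)"
}

function Set-FontBlockMode {
    param([string]$Path, [ValidateSet(1, 2, 3)][int]$Mode)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($item) { [long]$item.$ValueName } else { [long]0 }
    $new  = ($raw -band (-bnot $FontMask)) -bor ([long]$Mode -shl $FontShift)
    Set-ItemProperty -Path $Path -Name $ValueName -Value $new -Type QWord
}

# 1. Report the machine-wide mode (this is what the Group Policy setting writes).
"Machine-wide: $(Get-FontBlockMode $KernelKey)"

# 2. Exclude Word, as in the article, by setting 'Do not block' on its IFEO key.
$WordKey = Join-Path $IfeoKey 'Winword.exe'
Set-FontBlockMode -Path $WordKey -Mode 2
"Winword.exe:  $(Get-FontBlockMode $WordKey)"

# 3. Review what Audit or On mode has logged in the last day, so that fonts
#    which legitimately need to be trusted can be moved into %windir%\Fonts
#    before blocking is enforced.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Win32k/Operational'
    Id        = 260
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap
```

Writing the value with a mask rather than overwriting it matters because MitigationOptions carries other process-mitigation settings in its other bits; clobbering it would silently change unrelated policy. Changes to the machine-wide value take effect after a restart, so check the reported mode again once the machine has rebooted.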

In this article, I explained the Untrusted Font Blocking feature in Windows 10, showed you how to enable it, and how to exclude specific processes from the policy using the registry.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.