Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET! Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET!
Windows Client OS

Windows 10 Tip: Block Untrusted Fonts

Windows 10 Hero Good

In today’s Ask the Admin, I’ll show you how to block processing of untrusted fonts using the Graphics Device Interface (GDI) in Windows 10.

Not the sexiest of topics, but Windows 10 contains a new security feature that allows system administrators to prevent users from loading fonts not located in the trusted %windir%/Fonts directory, helping to prevent remote web-based and local escalation of privilege attacks that can occur when parsing fonts.

The feature has three levels of operation: On, Audit, and Exclude apps to load untrusted fonts. When the feature is set to On, only fonts contained in the trusted %windir%/Fonts directory are loaded using GDI and event logging is turned on. Audit turns on event logging but doesn’t block fonts from loading. Exclude apps to load untrusted fonts allows you to set specific apps to load fonts using GDI outside of the %windir%/Fonts directory when the Untrusted Font Blocking feature is enabled.

Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.

But before you rush to turn on font blocking, like many security defenses, it comes with some drawbacks. Microsoft notes that you might experience reduced functionality in the following circumstances:

  • Sending a print job to a remote printer server if spooler.exe hasn’t been excluded. Fonts not available in the server’s trusted fonts directory won’t be used.
  • Print jobs that use fonts, installed by the printer driver’s graphics .dll file, that reside outside of the trusted fonts directory.
  • Apps that use memory-based fonts.
  • Viewing websites in Internet Explorer that use embedded fonts. IE will use a default font.
  • Using Office desktop apps to view documents that include embedded fonts. Office will use a default font.

Block untrusted fonts using Group Policy

The Untrusted Font Blocking feature can be enabled using Group Policy. For more information on using Group Policy, see “How to Create and Link a Group Policy Object in Active Directory” on the Petri IT Knowledgebase.

The Untrusted Font Blocking feature in Windows 10 (Image Credit: Russell Smith)
The Untrusted Font Blocking feature in Windows 10 (Image Credit: Russell Smith)

The Untrusted Font Blocking setting can be found in local or Group Policy under Computer Configuration > Administrative Templates > System > Mitigation Options. You’ll note there are three options: Block untrusted fonts and log events, Do not block untrusted fonts, Log events without blocking untrusted fonts.

Excluding processes

Missing from the Group Policy settings above is the ability to exclude processes. Microsoft recommends that in the first instance you try to add any required fonts to the trusted fonts directory. If that’s not possible, then exclude the problem processes or apps by adding the process image name to the registry. For example, if you want to exclude Microsoft Word, add the following value to the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe

In this article, I explained the Untrusted Font Blocking feature in Windows 10, showed you how to enable it, and how to exclude specific processes from the policy using the registry.

Related Topics:

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.

Register for Advanced Microsoft 365 Day!

GET-IT: Advanced Microsoft 365 1-Day Virtual Conference - Live August 24th!

Join us on Tuesday, August 24th and hear from Microsoft MVPs and industry experts about how to take advantage of Microsoft 365 at a technical level and dive deep into the features and functionality that will make your environment more secure and compliant.

RSVP Now

Sponsored By