How to Enable or Disable the use of Untrusted Fonts in Windows 11

This post explains how to block or unblock untrusted fonts in Windows 11.

Fonts that you install with Windows are stored in the C:\Windows\Fonts folder. You can also add fonts by dragging font files from the extracted files folder into this folder.

An untrusted font is any font installed outside the %windir%/Fonts directory.

To help protect your computer from attacks that may originate from untrusted or attacker-controlled font files, Microsoft created the Blocking Untrusted Fonts feature.

Below is how to enable or disable using untrusted fonts in Windows 11.

Enable or disable the use of untrusted fonts

As described above, blocking untrusted fonts will protect your computer against attackers using font files to take over your computer.

There are three ways to control untrusted fonts in Windows:

  • On – Helps stop any font processed using GDI from loading outside of the %windir%/Fonts directory. It also turns on event logging.
  • Audit – Turns on event logging, but doesn’t block fonts from loading, regardless of location. The names of the apps that use untrusted fonts appear in your event log.
  • Exclude apps to load untrusted fonts – You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on.

Use the Local Group Policy Editor

To use the Local Group Policy Editor to enable or disable untrusted fonts, open the Local Group Policy Editor.

Then go to Computer Configuration -> Administrative Templates -> System -> Mitigation Options.


Then, in the Mitigation Options details pane on the right, locate and double-click the “Untrusted Font Blocking” setting.


On the Untrusted Font Blocking window, select Not Configured, Enabled, or Disabled.

  • Not Configured (default) – no fonts are blocked.
  • Enabled
    • Block untrusted fonts and log events.
    • Do not block untrusted fonts.
    • Log event without blocking untrusted fonts.
  • Disabled – Same as Not Configured – no fonts are blocked.

Make your selection and save your changes, then exit.

Use the Windows Registry Editor

Another way to control the use of untrusted fonts in Windows is to use the Windows Registry Editor.

If you can’t open the Local Group Policy Editor, use the Windows Registry Editor instead.

Open the Windows Registry, and navigate to the folder key path below.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions

If you don’t see the MitigationOptions folder key, right-click on the Windows NT key, then create the MitigationOptions subkey.


Right-click in the right pane of the MitigationOptions folder key and select New -> DWORD (32-bit) Value. Name the new value MitigationOptions_FontBocking.

Double-click the new value (MitigationOptions_FontBocking), make sure the Base option is Hexadecimal, and then update the Value data, making sure you keep your existing value:

  • To turn this feature on, type 1000000000000.
  • To turn this feature off, type 2000000000000.
  • To audit with this feature, type 3000000000000.

Save your changes and restart your computer.
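The three values above differ only in their leading hex digit, so "keeping your existing value" means changing one two-bit field and leaving every other bit alone. The PowerShell below is an added example, not part of the original post: it reads the value at the path given above without changing it, then shows the merge on a constructed sample. The function names are hypothetical, and it assumes the value may be stored either as hex text or as a number.

```powershell
# Added example. Path and value name are the ones used in the steps above.
$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
$Name = 'MitigationOptions_FontBocking'

# 1000000000000 hex is 2^48, so the font mode occupies bits 48-49 of the value.
$FontMask  = 0x3000000000000
$FontModes = @{ On = 0x1000000000000; Off = 0x2000000000000; Audit = 0x3000000000000 }

function ConvertTo-MitigationValue($Raw) {
    # Accept hex text (as typed in the editor) or a numeric registry value.
    if ($null -eq $Raw -or "$Raw" -eq '') { return [long]0 }
    if ($Raw -is [string]) { return [Convert]::ToInt64($Raw.Trim(), 16) }
    return [long]$Raw
}

function Get-FontBlockingMode([long]$Value) {
    # Isolate the font field and map it back to a mode name.
    $field = $Value -band $FontMask
    foreach ($mode in $FontModes.Keys) {
        if ($FontModes[$mode] -eq $field) { return $mode }
    }
    return 'NotSet'
}

function Set-FontBlockingMode([long]$Existing, [string]$Mode) {
    # Clear only the font field, then set the requested mode; other bits survive.
    if (-not $FontModes.ContainsKey($Mode)) { throw "Unknown mode '$Mode'" }
    return ($Existing -band (-bnot $FontMask)) -bor $FontModes[$Mode]
}

# Read-only check of the current policy value (missing key or value counts as 0).
$item    = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
$raw     = if ($item) { $item.$Name } else { $null }
$current = ConvertTo-MitigationValue $raw
'Current: 0x{0:X} -> {1}' -f $current, (Get-FontBlockingMode $current)

# Constructed sample: an existing value in Off mode with an unrelated low bit set.
$sample = ConvertTo-MitigationValue '2000000000100'
$merged = Set-FontBlockingMode $sample 'Audit'
'Sample : 0x{0:X} -> 0x{1:X} ({2})' -f $sample, $merged, (Get-FontBlockingMode $merged)
```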

That should do it!

Conclusion:

This post showed you how to enable or disable using untrusted fonts in Windows 11. If you find any errors above or have something to add, please use the comment form below.