Untrusted Font Blocking

Policy overview

Key metadata and intent for this policy.

Computer
Category
System > Mitigation Options
Supported on
At least Windows Server 2016, Windows 10

Supported OS tags: Windows10, Windows10RT, Windows11, WindowsServer2016

This security feature provides a global setting that prevents programs from loading untrusted fonts. An untrusted font is any font installed outside of the %windir%\Fonts directory. The feature has three modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren't ready to deploy this feature across your organization, you can run it in Audit mode to see whether blocking untrusted fonts would cause any usability or compatibility issues.

Internal name
FontMitigation
Policy ID
6b746980d65e
Elements
1

Registry values

How enabled and disabled states update the registry.

No explicit registry values are set for enabled or disabled states.

Policy elements

Inputs and configuration options exposed by this policy.

Scope
Computer
Element
Mitigation Options (ID FontMitigation_DL)
Type
enum
Registry path
SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions
Registry value name
MitigationOptions_FontBocking
Registry type
REG_SZ
Constraints & behavior
Options: Block untrusted fonts and log events (1000000000000), Do not block untrusted fonts (2000000000000), Log events without blocking untrusted fonts (3000000000000)