
How to Block Untrusted Fonts in Windows (GPO & Registry)

You can enable untrusted font blocking in Windows to restrict applications from loading outside fonts. Here’s how to block untrusted fonts.

In Windows, whether you download fonts from an external source like Google Fonts or from Microsoft Store, you install fonts with just a few clicks. Every font installed in your system is, by default, available to all the programs. This makes it so that you can use the font of your choice in any application.

Most applications use the fonts already available in your system to display text. However, some applications include their own fonts and use them instead. Generally, these fonts are loaded directly by the application, i.e., they are either not installed in your system or are installed outside the regular Windows font directory (C:\Windows\Fonts). Any fonts that are installed outside the Windows font directory, or that are not installed yet used by an application, are called untrusted fonts.

If you don’t want Windows to run untrusted fonts, you can force it to block them. In this quick guide, let me show you how to enable untrusted font blocking in Windows 10.


Enable Untrusted Font Blocking GPO

Windows 10 Pro edition has a dedicated group policy object to block untrusted fonts. All you have to do is enable the policy and you are done.

1. Open the Group Policy Editor by searching for “Edit group policy” in the Start menu. After opening it, go to the following folder by expanding the folder structure on the left panel.

Computer Configuration → Administrative Templates → System → Mitigation Options

2. Now, find the “Untrusted Font Blocking” policy on the right panel and double-click on it to open its properties.


3. In the settings window, select the “Enabled” option and then choose the “Block untrusted fonts and log events” option from the Mitigation Options section. Click on the “OK” button to save changes.

(Alternative) If needed, you can just log the untrusted font access events without blocking them. To do that, select the “Log events without blocking untrusted fonts” option. You can find these events in the Event Viewer.


4. Finally, close the Group Policy Editor and either force update group policies or reboot Windows to apply the policy changes.

That is it. From now on, Windows will not allow any applications to load or run untrusted fonts. If you want to revert back and allow untrusted fonts, follow the same steps but select “Not Configured” or “Disabled” in step 3.

via Registry Editor

Windows 10 Home users can use the Registry Editor to block untrusted fonts. Though not as easy as the Group Policy method, it is still pretty easy. Just back up the registry, follow the steps as is, and you will be good.

1. First, open the Registry Editor by searching for it in the start menu. Next, copy the path shown below, paste it in the address bar and press Enter.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions

Note: If you cannot find the “MitigationOptions” folder, create one by right-clicking on the “Windows NT” folder and selecting “New → Key”.


2. Right-click on the “MitigationOptions” folder and select the “New → String Value” option. Name the value “MitigationOptions_FontBocking”.


3. Next, double-click on the value you just created. Type “1000000000000” in the Value data field and click on the “Ok” button.

(Alternative) If you don’t want to block but just audit the untrusted fonts, type “3000000000000” in the Value Data field. You can find these events in the Event Viewer.


4. Close the registry editor and reboot Windows to apply the changes.

That is it. After restarting the system, Windows will no longer allow untrusted fonts to run. If you want to reverse the process, simply delete the “MitigationOptions_FontBocking” value and you are done.
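The registry steps above can also be scripted, which is useful when the same setting has to go onto several machines or when you want to check what is currently configured. The following is an added example, not part of the original guide: the function names are hypothetical, while the key path, value name and data strings are the ones given in the steps above. It assumes an elevated PowerShell session.

```powershell
# Added example: scripted form of the registry steps above. Run from an elevated PowerShell.
# Function names are hypothetical; key path, value name and data strings come from this page.
$FontKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
$FontValue = 'MitigationOptions_FontBocking'   # spelled exactly as in step 2
$FontModes = @{ Block = '1000000000000'; Audit = '3000000000000' }

function Get-UntrustedFontMode {
    # Returns Block, Audit, NotConfigured, or Unknown(<data>) for unexpected data.
    $item = Get-ItemProperty -Path $FontKey -Name $FontValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    $data = [string]$item.$FontValue
    foreach ($mode in $FontModes.Keys) {
        if ($FontModes[$mode] -eq $data) { return $mode }
    }
    return "Unknown($data)"
}

function Set-UntrustedFontMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Block', 'Audit', 'NotConfigured')]
        [string]$Mode
    )
    if ($Mode -eq 'NotConfigured') {
        # Reverse the change: delete the value, leave the key in place.
        if ((Get-UntrustedFontMode) -ne 'NotConfigured' -and
            $PSCmdlet.ShouldProcess($FontKey, "Remove $FontValue")) {
            Remove-ItemProperty -Path $FontKey -Name $FontValue
        }
    }
    elseif ($PSCmdlet.ShouldProcess($FontKey, "Set $FontValue = $($FontModes[$Mode])")) {
        # Step 1 note: create the key if it does not exist yet.
        if (-not (Test-Path -Path $FontKey)) { New-Item -Path $FontKey -Force | Out-Null }
        # Steps 2-3: a String value holding the mode data.
        New-ItemProperty -Path $FontKey -Name $FontValue -PropertyType String `
            -Value $FontModes[$Mode] -Force | Out-Null
    }
    # Read back what is actually stored so a failed write is visible.
    Get-UntrustedFontMode
}

Set-UntrustedFontMode -Mode Audit -WhatIf   # preview only; drop -WhatIf to apply, then reboot
```

Starting in Audit mode and reviewing the logged events in the Event Viewer before switching to Block shows which applications depend on their own bundled fonts.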

I hope that helps. If you are stuck or need some help, comment below and I will try to help as much as possible. If you like this article, do check out how to back up all fonts in Windows.
