- On. Helps stop any font that is processed by using GDI from being loaded if it is installed outside the %windir%/Fonts directory. It also turns on event logging.
- Audit. Turns on event logging, but does not block fonts from loading, regardless of location. The names of the applications that use untrusted fonts appear in your event log.
Note If you are not ready to deploy this feature in your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
- Exclude apps to load untrusted fonts. You can exclude specific applications, which allows them to load untrusted fonts even when the feature is turned on.
- Sending a print job to a shared printer server that uses this feature and where the spooler process has not been specifically excluded. In this situation, any fonts that are not already available in the server's %windir%/Fonts folder will not be used.
- Printing using fonts provided by the installed printer's graphics .dll file, outside the %windir%/Fonts folder. For more information, see Introduction to Printer Graphics DLLs.
- Using first-party or third-party apps that use memory-based fonts.
- Using Internet Explorer to view websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all the characters, so the website might render differently.
- Using desktop Office to view documents that have embedded fonts. In this situation, content is displayed by using a default font picked by Office.
Using Group Policy
- Open Local Group Policy Editor.
- Under Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand System, and then click Mitigation Options.
- In the Untrusted Font Blocking setting, you can see the following options:
- Block untrusted fonts and log events
- Do not block untrusted fonts
- Log events without blocking untrusted fonts
Using Registry Editor
- Open Registry Editor (regedit.exe) and go to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\
- If the MitigationOptions value is not there, right-click and add a new QWORD (64-bit) Value named MitigationOptions.
- Update the Value data of the MitigationOptions value, and make sure that you keep your existing value, as described in the Important note below:
- To turn this feature on. Type 1000000000000.
- To turn this feature off. Type 2000000000000.
- To audit with this feature. Type 3000000000000.
Important Your existing MitigationOptions values should be saved during your update. For example, if the current value is 1000, your updated value should be 1000000001000.
- Restart your computer.
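The registry steps above can be scripted so that the existing MitigationOptions bits are kept, as the Important note requires. The following PowerShell is an added example, not part of the original article; the function names are hypothetical, and it assumes that the values listed above are hexadecimal (the default Base in Registry Editor for a QWORD) and that MitigationOptions is stored as a QWORD.

```powershell
# Added example; function and variable names are hypothetical.
# Assumes the article's values are hexadecimal and MitigationOptions is a QWORD.
$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$FontModes = @{
    On    = [uint64]0x1000000000000
    Off   = [uint64]0x2000000000000
    Audit = [uint64]0x3000000000000
}
$FontMask = [uint64]0x3000000000000   # covers all three font-blocking values

function Merge-FontBlockingValue {
    param(
        [uint64]$Existing,
        [ValidateSet('On', 'Off', 'Audit')][string]$Mode
    )
    # Clear only the font-blocking bits, then set the requested mode,
    # leaving every other mitigation bit as it was.
    $others = $Existing -band ([uint64]::MaxValue -bxor $FontMask)
    return $others -bor $FontModes[$Mode]
}

function Set-UntrustedFontBlocking {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('On', 'Off', 'Audit')][string]$Mode)

    # A missing value is treated as 0, matching the "add a new QWORD" step.
    $item = Get-ItemProperty -Path $KernelKey -Name MitigationOptions -ErrorAction SilentlyContinue
    $existing = if ($item) { [uint64]$item.MitigationOptions } else { [uint64]0 }
    $new = Merge-FontBlockingValue -Existing $existing -Mode $Mode

    Write-Verbose ('MitigationOptions: {0:X} -> {1:X}' -f $existing, $new)
    if ($PSCmdlet.ShouldProcess($KernelKey, "Set MitigationOptions to $('{0:X}' -f $new)")) {
        Set-ItemProperty -Path $KernelKey -Name MitigationOptions -Value $new -Type QWord
    }
}

# The article's own example input: existing value 1000, feature turned on.
'{0:X}' -f (Merge-FontBlockingValue -Existing 0x1000 -Mode On)
# Preview the change on this machine without writing it:
# Set-UntrustedFontBlocking -Mode Audit -WhatIf -Verbose
```

Run it from an elevated session; as in the manual procedure, the setting takes effect after a restart.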
Article ID: 3053676 - Last Review: 24 Apr 2015 - Revision: 1