Merged PR 2709: Updated to add Group Policy and clarify the registry steps

2025-06-20 12:53:38 +00:00 · 2017-08-14 20:07:04 +00:00
parent 77c1e78858
commit f5fc54060a
1 changed files with 63 additions and 27 deletions
--- a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md
+++ b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md
@ -8,10 +8,13 @@ ms.mktglfcycl: deploy
 ms.pagetype: security
 ms.sitesec: library
 author: eross-msft
+ms.author: lizross
+ms.date: 08/14/2017
 ms.localizationpriority: high
 ---

 # Block untrusted fonts in an enterprise
+
 **Applies to:**

 -   Windows 10
@ -46,19 +49,44 @@ After you turn this feature on, your employees might experience reduced function
 -   Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.

 ## Turn on and use the Blocking Untrusted Fonts feature
+Use Group Policy or the registry to turn this feature on, off, or to use audit mode.
+
+**To turn on and use the Blocking Untrusted Fonts feature through Group Policy**
+1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`.
+
+2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**:
+
+    - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. 
+
+    - **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log.
+
+    - **Log events without blocking untrusted fonts**. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts.
+
+3. Click **OK**.
+
+**To turn on and use the Blocking Untrusted Fonts feature through the registry**
 To turn this feature on, off, or to use audit mode:

 1.  Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`.

 2.  If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**.

-3.  Update the **Value data** of the **MitigationOptions** key, making sure you keep your existing value, like in the important note below:
+3. Right click on the **MitigationOptions** key, and then click **Modify**. 
+
+    The **Edit QWORD (64-bit) Value** box opens.
+
+4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below:

    -   **To turn this feature on.** Type **1000000000000**.
-    -   **To turn this feature off.** Type **2000000000000**.
-    -   **To audit with this feature.** Type **3000000000000**.<p>**Important**<br>Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. 

-4.  Restart your computer.
+    -   **To turn this feature off.** Type **2000000000000**.
+
+    -   **To audit with this feature.** Type **3000000000000**.
+
+    >[!Important]
+    >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. 
+
+4. Restart your computer.

 ## View the event log
 After you turn this feature on, or start using Audit mode, you can look at your event logs for details.
@ -68,27 +96,33 @@ After you turn this feature on, or start using Audit mode, you can look at your
 1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**.

 2. Scroll down to **EventID: 260** and review the relevant events.
-<p>
-**Event Example 1 - MS Word**<br>
-WINWORD.EXE attempted loading a font that is restricted by font loading policy.<br>
-FontType: Memory<br>
-FontPath:<br>
-Blocked: true<p>
-**Note**<br>Because the **FontType** is *Memory*, there’s no associated **FontPath.**
-<p>
-**Event Example 2 - Winlogon**<br>
-Winlogon.exe attempted loading a font that is restricted by font loading policy.<br>
-FontType: File<br>
-FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`<br>
-Blocked: true<p>
-**Note**<br>Because the **FontType** is *File*, there’s also an associated **FontPath.**
-<p>
-**Event Example 3 - Internet Explorer running in Audit mode**<br>
-Iexplore.exe attempted loading a font that is restricted by font loading policy.<br>
-FontType: Memory<br>
-FontPath:<br>
-Blocked: false<p>
-**Note**<br>In Audit mode, the problem is recorded, but the font isn’t blocked.
+
+    **Event Example 1 - MS Word**<br>
+    WINWORD.EXE attempted loading a font that is restricted by font-loading policy.<br>
+    FontType: Memory<br>
+    FontPath:<br>
+    Blocked: true
+    
+    >[!NOTE]
+    >Because the **FontType** is *Memory*, there’s no associated **FontPath**.
+
+    **Event Example 2 - Winlogon**<br>
+    Winlogon.exe attempted loading a font that is restricted by font-loading policy.<br>
+    FontType: File<br>
+    FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`<br>
+    Blocked: true
+    
+    >[!NOTE]
+    >Because the **FontType** is *File*, there’s also an associated **FontPath**.
+
+    **Event Example 3 - Internet Explorer running in Audit mode**<br>
+    Iexplore.exe attempted loading a font that is restricted by font-loading policy.<br>
+    FontType: Memory<br>
+    FontPath:<br>
+    Blocked: false
+    
+    >[!NOTE]
+    >In Audit mode, the problem is recorded, but the font isn’t blocked.

 ## Fix apps having problems because of blocked fonts
 Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems.
@ -101,12 +135,14 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa

 **To fix your apps by excluding processes**

-1.  On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`. Like, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
+1.  On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`.<br><br>For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.

-2.  Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature).
+2.  Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic.

  
+## Related content

+- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/)