No need to enable Untrusted Font Blocking setting in Windows 10, says Microsoft

With the introduction of Windows 10, Microsoft added a new security feature in its GPO setting for blocking font downloads. Any untrusted fonts outside of the %windir%\Fonts directory, if encountered were blocked instantly. This feature was available for configuration in 3 modes – On, Off and Audit.

No need to enable Untrusted Font Blocking Froup Policy setting now

This Group Policy setting enabled Windows to block font downloads for multiple browsers like Google’s Chrome, Mozilla Firefox, Internet Explorer and others. However, now, there has been a change in the scheme of things. Microsoft has decided to remove the recommendation to enable the “Untrusted Font Blocking” Group Policy setting in:

Computer Configuration > Administrative Templates > System > Mitigation Options.

Microsoft believes that, in Windows 10 v1703, it has other measures in place which render this setting far less important. For example, the risk of handling untrusted fonts in GDI is now acceptably low enough. As such, the costs of font-blocking exceed its benefits. Moreover, running this feature breaks several legitimate scenarios unnecessarily while blocking untrusted fonts.

font blocking

Parsing and rendering font data involves significant complexity, so it is not surprising that font rendering engines have had bugs – particularly when handling font data that does not conform to expected formats. Nor is it surprising that malicious actors target these bugs with malformed font data to deliver exploit code through web pages and document files that support embedded or downloaded fonts. On versions of Windows prior to Windows 10 and Windows Server 2016, that problem has been compounded for programs that use Windows’ graphics device interface (GDI) APIs to load and render fonts. In addition to the threat of remote code execution in a compromised user-mode process, a GDI font rendering bug can also result in kernel-mode execution and local elevation of privilege because most of GDI’s font logic was in Win32k.sys which runs in kernel mode”, mentions Microsoft blog.

An event of blocking downloaded and embedded fonts which count as a shortfall is that many websites rely on them, and blocking them can substantially affect the utility. It is important to note that this block applies only to font-rendering through GDI and not to other user-mode font-rendering engines such as DirectWrite which is used by the Microsoft Edge and Google Chrome web browsers.

Posted by with Tags
Anand Khanse is the Admin of and a 10-year Microsoft MVP Awardee in Windows for the period 2006-16. He enjoys following and reporting Microsoft news and developments in the world of Personal Computing & Social Media.