Information
This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any fonts installed outside the %windir%\Fonts directory. The feature can be configured in one of three modes: On, Off, and Audit.
The recommended state for this setting is: Enabled: Block untrusted fonts and log events
Rationale:
Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local elevation-of-privilege (EoP) attacks that can occur while a font file is being parsed.
Solution
To establish the recommended configuration via Group Policy (GP), set the following UI path to Enabled: Block untrusted fonts and log events:
Computer Configuration\Policies\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking
Impact:
Fonts not located in the %windir%\Fonts directory will not be loaded. This setting can first be run temporarily in Audit mode ('Log events without blocking untrusted fonts') to observe whether blocking untrusted fonts would cause any usability or compatibility issues.
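The following PowerShell script is an added example, not part of this benchmark entry: it reports which of the three modes is in effect, tests it against the recommended state, and lists the events written while the policy runs in Audit or Block mode. The registry path, value name (which really is spelled MitigationOptions_FontBocking) and Event ID 260 are taken from Microsoft's documentation of this policy rather than from the text above; confirm them against the Administrative Template in your environment.

```powershell
# Added example: audit the Untrusted Font Blocking policy against the
# recommended state. Registry location and event ID are from Microsoft's
# documentation of the policy, not from the benchmark text.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
$ValueName = 'MitigationOptions_FontBocking'   # sic: documented spelling

# REG_SZ values the GP setting writes, mapped to the three modes
$Modes = @{
    '1000000000000' = 'Enabled: Block untrusted fonts and log events'
    '2000000000000' = 'Disabled: Do not block untrusted fonts'
    '3000000000000' = 'Enabled: Log events without blocking untrusted fonts'
}
$Recommended = '1000000000000'

function Get-UntrustedFontBlockingState {
    # Absent value means Not Configured, which behaves like the default: Off
    $raw = (Get-ItemProperty -Path $PolicyKey -Name $ValueName `
            -ErrorAction SilentlyContinue).$ValueName
    if (-not $raw) { return 'Not Configured (default: Off, no fonts blocked)' }
    if ($Modes.ContainsKey($raw)) { return $Modes[$raw] }
    return "Unknown value '$raw'"
}

function Test-UntrustedFontBlockingCompliance {
    # True only when the policy is in the recommended Block-and-log mode
    $raw = (Get-ItemProperty -Path $PolicyKey -Name $ValueName `
            -ErrorAction SilentlyContinue).$ValueName
    return ($raw -eq $Recommended)
}

function Get-UntrustedFontEvents {
    # Win32k logs Event ID 260 for each untrusted font that was blocked
    # (Block mode) or would have been blocked (Audit mode); the message
    # names the font file and the process that tried to load it.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Win32k/Operational'
        Id        = 260
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProcessId, Message
}

"Current state : $(Get-UntrustedFontBlockingState)"
"Compliant     : $(Test-UntrustedFontBlockingCompliance)"
"Events (7d)   : $(@(Get-UntrustedFontEvents).Count)"
```

Review the Audit-mode events for legitimate applications that load fonts from their own directories before switching to the recommended Block mode through Group Policy; values set directly in the registry are overwritten at the next policy refresh.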
Default Value:
Off. (No fonts are blocked.)