I recently worked on an issue where all Windows 10 users were seeing two strange display issues on certain websites via Internet Explorer 11 and Edge. There were two noticeable symptoms:
- Chinese characters would show in particular locations on many websites. These were often buttons, but sometimes other symbols.
- Buttons would be completely blank. The buttons themselves worked, which you could either use if they had a graphical representation of the button still, or you knew where to click.
This was even presenting itself in Office 365 – I couldn’t see the Notifications, Settings or Help buttons, and they would instead show as blank boxes.
This was found while piloting Windows 10 from Windows 7. The visible options in Internet Explorer seemed identical. and other browsers weren’t affected – Chrome could display these sites perfectly fine.
I worked out what the problem and fix was (jump to the end if you want that now), but here’s the story on how we got to this broken state:
As part of prepping for Windows 10, I followed Microsoft’s Security Baseline documentation which contains a handy Excel spreadsheet, with recommendations on what Group Policy settings you should use for best security practises. I followed this (I’ve linked to a newer version) and made choices based on understanding each option, and what worked for us. There were very few settings I didn’t follow exactly.
One of these settings was ‘Untrusted Font Blocking‘. The document recommended enabling this, to stop untrusted fonts being used as they’re a security risk – the loading of a font can allow elevated privileges, and has been used before. Made sense to me, so I enabled it.
This is what Group Policy says about Untrusted Font Blocking:
This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.
Eventually with a lot of testing and googling, I tried disabling this option – and it worked. Once you know the fix to a problem, it’s really easy to work backwards to find out more about it.
It turns out that in simple terms, websites can present their own fonts to use. It may be easier to present an arrow that’s from a font, rather than making a graphic of a font. Usually the site will load the font on the fly, but blocking that means the site fails back to a ‘best match’ on the font, which seems to be a font for Chinese characters, or a font that has a blank character for the matched result. Makes sense.
Microsoft changed their mind on this recommendation, only a month ago from time of writing. That recommendation change is worth reading, as it explained why they did it, and why they’re now changing their mind. The good news is that you’re not losing security by abandoning this setting, as the way fonts are parsed has changed from kernel to sandboxed user mode.
Turn off Untrusted Font Blocking through either of these methods:
Group Policy – Disable or change to Not Configured: Computer Configuration > Policies > Administrative Templates > System > Mitigation Options > Untrusted Font Blocking
Registry Setting – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\ – QWORD MitigationOptions
- To turn this feature on. Type 1000000000000.
- To turn this feature off. Type 2000000000000.
- To audit with this feature. Type 3000000000000.Important
Your existing MitigationOptions values should be saved during your update. For example, if the current value is 1000, your updated value should be 1000000001000