Windows - System Preferences - Remove Fonts

What the font removal Worklet does

This Automox Worklet™ removes TrueType and OpenType fonts (TTF and OTF files) from Windows endpoints and eliminates all associated registry entries. The Worklet supports two operating modes: direct font-family removal by name or extraction-based removal using ZIP payload files.

In name-based mode, the Worklet searches the system font directory (%WINDIR%\Fonts) for any font files starting with the specified family name and removes them with case-insensitive matching. The Worklet also scans the Windows font registry (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts) and deletes all matching entries to prevent the operating system from attempting to load removed fonts.

In payload mode, the Worklet extracts ZIP archives containing font files, filters them to only those matching the specified font names, and removes the extracted fonts along with their registry entries. Both modes handle font variants (such as bold, italic, or condensed versions) through prefix matching.

Why remove unused fonts from your endpoints

Removing unnecessary fonts reduces endpoint disk space and decreases system resource usage during font enumeration. This is particularly valuable in standardized endpoint environments where specific fonts are required for branded applications or compliance reasons.

Font cleanup also improves system consistency across your fleet. When endpoints have different font sets, printing and document display can produce unexpected results. Standardizing fonts eliminates these compatibility issues so that documents render consistently regardless of which endpoint opens them.

Some security frameworks require endpoint standardization to reduce the attack surface. Removing unused fonts limits the system's font engine exposure and reduces the number of components that could potentially be exploited. Removing fonts associated with deprecated applications also prevents accidental use of legacy software resources.

How font removal works

1. Evaluation phase: The Worklet checks %WINDIR%\Fonts for any installed files matching the specified font family names. It also queries HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts to detect font registry entries. If any matching fonts are found, the Worklet flags the endpoint as non-compliant and remediation is required.

2. Remediation phase: The Worklet uses the operating mode specified (name-based or payload) to identify target fonts. In name-based mode, it removes font files from the Fonts directory and deletes all matching registry entries. In payload mode, it extracts ZIP files, filters fonts to those matching the specified names, removes the files, and cleans related registry entries. The Worklet operates idempotently, meaning it succeeds if fonts are already removed.

Font removal requirements

• Windows 10, Windows 11, Windows Server 2016, or later

• Administrative privileges to modify font files in %WINDIR%\Fonts and access the Windows font registry key

• DesiredFonts parameter: Specify font family names (e.g., "Verdana") for name-based mode or font file base names without extension for payload mode

• For payload mode: ZIP archive(s) containing the font files to be removed, placed in the Worklet execution directory

• usePayload parameter: Set to true/1/yes/y when using payload mode, or false/0/no/n for name-based mode

Expected font removal state

After remediation, the specified fonts will no longer exist in %WINDIR%\Fonts. Windows will not list them in the fonts control panel, and applications cannot access them. All registry entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts that reference the removed fonts will be deleted. Any applications that depend on the removed fonts will display using the system fallback font instead.

You can verify successful removal by opening the Fonts control panel or by running PowerShell to query the font registry key. The Worklet completes successfully whether or not fonts were present on the endpoint, making it safe to apply repeatedly across your fleet. If the Worklet encounters errors during file removal (such as files locked by running applications), it reports the failure but continues attempting to clean registry entries.

How to validate remove fonts changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for remove fonts.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Out-String, Write-Warning, Write-Error.

4. Validate remediation effects from script operations such as Expand-Archive, Out-String, Write-Error, then rerun evaluation for compliance.