Remove unused or vulnerable OpenType and TrueType fonts from Windows endpoints and clean stale font registry entries
This Automox Worklet™ removes TrueType and OpenType fonts (.ttf and .otf files) from C:\Windows\Fonts and deletes the matching value entries under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts. The remediation script handles both file deletion and registry cleanup in a single pass, so the operating system stops trying to load a font that no longer exists on disk.
The Worklet runs in one of two modes. In name-based mode, it searches the system Fonts directory for any file whose name starts with a family name you list in the DesiredFonts parameter. Matching is case-insensitive and prefix-based, so weight and style variants (Bold, Italic, Condensed, Light) are caught alongside the regular face. In payload mode, the Worklet expects one or more ZIP archives staged in the policy execution directory. The script calls Expand-Archive to unpack the archives, filters the extracted .ttf and .otf set against the DesiredFonts list, and removes the matching files and registry entries.
The mode is selected by the usePayload parameter, which accepts true, 1, yes, or y for payload mode and treats anything else as name-based. The evaluation script is idempotent: it reports compliant on any endpoint where the named fonts are absent from both C:\Windows\Fonts and HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts, so the policy can sit on a weekly cadence without changing anything on endpoints that already match the baseline.
Font handling has been a reliable kernel exploit primitive on Windows for more than a decade. Win32k.sys, atmfd.dll, and the OpenType and TrueType parsers have absorbed CVE after CVE, including the ATMFD font-parsing flaws (CVE-2015-2426, CVE-2020-1020) and the Adobe Type Manager remote code execution bug that prompted an out-of-band Microsoft advisory in 2020. Every font installed on an endpoint widens the surface those parsers expose, and most fleets carry dozens of typefaces no business application ever calls. Removing the unused face removes the code path it would otherwise reach.
Proving that every Windows endpoint has dropped a deprecated font is the half of the work that usually gets skipped. A central font-removal decision is easy to make; reaching every workstation, every RDS host, and every kiosk to enforce it is the operational cost. Scheduling this Worklet across the Windows estate evaluates the Fonts directory and the HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts registry key on every endpoint in scope, removes the deprecated files where they still exist, and flags any host where a listed font (a retired brand asset, an unlicensed third-party face) has crept back in. The activity log records each removal and each failure for audit review against CIS Windows Benchmark and NIST 800-53 CM-7 controls.
Evaluation phase: The Worklet enumerates C:\Windows\Fonts for any .ttf or .otf file whose name starts with a value in DesiredFonts. It then opens HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts through the Microsoft.Win32.RegistryKey API and checks both value names and value data for the same prefix list. If either source still references a target font, the script emits a match line and exits 2 so the Automox console queues remediation. Endpoints with no matches log 'No specified fonts found' and exit 0.
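An evaluation-phase check written to the description above, added here as an example and not the Worklet's own script: it prefix-matches the Fonts directory, then both the value names and value data of the Fonts registry key, and exits 2 on any hit. The DesiredFonts default is a constructed sample; the directory and registry paths are the ones the page names.

```powershell
param(
    [string]$DesiredFonts = 'Verdana, Comic Sans MS'   # constructed sample value
)

$fontDir     = 'C:\Windows\Fonts'
$fontKeyPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
$prefixes = @($DesiredFonts -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($prefixes.Count -eq 0) { Write-Warning 'No DesiredFonts supplied'; exit 2 }

function Test-Prefix([string]$Text) {
    # Case-insensitive prefix match, so 'Verdana' also catches 'Verdana Bold'
    foreach ($p in $prefixes) {
        if ($Text.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Font files on disk (.ttf / .otf only)
Get-ChildItem -Path $fontDir -File | Where-Object { $_.Extension -in '.ttf', '.otf' } | ForEach-Object {
    if (Test-Prefix $_.Name) { $findings.Add("File: $($_.FullName)") }
}

# 2. Registry: the value name carries family + style, the value data carries the file name
$fontKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($fontKeyPath, $false)
if ($null -eq $fontKey) { Write-Warning "Cannot open HKLM:\$fontKeyPath"; exit 2 }
try {
    foreach ($name in $fontKey.GetValueNames()) {
        $data = [string]$fontKey.GetValue($name)
        if ((Test-Prefix $name) -or (Test-Prefix $data)) { $findings.Add("Registry: '$name' = '$data'") }
    }
} finally {
    $fontKey.Close()   # release the handle whether or not anything matched
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output $_ }
    exit 2   # non-compliant: the console queues remediation
}
Write-Output 'No specified fonts found'
exit 0
```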
Remediation phase: The remediation script reads usePayload to choose its path. In name-based mode it iterates the DesiredFonts list, calls the internal Remove-FontFile helper on each matching .ttf or .otf in C:\Windows\Fonts, then calls Remove-FontRegistryEntriesForFamily and Remove-FontRegistryEntriesByValuePrefix to delete the matching registry values with $fontKey.DeleteValue so the loader cache no longer references the file. In payload mode the script calls Expand-Archive on every ZIP in the execution directory, filters the unpacked set against DesiredFonts (base-name exact match or prefix match), and runs the same file and registry cleanup against the filtered list. Per-item failures (locked files, registry handle errors) surface through Write-Warning and set the script exit code to 1; the script still cleans every other file and registry value it can reach in the same run, and the finally block always closes the registry handles.
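A name-based remediation pass written to the description above, added here as an example and not the Worklet's own script (payload mode is not shown): it deletes matching files, then deletes registry values whose name or data points at a target family or at a file removed in the same run, reports per-item failures with Write-Warning and exit code 1, and closes the registry handle in a finally block. The DesiredFonts default is a constructed sample; paths are the ones the page names.

```powershell
param([string]$DesiredFonts = 'Verdana, Comic Sans MS')   # constructed sample value

$fontDir     = 'C:\Windows\Fonts'
$fontKeyPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
$prefixes = @($DesiredFonts -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($prefixes.Count -eq 0) { Write-Warning 'No DesiredFonts supplied'; exit 2 }
# One anchored regex for every prefix; -match is case-insensitive by default
$pattern  = '^(' + (($prefixes | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'
$exitCode = 0
$removed  = @()

# Step 1: delete matching .ttf/.otf files; a locked file fails on its own and the run continues
foreach ($file in Get-ChildItem -Path $fontDir -File | Where-Object { $_.Extension -in '.ttf', '.otf' }) {
    if ($file.Name -notmatch $pattern) { continue }
    try {
        Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
        $removed += $file.Name
        Write-Output "Removed file $($file.FullName)"
    } catch {
        Write-Warning "Could not remove $($file.FullName): $($_.Exception.Message)"
        $exitCode = 1
    }
}

# Step 2: delete registry values whose name or data point at a target family or a file removed above
$fontKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($fontKeyPath, $true)   # writable handle
if ($null -eq $fontKey) { Write-Warning "Cannot open HKLM:\$fontKeyPath"; exit 2 }
try {
    foreach ($name in $fontKey.GetValueNames()) {
        $data = [string]$fontKey.GetValue($name)
        if (-not ($name -match $pattern -or $data -match $pattern -or $removed -contains $data)) { continue }
        try {
            $fontKey.DeleteValue($name, $true)
            Write-Output "Removed registry value '$name' -> '$data'"
        } catch {
            Write-Warning "Could not delete registry value '$name': $($_.Exception.Message)"
            $exitCode = 1
        }
    }
} finally {
    $fontKey.Close()   # always release the handle, even after per-item failures
}
exit $exitCode
```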
Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, or Windows Server 2022
Administrative privileges on the endpoint (the default Automox agent context already satisfies this) so the script can write to C:\Windows\Fonts and HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
PowerShell 5.1 or later for Expand-Archive support in payload mode
DesiredFonts parameter: a comma-separated list of font family names (for example Verdana, Comic Sans MS, Wingdings) or base file names without extension. Prefix matching means Verdana removes Verdana, Verdana Bold, Verdana Italic, and Verdana Bold Italic in one pass.
usePayload parameter: true/1/yes/y for ZIP payload mode, false/0/no/n for name-based mode against the existing installed set
For payload mode: one or more ZIP archives staged in the Worklet execution directory containing the .ttf or .otf files that should be removed
After remediation, the named fonts no longer appear in C:\Windows\Fonts and the Settings > Personalization > Fonts page (ms-settings:fonts on Windows 10 and 11) shows the family as uninstalled. Every value name under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts that pointed at the removed files is gone, so the GDI font cache will not attempt to reload them at next logon. Documents and applications that referenced the removed face render with the Windows fallback family (typically Segoe UI or the application's configured fallback).
Validate the change on a pilot host with two short PowerShell commands. Run Get-ChildItem 'C:\Windows\Fonts' -Filter 'Verdana*' to confirm the files are gone, then Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts' | Format-List Verdana* to confirm no registry values reference the family. The remediation exit code is 0 when every file and registry value was either removed cleanly or already absent, 1 when one or more per-item operations failed, and 2 when the script could not open the registry hive or no DesiredFonts were supplied. Exit code 1 typically indicates a locked font file or a registry permission issue; close the referencing application (or reboot, then rerun) to clear a file lock. Both failure modes surface in the Automox activity log with the Write-Warning context that the script emitted.

