Forum Discussion

Warren212
Copper Contributor
Dec 01, 2025

MDE use of Certificate based IoC not working

I have been trying to use MDE IoC with certificates as per the following link: https://learn.microsoft.com/en-us/defender-endpoint/indicator-certificates#create-an-indicator-for-certificates-from-the-settings-page

This is on a demo tenant with full M365 E5 licenses and vulnerability trial enabled just in case. Test devices are:

  • Windows 11 with latest updates - domain joined and managed by Intune
  • MDE onboarded and active with AV
  • Network protection in block mode
  • Cloud delivered protection enabled
  • File hash enabled
  • In defender portal - settings - endpoints advanced settings - all options enabled

I am testing with Firefox - the installer and the application .exe after installation.

I have extracted the leaf certificate from both of these .exe files using the helpful information in the following link: https://www.linkedin.com/pulse/microsoft-defender-missing-manual-how-actually-create-adair-collins-paiye/

Then uploaded the certs into defender portal - settings - endpoints - IoC - certificates - set to Block and remediate


Issue:

It's been 24h and nothing happens on the client devices. In the Defender portal - assets - devices - device timeline - I can see the Firefox processes, but at no point is the installer or application blocked.

Have I misunderstood how the feature works?

Has anyone else managed to get this to work?

Advice appreciated.

Thanks

Warren
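
A diagnostic for the step described above, added here as an example and not part of the original post or of Microsoft's documentation: it reads the Authenticode signature of each binary, confirms the signature is valid on the test device, prints the leaf (signer) thumbprint so it can be matched against the uploaded indicator, builds the chain so a chain that does not validate on the endpoint is visible, and exports the leaf alone as a DER .cer. The two file paths are placeholders and should be replaced with the actual installer and installed executable.

```powershell
# Added diagnostic (not from the original post): inspect the Authenticode leaf
# certificate of signed executables and export it for use as an MDE certificate IoC.
# Assumed placeholder paths; replace with the installer / installed binary under test.
$Targets = @(
    'C:\Users\Public\Downloads\Firefox Setup.exe',   # placeholder path
    'C:\Program Files\Mozilla Firefox\firefox.exe'   # placeholder path
)
$OutDir = Join-Path $env:TEMP 'mde-cert-ioc'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($Path in $Targets) {
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Missing: $Path"; continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    "`n== $Path"
    "Signature status : $($sig.Status)"         # anything other than 'Valid' needs attention
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { continue }

    $leaf = $sig.SignerCertificate               # the leaf (signer) certificate, not the CA
    "Leaf subject     : $($leaf.Subject)"
    "Leaf issuer      : $($leaf.Issuer)"
    "Leaf thumbprint  : $($leaf.Thumbprint)"     # compare with the indicator uploaded in the portal
    "Valid            : $($leaf.NotBefore) -> $($leaf.NotAfter)"

    # Build the chain on this device so a broken or untrusted chain shows up here.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'  # keep the check offline-friendly
    $ok = $chain.Build($leaf)
    "Chain builds     : $ok"
    $i = 0
    foreach ($el in $chain.ChainElements) {
        "  [$i] $($el.Certificate.Subject)  ($($el.Certificate.Thumbprint))"
        $i++
    }
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { "  status: $($_.Status) $($_.StatusInformation)" }
    }

    # Export only the leaf as DER-encoded .cer (one of the formats the indicator upload accepts).
    $outFile = Join-Path $OutDir ($leaf.Thumbprint + '.cer')
    $bytes = $leaf.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($outFile, $bytes)
    "Exported leaf    : $outFile"
}
```

Running this on the test device itself is the useful part: if the chain does not build locally, the indicator has nothing to match against, and if the printed thumbprint differs from what was uploaded, the wrong certificate (for example an intermediate or the installer's other signer) was extracted.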
