Forum Discussion
MDE use of Certificate based IoC not working
The certificate-based Indicator of Compromise (IoC) feature only applies when the Defender cloud protection service performs a reputation check. It is not evaluated by the local real-time scanning engine for every executable on disk. Microsoft’s own documentation states that certificate IoCs are primarily enforced during cloud-based lookups, such as when SmartScreen or the Defender cloud reputation service is triggered during file download or execution from supported Microsoft channels. This means the feature works reliably for files originating from Microsoft Edge, Outlook, or web downloads that go through those reputation checks, but not for files executed directly from disk or installed via third-party browsers like Firefox.
Tests performed in controlled environments confirm this behavior. Even when a certificate is uploaded and set to “Block and remediate,” local execution of a file already present on disk does not trigger a block event because the antivirus engine does not recheck the code signing certificate against the IoC list. Defender’s cloud protection telemetry does not currently cover those local scenarios. Microsoft has an open feature request (tracked internally under MDE feedback threads) to expand this functionality, but as of now, the enforcement scope remains limited to cloud-delivered protection paths rather than local scans. Please hit like if you like the solution.
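To compare how hash indicators and certificate indicators behave in a controlled test like the one described above, it helps to record, per test binary, its SHA-256, its Authenticode signer and certificate thumbprint, and whether Defender logged a detection or action event for that path. The script below is an added example for this thread, not code from the original poster or from Microsoft; the file paths and the blocked-certificate thumbprint are placeholders, and it only uses built-in cmdlets (Get-AuthenticodeSignature, Get-FileHash, Get-WinEvent).

```powershell
# Added example (not from the original thread): gather the evidence needed to
# compare hash-indicator vs. certificate-indicator behaviour on a test device.
# Assumptions: -Path entries are placeholder paths to benign, signed test
# binaries; -BlockedThumbprint is a placeholder for the thumbprint of the
# certificate uploaded as an indicator in the MDE portal.

function Get-IndicatorEvidence {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string]$BlockedThumbprint,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )

    # Defender operational log; 1116 = threat detected, 1117 = action taken.
    # With no matching events Get-WinEvent reports an error; we suppress it
    # and treat $events as empty.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Missing test file: $p"
            continue
        }

        $sig   = Get-AuthenticodeSignature -FilePath $p
        $hash  = (Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash
        $cert  = $sig.SignerCertificate
        $thumb = if ($cert) { $cert.Thumbprint } else { $null }

        # Did any Defender detection/action event in the window mention this path?
        $hit = $events | Where-Object { $_.Message -like "*$p*" } | Select-Object -First 1

        [pscustomobject]@{
            File               = $p
            Sha256             = $hash
            SignatureStatus    = $sig.Status
            SignerSubject      = if ($cert) { $cert.Subject } else { $null }
            Thumbprint         = $thumb
            MatchesBlockedCert = ([bool]$BlockedThumbprint -and ($thumb -eq $BlockedThumbprint))
            DefenderEvent      = if ($hit) { "$($hit.Id) at $($hit.TimeCreated)" } else { 'none' }
        }
    }
}

# Usage with placeholder values:
Get-IndicatorEvidence -Path 'C:\Tests\app1.exe', 'C:\Tests\app2.exe' `
    -BlockedThumbprint 'PLACEHOLDER_THUMBPRINT' | Format-Table -AutoSize
```

Run it once after downloading the test binary through Edge and once after copying the same file to disk and launching it locally; if MatchesBlockedCert is true in both runs but DefenderEvent is 'none' in the second, you have the concrete evidence (hash, thumbprint, timestamps) to attach to a support case or feedback thread.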
- Warren212, Dec 03, 2025, Copper Contributor
As per this link: https://learn.microsoft.com/en-us/defender-endpoint/indicator-certificates, which states:
- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Microsoft Defender Antivirus prevents file executions (block and remediate), and automated investigation and remediation behaves the same.
This MS statement does not align to what you mentioned above.
- Warren212, Dec 03, 2025, Copper Contributor
Thanks for the info, but unfortunately, while testing with multiple applications, cert indicators seem to have no effect, even when downloading the apps via the Edge browser and relying on SmartScreen. I have run all the SmartScreen tests from the Defender test ground to confirm SmartScreen is working. When using file hash indicators, it works.