You can create indicators for certificates. Some common use cases include:
- Scenarios where you deploy blocking technologies such as attack surface reduction rules, but need to allow behaviors from signed applications by adding the signing certificate to the allowlist.
- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Microsoft Defender Antivirus prevents file executions (block and remediate), and automated investigation and remediation behaves the same.
Before you begin
It's important to understand the following requirements before creating indicators for certificates:
- This feature is available if your organization uses Microsoft Defender Antivirus (in active mode) and cloud-based protection is enabled. For more information, see Manage cloud-based protection. 
- The anti-malware client version must be 4.18.1901.x or later.
- Supported on devices running Windows 10, version 1703 or later; Windows Server 2012 R2 and later; or Azure Stack HCI OS, version 23H2 and later.
  Note: Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the instructions in Onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender for Endpoint for this feature to work.
- The virus and threat protection definitions must be up to date. 
- This feature currently supports entering .CER or .PEM file extensions. 
Important
- A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities').
- Parent and child certificates of an allow/block certificate IoC aren't covered by the allow/block functionality; only leaf certificates are supported.
- Microsoft signed certificates can't be blocked.
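Before uploading a certificate, it helps to confirm that the file you export meets the requirements above: a leaf (end-entity) signing certificate, with a valid chain to a root the client trusts, saved as .CER. The following PowerShell is an added example, not code from the Microsoft documentation; the function name and the file paths in the usage line are placeholders.

```powershell
# Added example (not from the Microsoft docs): export the leaf signing certificate of a
# signed binary as a .CER file for use as a certificate indicator, after checking it is
# a leaf certificate with a valid chain to a root trusted by the local machine.
function Export-LeafSigningCertificate {
    param(
        [Parameter(Mandatory)] [string] $SignedFilePath,   # placeholder, e.g. C:\Tools\app.exe
        [Parameter(Mandatory)] [string] $OutFile            # placeholder, e.g. C:\IoC\app-signer.cer
    )

    $sig = Get-AuthenticodeSignature -FilePath $SignedFilePath
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)'; only a validly signed file yields a usable leaf certificate."
    }
    $leaf = $sig.SignerCertificate

    # Only leaf certificates are supported as certificate IoCs: reject anything marked as a CA.
    $bc = $leaf.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($bc -and $bc.CertificateAuthority) {
        throw "Certificate '$($leaf.Subject)' is a CA certificate, not a leaf; parents and children of an IoC are not covered."
    }

    # The leaf must chain to a root trusted by the client (Local Machine Trusted Root store).
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is evaluated on the client at runtime
    if (-not $chain.Build($leaf)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        throw "Certificate does not chain to a trusted root: $reasons"
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Export the leaf only, DER-encoded (.CER), one of the two formats the indicator page accepts.
    Export-Certificate -Cert $leaf -FilePath $OutFile -Type CERT -Force | Out-Null

    [pscustomobject]@{
        Subject     = $leaf.Subject
        Thumbprint  = $leaf.Thumbprint
        NotAfter    = $leaf.NotAfter
        TrustedRoot = $root.Subject
        OutFile     = $OutFile
    }
}

# Usage (paths are placeholders):
# Export-LeafSigningCertificate -SignedFilePath 'C:\Tools\app.exe' -OutFile 'C:\IoC\app-signer.cer'
```

For a self-signed certificate, the chain check only passes once the certificate is installed in the Local Machine 'Trusted Root Certification Authorities' store, matching the client-side requirement stated above.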
Create an indicator for certificates from the settings page:
Important
It can take up to 3 hours to create and remove a certificate IoC.
- In the navigation pane, select Settings > Endpoints > Indicators (under Rules). 
- Select Add indicator. 
- Specify the following details:
  - Indicator: Specify the entity details and define the expiration of the indicator.
  - Action: Specify the action to be taken and provide a description.
  - Scope: Define the scope of the machine group.
- Review the details on the Summary tab, and then select Save. 
Related articles
- Create indicators
- Create indicators for files
- Create indicators for IPs and URLs/domains
- Manage indicators
- Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.