Active Directory
Antilles7227, 2017-05-29 21:13:37

Blocking the launch of applications by a certificate in Active Directory does not work, what's the problem?

There is a test domain containing the unit "Accountants" with ten users.
I link a group policy that blocks application launch by certificate to the unit; as an example, I took the Valve certificate from the Steam installer and two certificates from Mail.ru (Amigo and Agent). I update the policy and log in on the client machine as one of these users. Steam is blocked, while Agent and Amigo ignore the policy entirely and start without any trouble.
Modeling the resulting policy on the controller says that the policy should be applied (and indeed, Steam is blocked).
"gpresult /r" says the same. But rsop run as the user does not show the blocked certificates, as if they never reached the user (the Valve certificate is not visible either, although it is blocked).
What could be the problem? I know about AppLocker, but I'm interested in this particular option; I want to figure out why this is happening.


1 answer(s)
yosemity, 2017-06-08
@Antilles7227

You are approaching this from the wrong side. Enable full blocking of everything that is not in Windows and Program Files, and add certificate/hash exclusions.
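A check that fits both the question and the answer above, as an added example that is not part of the thread: for each executable it reports the certificate that actually signed the file, whether that thumbprint is in the Disallowed certificate stores, and whether the file sits under a location the default-deny approach would leave unrestricted. The file paths are placeholders, and it is an assumption here that the certificate rules from the policy surface in the `Disallowed` stores on the client.

```powershell
# Added example (not from the thread). Replace the placeholder paths with the
# executables that are expected to be blocked, and run as the affected user.
param(
    [string[]]$Path = @('C:\Path\To\first.exe', 'C:\Path\To\second.exe')
)

# Locations the default-deny approach leaves unrestricted (Windows, Program Files).
$allowedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

# Thumbprints distrusted for the current user and for the machine.
# Assumption: certificate rules set to "Disallowed" end up in these stores.
$disallowed = Get-ChildItem Cert:\CurrentUser\Disallowed, Cert:\LocalMachine\Disallowed |
    Select-Object -ExpandProperty Thumbprint -Unique

foreach ($file in $Path) {
    $full   = (Resolve-Path -LiteralPath $file).Path
    $sig    = Get-AuthenticodeSignature -LiteralPath $full
    $signer = $sig.SignerCertificate

    # Case-insensitive prefix match against the unrestricted roots.
    $underAllowedRoot = $false
    foreach ($root in $allowedRoots) {
        if ($full.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $underAllowedRoot = $true
        }
    }

    [pscustomobject]@{
        File             = $full
        SignatureStatus  = $sig.Status   # NotSigned means no certificate rule can match
        SignerSubject    = if ($signer) { $signer.Subject } else { $null }
        SignerThumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        SignerDisallowed = [bool]($signer -and ($disallowed -contains $signer.Thumbprint))
        UnderAllowedRoot = $underAllowedRoot
    }
}
```

A row with `SignerDisallowed` false for a file that should be blocked means the thumbprint in the rule is not the one that signed that executable, or the rule never reached this user.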
