What is the purpose of Cobalt Strike's blockdlls feature and how does it protect child processes?
Cobalt Strike's blockdlls feature restricts a child process so that it can load only DLLs signed by Microsoft, which prevents third-party security software (for example, EDR agents) from injecting their DLLs into the child and installing user-mode hooks there. As detailed in Analysis of Cobalt Strike's blockdlls Exploitation, it does this by setting the `PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON` mitigation policy in the extended attribute list of a `STARTUPINFOEX` structure passed at process creation, so the operating system enforces the restriction from the moment the child starts.
Tags: blockdlls, Cobalt Strike, process mitigation policy, DLL injection, Microsoft signature