EKU filtering

This policy setting allows you to specify enhanced key usage (EKU) values to be used in filtering a list of digital certificates for signing Excel, PowerPoint, and Word documents. An enhanced key usage (EKU) extension to a digital certificate is a collection of one or more values that indicate how a certificate should be used. Examples of EKU values include Smart Card Logon and Client Authentication. EKU filtering allows you to filter the list of installed certificates that can be used for digitally signing documents. The filtered list will appear when users attempt to select a certificate for digitally signing a document.

If you enable this policy setting, you can specify a list of object identifiers (OIDs) that represent acceptable EKUs for certificates used in conjunction with signed documents. For example, for a certificate with the Encrypting File System ( identifier, the OID is This list of appropriate OIDs will vary according to the specific certificates that the organization uses. For a list of object IDs associated with Microsoft cryptography, see Microsoft Knowledge Base article 287547, "Object IDs associated with Microsoft cryptography" at http://officeredir.microsoft.com/r/rlidGPOIDAndCrypt2O14?clid=1033.

If you disable or do not configure this policy setting, EKU filtering is not available.

Supported on: At least Windows 7

Registry Path: software\policies\microsoft\office\16.0\common\signatures
Value Name: filterdigitalsignaturecerteku
Value Type: REG_SZ
Default Value:
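
To audit which installed certificates would pass the configured filter, the following PowerShell sketch reads the policy value and compares it with each certificate's EKU OIDs. It is an added example, not Microsoft's code or part of the original policy text. It assumes the value lives under HKCU (the page gives only the sub-path), that multiple OIDs are separated by commas, semicolons or whitespace, and that the signing picker draws from the current user's personal store.

```powershell
# Added example. Assumptions: HKCU hive, OIDs separated by , ; or whitespace,
# and Cert:\CurrentUser\My as the store that signing certificates come from.
$policyPath = 'HKCU:\software\policies\microsoft\office\16.0\common\signatures'
$valueName  = 'filterdigitalsignaturecerteku'

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Return the OID strings from the certificate's EKU extension, if present.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

$raw = (Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ([string]::IsNullOrWhiteSpace($raw)) {
    Write-Output 'Policy value not set: EKU filtering is not available.'
}
else {
    $allowed = @($raw -split '[,;\s]+' | Where-Object { $_ })
    Write-Output ("Allowed EKU OIDs: " + ($allowed -join ', '))

    # Only certificates with a private key can be used for signing.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $ekus = @(Get-EkuOids -Cert $_)
        $hits = @($ekus | Where-Object { $allowed -contains $_ })

        # Certificates without an EKU extension are reported separately rather
        # than guessed at; how the filter treats them is not stated on the page.
        $match = if ($ekus.Count -eq 0) { 'no EKU extension' }
                 elseif ($hits.Count -gt 0) { 'yes' }
                 else { 'no' }

        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            EKUs       = $ekus -join ' '
            Match      = $match
        }
    } | Format-Table -AutoSize
}
```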

