Policy

Allow certificates with no extended key usage certificate attribute

Microsoft Windows

Back to Smart CardBack to main
Allow certificates with no extended key usage certificate attribute
Jump to overview

Policy overview

Key metadata and intent for this policy.

Computer
Category
Windows Components > Smart Card
Supported on
At least Windows Vista

Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista

This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. If you enable this policy setting, certificates with the following attributes can also be used to log on with a smart card: - Certificates with no EKU - Certificates with an All Purpose EKU - Certificates with a Client Authentication EKU If you disable or do not configure this policy setting, only certificates that contain the smart card logon object identifier can be used to log on with a smart card.

Internal name
AllowCertificatesWithNoEKU
Policy ID
82e65a6b46f2
Elements
0

Registry values

How enabled and disabled states update the registry.

ScopeRegistry locationTypeEnabled valueDisabled valueCopy
Computer
Path
SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider
Value name
AllowCertificatesWithNoEKU
REG_DWORD
HKLM
1
HKLM
0
Registry location
Type REG_DWORD · Computer
Path
SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider
Value name
AllowCertificatesWithNoEKU
Hive
HKLM
Enabled value
1
Disabled value
0

Policy elements

Inputs and configuration options exposed by this policy.

This policy has no additional user input fields.