3.2.2.6.2.1.4.5.4 msPKI-RA-Application-Policies
If any OID in this attribute doesn't exist as a KeyPurposeID in Extended Key Usage extension (defined in section 4.2.1.13 of the [RFC3280]) of at least one certificate whose private key was used to sign the certificate request, the CA MUST reject the request and return a non-zero error. The error SHOULD be 0x8009480B (CERTSRV_E_SIGNATURE_REJECTED).