Skip to content

WMI GPO Filters for Operating System Types


 

As a standard practice in the environment I support we use WMI filtering on GPOs to ensure a GPO only gets applied to the right operating system type. This can prevent accidents such as applying a client GPO to a server, or a GPO for Server 2003 to a Server 2008 R2 system.
Creating WMI filters can be a pain, so here are the WMI queries that I use which cover a variety of operating systems.
Windows XP
select * from Win32_OperatingSystem WHERE Version LIKE “5.1%”
Windows 7
select * from Win32_OperatingSystem WHERE Version LIKE “6.1%” and ProductType = “1”
Windows Server 2003/R2
select * from Win32_OperatingSystem WHERE Version LIKE “5.2%”
Windows Server 2008
select * from Win32_OperatingSystem WHERE Version LIKE “6.0%” AND ( ProductType = “2” or ProductType = “3” )
Windows Server 2008 R2
select * from Win32_OperatingSystem WHERE Version LIKE “6.1%” AND ( ProductType = “2” or ProductType = “3” )
If you are wondering what the product types are, they are defined by Microsoft and distinguish between a client OS (1), domain controller (2) or member server (3). So you could easily create a filter to only apply to Windows Server 2008 R2 domain controllers, if you wished. Alternatively for 2008/R2 you could use AND ProductType <> “1” if you want something a bit shorter that covers both server product types.
To use these queries, open the GPMC. Expand down until you find the WMI Filters node. Right click on it and select New WMI Filter. Click Add, then paste the query of your choice into the query box. Give the filter a name, then you can apply it to any GPO in your forest.

WMI filtering

Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer.

When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows 2000, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied.

WMI makes data about a target computer available for administrative use. Such data can include hardware and software inventory, settings, and configuration information. For example, WMI exposes hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data.

A WMI filter consists of one or more queries based on this data. If all queries are true, the GPO linked to the filter will be applied. The queries are written using the WMI Query Language (WQL), a SQL-like language. Queries can be combined with AND and OR logical operators to achieve whatever effect the administrator wants. Each query is executed against a particular WMI namespace. When you create a query, you must specify the namespace. The default is root\CIMv2, which is appropriate for most WMI queries.

The WMI filter is a separate object from the GPO in the directory. To apply a WMI filter to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one WMI filter, however the same WMI filter can be linked to multiple GPOs.

WMI filters, like GPOs, are stored on a per-domain basis. A WMI filter and the GPO it is linked to must be in the same domain.

Notes

  • Client support for WMI filters exists only on Windows XP, Windows Server 2003, and later operating systems. Windows 2000 clients will ignore any WMI filter and the GPO is always applied, regardless of the WMI filter.
  • WMI filters are only available in domains that have at least one Windows Server 2003 domain controller. In an environment consisting only of Windows 2000 domains, the WMI filter node in Group Policy Management Console (GPMC) is not shown.

Using WMI filters with GPMC

Using GPMC, you can create and delete WMI filters, link and unlink WMI filters, copy and paste WMI filters, import and export WMI filters, and view and edit attributes of WMI filters.

Sample code

The following table shows sample code for several WMI filters.

Criterion
Administrator’s intent
WMI filter

Configuration

Avoid turning on netmon on computers that can have multicasting turned on.

Copy Code

Select * from Win32_NetworkProtocol where SupportsMulticasting = true

Time zone

Apply policy on all servers located on the East Coast of the United States.

Copy Code

Root\cimv2 ; Select * from win32_timezone where bias =-300

Hotfix

Apply a policy on computers that have a specific hotfix.

Copy Code

Root\cimv2 ; Select * from Win32_QuickFixEngineering where HotFixID = 'q147222'

Software inventory

Assign software only on computers already having either of two software packages.

Copy Code

Root\cimv2;Select * from Win32_Product where name = "MSIPackage1" OR name = "MSIPackage2"

Operating system

Only target computers running Windows XP Professional.

Copy Code

Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

Resources

Target only machines that have at least 600 megabytes (MB) available.

Copy Code

Root\CimV2; Select * from Win32_LogicalDisk where FreeSpace > 629145600 AND Description <> "Network Connection"

Make or model

Target Toshiba Tecra models 800 and 810.

Copy Code

Root\CimV2; Select * from Win32_ComputerSystem where manufacturer = "Toshiba" and Model = "Tecra 800" OR Model = "Tecra 810"
6 Comments Post a comment
  1. If you’re going to do it too then I’m not doing it!
    There’s no sense coming up with the same thing again.

    2013/05/14
  2. I every time spent my half an hour to read this weblog’s posts every day along with a mug of coffee.

    2013/05/27
  3. You are so awesome! I do not suppose I have read through a
    single thing like this before. So good to discover another person with some original thoughts on this issue.

    Really.. many thanks for starting this up. This site is one thing that’s needed on the internet, someone with some originality!

    2013/06/14
  4. Undeniably believe that which you stated. Your favorite reason appeared to be on the internet the easiest thing to be aware of.
    I say to you, I definitely get irked while people think about worries that they just don’t know about. You managed to hit the nail upon the top as well as defined out the whole thing without having side-effects , people could take a signal. Will likely be back to get more. Thanks

    2013/07/05
  5. Many thanks[…]There are some invtrmaoife points in this article but I don’t know should you decide see all of these properly. There can be some credibility but I am going to hold my opinion until I investigate into it further. Good post , thanks and we want a l

    2013/07/26
  6. Very nice article. I definitely love this site. Keep it up!

    2014/03/19

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: