WMI GPO Filters for Operating System Types
As a standard practice in the environment I support, we use WMI filtering on GPOs to ensure a GPO only gets applied to the right operating system type. This can prevent accidents such as applying a client GPO to a server, or a GPO for Server 2003 to a Server 2008 R2 system.
Creating WMI filters can be a pain, so here are the WMI queries that I use which cover a variety of operating systems.
Windows XP
select * from Win32_OperatingSystem WHERE Version LIKE "5.1%"
Windows 7
select * from Win32_OperatingSystem WHERE Version LIKE "6.1%" and ProductType = "1"
Windows Server 2003/R2
select * from Win32_OperatingSystem WHERE Version LIKE "5.2%"
Windows Server 2008
select * from Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ( ProductType = "2" or ProductType = "3" )
Windows Server 2008 R2
select * from Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ( ProductType = "2" or ProductType = "3" )
If you are wondering what the product types are, they are defined by Microsoft and distinguish between a client OS (1), domain controller (2) or member server (3). So you could easily create a filter to only apply to Windows Server 2008 R2 domain controllers, if you wished. Alternatively, for 2008/R2 you could use AND ProductType <> "1" if you want something a bit shorter that covers both server product types.
To use these queries, open the GPMC. Expand down until you find the WMI Filters node. Right-click on it and select New WMI Filter. Click Add, then paste the query of your choice into the query box. Give the filter a name, then you can apply it to any GPO in your forest.
Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer.
When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows 2000, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied.
WMI makes data about a target computer available for administrative use. Such data can include hardware and software inventory, settings, and configuration information. For example, WMI exposes hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data.
A WMI filter consists of one or more queries based on this data. If all queries are true, the GPO linked to the filter will be applied. The queries are written using the WMI Query Language (WQL), a SQL-like language. Queries can be combined with AND and OR logical operators to achieve whatever effect the administrator wants. Each query is executed against a particular WMI namespace. When you create a query, you must specify the namespace. The default is root\CIMv2, which is appropriate for most WMI queries.
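A filter query can be run locally to see how it would evaluate on a given machine before the filter is linked to a GPO. The following is an added example, not code from the original page; the helper name Test-WmiFilterQuery and the $filters table are assumptions for illustration, and it assumes PowerShell 3.0 or later (for Get-CimInstance).

```powershell
# Added example: evaluate WMI filter queries against the local computer.
# Test-WmiFilterQuery is a hypothetical helper name, not a built-in cmdlet.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)] [string] $Query,
        [string] $Namespace = 'root\CIMv2'   # default namespace for most filters
    )
    try {
        # The filter is true when the query returns at least one instance.
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)
    }
    catch {
        # A query that WMI rejects (invalid syntax, unknown class) lands here.
        Write-Warning "Query failed: $Query ($($_.Exception.Message))"
        return $null
    }
}

# The operating system queries from this page, with straight quotes.
$filters = [ordered]@{
    'Windows XP'             = 'select * from Win32_OperatingSystem WHERE Version LIKE "5.1%"'
    'Windows 7'              = 'select * from Win32_OperatingSystem WHERE Version LIKE "6.1%" and ProductType = "1"'
    'Windows Server 2003/R2' = 'select * from Win32_OperatingSystem WHERE Version LIKE "5.2%"'
    'Windows Server 2008'    = 'select * from Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ( ProductType = "2" or ProductType = "3" )'
    'Windows Server 2008 R2' = 'select * from Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ( ProductType = "2" or ProductType = "3" )'
}

# Show the two properties the filters test, then each filter's result.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "Local OS: $($os.Caption), Version=$($os.Version), ProductType=$($os.ProductType)"

foreach ($name in $filters.Keys) {
    [pscustomobject]@{
        Filter = $name
        Result = Test-WmiFilterQuery -Query $filters[$name]
    }
}
```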
The WMI filter is a separate object from the GPO in the directory. To apply a WMI filter to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one WMI filter; however, the same WMI filter can be linked to multiple GPOs.
WMI filters, like GPOs, are stored on a per-domain basis. A WMI filter and the GPO it is linked to must be in the same domain.
- Client support for WMI filters exists only on Windows XP, Windows Server 2003, and later operating systems. Windows 2000 clients will ignore any WMI filter and the GPO is always applied, regardless of the WMI filter.
- WMI filters are only available in domains that have at least one Windows Server 2003 domain controller. In an environment consisting only of Windows 2000 domains, the WMI filter node in Group Policy Management Console (GPMC) is not shown.
Using WMI filters with GPMC
Using GPMC, you can create and delete WMI filters, link and unlink WMI filters, copy and paste WMI filters, import and export WMI filters, and view and edit attributes of WMI filters.
The following table shows sample code for several WMI filters.
Avoid turning on netmon on computers that can have multicasting turned on.
Select * from Win32_NetworkProtocol where SupportsMulticasting = true
Apply policy on all servers located on the East Coast of the United States.
Root\cimv2; Select * from win32_timezone where bias = -300
Apply a policy on computers that have a specific hotfix.
Root\cimv2; Select * from Win32_QuickFixEngineering where HotFixID = 'q147222'
Assign software only on computers already having either of two software packages.
Root\cimv2; Select * from Win32_Product where name = "MSIPackage1" OR name = "MSIPackage2"
Only target computers running Windows XP Professional.
Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
Target only machines that have at least 600 megabytes (MB) available.
Root\CimV2; Select * from Win32_LogicalDisk where FreeSpace > 629145600 AND Description <> "Network Connection"
Make or model
Target Toshiba Tecra models 800 and 810.
Root\CimV2; Select * from Win32_ComputerSystem where manufacturer = "Toshiba" and (Model = "Tecra 800" OR Model = "Tecra 810")