Home / Solution / Restricting Group Policy with WMI Filtering

Restricting Group Policy with WMI Filtering

WMI filters in Group Policy (GPO) permit you to extra flexibly apply insurance policies to purchasers through the use of completely different guidelines. A WMI filter is a set of WMI queries (the WMI Query Language / WQL  is used) that you need to use to focus on computer systems to which a selected group coverage must be utilized. For instance, utilizing the WMI GPO filter, you may apply a coverage linked to an OU solely to computer systems working Windows 10 (a coverage with such a WMI filter gained’t apply to computer systems with different Windows variations).

What are the WMI GPO filters used for?

Typically, group coverage filtering utilizing WMI (Windows Management Instrumentation) can be utilized when a number of area objects (customers or computer systems) are situated within the flat AD construction as a substitute of the separate OU, or if you have to apply group insurance policies, in line with the OS model, community settings, put in software program or another standards that may be chosen utilizing WMI. When the shopper processes such a bunch coverage, Windows will examine its state for compliance with the desired WMI question, and if the filter circumstances are met, the GPO might be utilized to this laptop.

WMI group coverage filters first appeared in Windows XP/Server 2003, and can be found up within the latest Windows variations (Windows Server 2019, 2016 and Windows 10, eight.1).

Create a New WMI Filter and Link it to a GPO

To create a brand new WMI filter, open the Group Policy Management console (gpmc.msc and go to Forest -> Domains -> woshub.com -> WMI Filters. This part comprises all WMI filters in tha AD area. Create a brand new WMI filter (New).

Type the filter identify and its description (non-obligatory). To add a WMI question code to the filter, click on the Add button, specify the identify of the WMI namespace (by default, rootCIMv2) and specify the WMI code.

The following WMI question format is used:

Select * from WHERE =

In this instance, I need to create a WMI filter that enables to use GPO solely to computer systems working Windows 10. The WMI question might appears to be like like this:

Select * from Win32_OperatingSystem the place Version like "10.%" and ProductType="1"

The created WMI filters are saved within the msWMI-Som class objects of the Active Directory area within the part DC=…, CN=System, CN=WMIPolicy, CN=SOM, you’ll find and edit them utilizing the adsiedit.msc.

After you might have created a WMI filter, you may hyperlink it to a selected GPO. Find the specified coverage within the GPMC console and on the Scope tab, within the WMI Filtering part drop-down checklist, choose your WMI filter. In this instance, I need to apply the printer task coverage solely to computer systems working Windows 10.

Wait for this coverage to use to purchasers, or replace it manually with the command gpupdate /power. When analyzing the utilized insurance policies on the shopper, use the command. If the coverage impacts the shopper, however doesn’t apply as a result of WMI filter restrictions, such a coverage could have the standing Filtering: Denied (WMI Filter) within the gpresult report.

GPO WMI Filtering Examples

Let’s take a look at numerous examples of WMI GPO filters which can be mostly used.

With the assistance of the WMI filter, you may select the OS kind:

  • ProductType=1 – any desktop Windows version;
  • ProductType=2 – Active Directory area controller;
  • ProductType=three – Windows Server.

Windows variations:

  • Windows Server 2016 and Windows 10 — 10.%
  • Windows Server 2012 R2 and Windows eight.1 — 6.three%
  • Windows Server 2012 and Windows eight — 6.2%
  • Windows Server 2008 R2 and Windows 7 — 6.1%
  • Windows Server 2008 and Windows Vista — 6.zero%
  • Windows Server 2003 — 5.2%
  • Windows XP — 5.1%
  • Windows 2000 — 5.zero%

You can mix circumstances in a WMI question utilizing the logical operators AND and OR. To apply the coverage solely to servers working Windows Server 2016, the WMI question code might be as follows:

choose * from Win32_OperatingSystem WHERE Version LIKE "10.%" AND (ProductType = "2" or ProductType = "three" )

To choose 32-bit variations of Windows eight.1:

choose * from Win32_OperatingSystem WHERE Version like "6.three%" AND ProductType="1" AND OSArchitecture = "32-bit"

To apply the GPO to 64-bit OS solely:

Select * from Win32_Processor the place AddressWidth = "64"

You can choose Windows 10 with a selected construct quantity, for instance Windows 10 1803:

choose Version from Win32_OperatingSystem WHERE Version like “10.zero.17134” AND ProductType=”1″

Apply coverage to VMWare digital machines solely:

SELECT Model FROM Win32_ComputerSystem WHERE Model = “VMWare Virtual Platform”

Apply coverage solely to laptops (see the article ):

choose * from Win32_SystemEnclosure the place ChassisTypes = "eight" or ChassisTypes = "9" or ChassisTypes = "10" or ChassisTypes = "11" or ChassisTypes = "12" or ChassisTypes = "14" or ChassisTypes = "18" or ChassisTypes = "21"

WMI filter, which applies solely to computer systems whose names start with “lon-pc“(for instance on these units):

SELECT Name FROM Win32_ComputerSystem WHERE Name LIKE ‘lon-pc%’

Another instance of utilizing a WMI filter for focusing on GPO to an IP subnets is described within the article . For instance, to use a coverage to purchasers within the a number of IP subnets, use the WMI question:

Select * FROM Win32_IP4RouteTable WHERE (Mask='255.255.255.255' AND (Destination Like 10.1.1.%' OR Destination Like '10.1.2.%'))

To choose solely units with the RAM over 1 GB:

Select * from WIN32_ComputerSystem the place TotalPhysicalMemory >= 1073741824

WMI filter to verifythat Internet Explorer 11 is put in:

SELECT path,filename,extension,model FROM CIM_DataFile WHERE path="Program RecordsdataInternet Explorer" AND filename="iexplore" AND extension="exe" AND model>"11.zero"

Test GPO WMI Filters utilizing PowerShell

When creating WMI queries, typically you have to get the values of varied WMI parameters on the pc. You can get this information utilizing the Get-WMIObject cmdlet. For instance, I must show the WMI attributes and values of the Win32_OperatingSystem class:

Get-WMIObject Win32_OperatingSystem

SystemDirectory : C:WINDOWSsystem32
Organization    :
BuildNumber     : 17134
RegisteredUser  : Windows User
SerialNumber    : 00331-10000-00001-AA146
Version         : 10.zero.17134

To show all out there class properties:

Get-WMIObject Win32_OperatingSystem| Select *

You can use the PowerShell to check WMI filters on a pc. Suppose you might have written a posh WMI question and need to examine does the pc match this question or not. For instance, you created a WMI filter to examine for the IE 11 on a pc.  You can take a look at this WMI question on the goal laptop utilizing the get-wmiobject cmdlet:
get-wmiobject -query 'SELECT * FROM CIM_DataFile WHERE path="Program RecordsdataInternet Explorer" AND filename="iexplore" AND extension="exe" AND model LIKE "11.%"'

If this command returns one thing, then the pc meets the question circumstances. If the get-wmiobject command returns nothing, the pc doesn’t match the WMI filter question.
For instance, working the desired command on a pc with Windows 10 and IE 11, the command will return:

Compressed : False
Encrypted  : False
Size       :
Hidden     : False
Name       : c:program filesinternet exploreriexplore.exe
Readable   : True
System     : False
Version    : 11.zero.17134.1
Writeable  : True

This implies that IE 11 is put in on the pc and a GPO with such a WMI filter might be utilized to this laptop.

So, we checked out use WMI filters to use GPOs solely to computer systems that meet the completely different WMI queries. It is important to consider the presence of WMI filters when analyzing the explanations for which the sure GPO is just not utilized on the pc.

Check Also

Windows Server Licensing for Virtual Environments

In this text, we’ll look on licensing options of the Windows Server 2019, 2016 and …

Leave a Reply

Your email address will not be published. Required fields are marked *