Applying WMI Filter to Group Policy

Spread the love




WMI or Windows Management Instrumentation is a set of standards from Microsoft that provides user with information status of a Windows machine. Information obtained from WMI can be used to create a condition where a specific action or setting may apply, including Group Policy object. Applying WMI filter to Group Policy allows controlling the scope of policy. When a policy with WMI filter is linked to a computer OU, it will be denied on computers where the WMI query result does not match the defined condition. With this way, the administrator can choose which computers that should receive the policy.

Step by Step Applying WMI Filter to Group Policy

We have a scenario. A domain controller installed in Windows Server 2012 R2 has two client computers, one is running Windows 7 and the other is running Windows 10. Both client computers resides in an OU named Workstations. There is a policy object named “W10 Policy” linked to Workstations OU, which actually intended only for Windows 10 clients. To fulfill that requirement, WMI filter will be applied.

Applying WMI Filter to Group Policy - 1

Below are screenshots before WMI filter is applied, that shows “W10 Policy” is applied on both Windows 7 and Windows 10 client computers.

GPresult on Windows 7 before WMI filter applied



Applying WMI Filter to Group Policy - 2

GPresult on Windows 10 before WMI filter applied

Applying WMI Filter to Group Policy - 3

The step by step to apply WMI filter is actually very simple

1. Create the WMI filter
On Group Policy Management console, right click WMI Filters and select New

Applying WMI Filter to Group Policy - 4

2. Adding WMI query
Give appropriate name and description to the WMI filter, in this example the filter name is “Global 10.x”. After that, click Add button to start adding WMI query.

Applying WMI Filter to Group Policy - 5

3. Writing WMI query
Select the appropriate namespace and write the query. In this example we’re querying Version attribute inside Operating System class under Win32 provider. You can check this WMI reference from Microsoft for other WMI providers and classes that can be used in the query. Click OK to add the query then save the filter.

Applying WMI Filter to Group Policy - 6

4. Apply WMI filter to policy object
Back to Group Policy Management console, click the policy name where we want to apply the WMI filter. Then on the right side, there will be a section named WMI Filtering where we can select the WMI filter that we just created on the drop-down menu.

Applying WMI Filter to Group Policy - 7

Verification

Changes will be reflected to clients during periodic policy refresh or manually using command gpupdate /force. When WMI filter applied, the policy will no longer takes effect on client computers that are not matched with the defined condition. To verify, run command gpresult /R /SCOPE COMPUTER on cmd.

As can be seen in screenshot below, in Windows 7 the “W10 Policy” has been taken out from applied policy objects and is now being denied. We can also see the WMI filter name that blocks this policy from being applied, which is “Global 10.x”.

Applying WMI Filter to Group Policy - 8

On the other hand, in Windows 10 the policy can still be found under applied policy objects as shown in screenshot below.

Applying WMI Filter to Group Policy - 9

This result showed that the defined condition on WMI filter works as expected. There are lots of other attributes that can be used as the condition, such as OS settings, registry, storage, event log, etc, depending on the requirements. And that’s how applying WMI filter to Group Policy can help administrator to gain better control on policy scope.

 




The following two tabs change content below.

Arranda Saputra

ITIL Certified, CCNA, CCDA, VCP6-DCV, MCSA Administering Windows Server 2012
I am IT practitioner in real life with specialization in network and server infrastructure. I have years of experience in design, analysis, operation, and optimization of infrastructure solutions for enterprise-scaled network. You can send me a message on LinkedIn or email to arranda.saputra@outlook.com for further inquiry regarding stuffs that I wrote or opportunity to collaborate in a project.

Latest posts by Arranda Saputra (see all)

scroll to top