WMI or Windows Management Instrumentation is a set of standards from Microsoft that provides user with information status of a Windows machine. Information obtained from WMI can be used to create a condition where a specific action or setting may apply, including Group Policy object. Applying WMI filter to Group Policy allows controlling the scope of policy. When a policy with WMI filter is linked to a computer OU, it will be denied on computers where the WMI query result does not match the defined condition. With this way, the administrator can choose which computers that should receive the policy.
Step by Step Applying WMI Filter to Group Policy
We have a scenario. A domain controller installed in Windows Server 2012 R2 has two client computers, one is running Windows 7 and the other is running Windows 10. Both client computers resides in an OU named Workstations. There is a policy object named “W10 Policy” linked to Workstations OU, which actually intended only for Windows 10 clients. To fulfill that requirement, WMI filter will be applied.
Below are screenshots before WMI filter is applied, that shows “W10 Policy” is applied on both Windows 7 and Windows 10 client computers.
GPresult on Windows 7 before WMI filter applied
GPresult on Windows 10 before WMI filter applied
The step by step to apply WMI filter is actually very simple
1. Create the WMI filter
On Group Policy Management console, right click WMI Filters and select New
2. Adding WMI query
Give appropriate name and description to the WMI filter, in this example the filter name is “Global 10.x”. After that, click Add button to start adding WMI query.
3. Writing WMI query
Select the appropriate namespace and write the query. In this example we’re querying Version attribute inside Operating System class under Win32 provider. You can check this WMI reference from Microsoft for other WMI providers and classes that can be used in the query. Click OK to add the query then save the filter.
4. Apply WMI filter to policy object
Back to Group Policy Management console, click the policy name where we want to apply the WMI filter. Then on the right side, there will be a section named WMI Filtering where we can select the WMI filter that we just created on the drop-down menu.
Verification
Changes will be reflected to clients during periodic policy refresh or manually using command gpupdate /force. When WMI filter applied, the policy will no longer takes effect on client computers that are not matched with the defined condition. To verify, run command gpresult /R /SCOPE COMPUTER on cmd.
As can be seen in screenshot below, in Windows 7 the “W10 Policy” has been taken out from applied policy objects and is now being denied. We can also see the WMI filter name that blocks this policy from being applied, which is “Global 10.x”.
On the other hand, in Windows 10 the policy can still be found under applied policy objects as shown in screenshot below.
This result showed that the defined condition on WMI filter works as expected. There are lots of other attributes that can be used as the condition, such as OS settings, registry, storage, event log, etc, depending on the requirements. And that’s how applying WMI filter to Group Policy can help administrator to gain better control on policy scope.
You may also like -
Arranda Saputra
Latest posts by Arranda Saputra (see all)
- How to Move Documents Folder in Windows 10 - August 31, 2020
- How to Move Desktop Folder in Windows 10 - August 31, 2020
- Restore DHCP Server in Windows Server 2012 R2 - January 9, 2020