How to configure WMI filters for Group Policy to better manage your Windows clients

Using the Windows Management Infrastructure framework, Windows admins can create filters that apply GPOs in creative ways to provide more granularity over system management in Active Directory.

Businessman explaining the plan

Image: iStockphoto/BongkarnThanyakij

Admins tasked with managing Windows clients of all sizes have long known the virtues of implementing Group Policy to manage software and security settings to lock down devices on corporate networks. The flexibility of being able to centrally manage clients by applying policies to devices joined to an Active Directory (AD) domain allows IT pros to get as holistic or granular in their management of devices as necessary.

Due to their intertwined nature, much of the how, when, and why policies get applied will depend on the design structure of the AD schema and how devices are stored within the organizational units. However, despite our best efforts, admins at one time or another encounter scenarios that require a setup that the existing design structure does not allow for. Other times—such as in larger forests—policies may only need to be deployed to all devices that meet specific requirements with others that do not meet these requirements, effectively ignoring such a policy.

For instances such as these, or those that require a bit more granularity when deploying to targeted systems or groups of systems, a Windows Management Instrumentation (WMI) filter will be your best choice. By creating a customized filter and assigning it to one or more policies, this will ensure that the respective policies will only act upon devices meeting the criteria expressly stipulated in the filter—regardless of where that policy is linked within the hierarchy.

SEE: How to choose between Windows, macOS, and Linux (free PDF) (TechRepublic)

Below I've illustrated a few scenarios where WMI filters serve as an effective manner with which to deploy a policy to a targeted group of devices with minimal administrative effort. Additionally, once WMI filters have been created, they can be accessed and reused as needed.

Requirements for creating our custom filters

Server running Windows Server 2008 R2 or later and the following roles:

  • Active Directory Domain Services
  • PC running Windows 7 or later
  • Remote Server Administration Tools for Windows
  • Domain Admin credentials

How to create a filter that targets 64-bit OSs only

  1. Launch the Group Policy Management Console (GPMC). Change the domain controller (if necessary) that you wish to create the WMI filter on. Expand the Domains | Domain name | WMI Filters nodes.
  2. Right-click the root of the WMI Filters node, then click New from the context menu to bring up the window to create a new filter.
  3. In the Name text box, enter a descriptive name of what the purpose of the filter is. Additionally, in the Description text box, you may optionally enter a more detailed description of what actions the WMI filter will provide.
  4. Click the Add button to populate the Namespace entry. By default, the root\CIMv2 namespace will be added. Depending on the intended action of the WMI filter, this may or may not change. For the purposes of this exercise, let's leave it as is.
  5. We will be modifying the query that is the logic that will be run against the namespace to create our filtering capability. In this case, in the Query text box, enter the following query:
select * from Win32_OperatingSystem where OSArchitecture = "64-Bit"

6. Click the OK button to save the query, then click the Save button to save the filter.

How to create a filter that targets Server OSs only

1. Follow steps 1-4 for creating a filter that targets 64-bit OSs only (above). Enter the following query:

select * Win32_OperatingSystem where Version like "10.0%" and ProductType ="3"

2. Click the OK button to save the query, then click the Save button to save the filter.

How to create a filter that targets a specific make/model computer only

1. Follow steps 1-4 in the previous section. Enter the following query:

select * Win32_ComputerSystem where Manufacturer = "Hewlett-Packard" and Model = "HP ProBook 640 G2" or Model = "HP ProBook 640 G3"

2. Click the OK button to save the query, then click the Save button to save the filter.

How to apply WMI filters to Group Policy Objects (GPOs)

  1. From the GPMC, navigate to an OU where you have the desired GPO linked.
  2. Click on the GPO to view its properties. Under the Scope tab, scroll down to the bottom of the window under the WMI Filtering headline.
  3. By default, the drop-down menu should be set to <None>. Click on it to reveal any WMI Filters that have been created for that domain and select the filter you wish to add to the policy to enable it.

Once you get the hang of creating filters and applying them to perform specific tasks on targeted systems, you can begin to link and chain WMI queries together to form granular filters that drill down to specific devices for nearly endless management scoping capabilities.

Also see