Mark Austin
June 12th, 2011

Active Directory Group Policy and WMI Filters

The scope of a Group Policy Object (GPO) can be controlled with WMI filters, based on criteria such as operating system version or hardware specifications. A WMI filter consists of one or more queries, and if all queries evaluate to true then the GPO linked to the filter will be applied.

WMI queries are composed using the WMI Query Language (WQL), which is a SQL-like language. Queries can be combined with logical operators and each query is executed against a particular WMI namespace. When you create a query, you must specify the namespace. The default namespace is root\CIMv2, which is appropriate for most WMI queries.

The WMI filter is a separate object from the GPO in the directory. To apply a WMI filter to a GPO, you link the filter to the GPO, which is shown in the WMI filtering section on the scope tab of a GPO in GPMC. A GPO can only have a single WMI filter, but the same WMI filter can be linked to multiple GPOs. WMI filters are evaluated on the target computer and applied whenever a Group Policy update is triggered.

Example 1 – Checking the Operating System Version

The Win32_OperatingSystem class is used to query operating system information. For instance, the following query can be used to check the operating system is Windows 7 or above:

Select * from Win32_OperatingSystem where Version >= 6.1

The above query will also include Windows Server 2008 R2, but we can refine this query and check the ProductType to restrict the query to desktop operating systems:

Select * from Win32_OperatingSystem where Version >= 6.1 and ProductType = 1

ProductType Values

ProductType Values

Example 2 – Checking the System Type

The Win32_ComputerSystem class is used to query the system type. For instance, the following query can be used to check for a mobile system:

Select * from Win32_ComputerSystem where PCSystemType = 2

PCSystemType Values

PCSystemType Values

More from the Blog

Related technology and security insights

  • 13
  • Story related

    WannaCry Ransomware goes global

    On Friday, a cyber attack on an unprecedented scale struck a wide range of organizations in over 99 countries across the globe. The ransomware attack, known as WanaCry or WanaCrypt0r shut down IT systems in NHS hospitals and GP surgeries ...
  • 19
  • The culture shock (Part 2)

    In part 1, I discussed the importance of understanding your company’s culture when embarking on ...