Applying a WMI filter to our GPO

Let's work together to apply WMI filters to some of our existing GPOs. I need to treat the Windows Firewall rules differently based upon whether or not a machine is a laptop. Effectively, I want my laptops to have some specific firewall settings and rules that I have defined inside a GPO called Set Firewall Rules for Laptops. On the flip side, any machine in my network that is not a laptop doesn't need the Windows Firewall running at all, so I have a second GPO named Disable Windows Firewall.

I could accomplish this scenario by using an AD Security Group and the GPO Security Filtering section, but that means I need to create the group and then add all of my laptop computers into that group. Sounds like a pain. I could also do some really creative things with WMI to make it self-identify the hardware and probably determine what is or is not a laptop purely from the WMI side of the house, but that is too complicated for a simple example like this, and since I have numerous different kinds of laptop hardware, I'm not sure that WMI query would be perfect anyway.

Instead of any of that, I have smartly named all of the domain-joined devices in my network with hostnames that indicate what kind of a system they are. Most importantly, all laptops in my domain have names that begin with the word "LAPTOP". This is something that I can easily query with a WMI filter, the hostname of the device. Using this information, we will cause the Set Firewall Rules for Laptops GPO to apply to all laptop computers, and Disable Windows Firewall on all non-laptops.

First, we must create the WMI filter itself. Open up GPMC and find the folder called WMI Filters. It is listed just below the Group Policy Objects folder. Right-click on WMI Filters, and select New.

Now populate Name and Description, and Add in the WMI query or queries that you want to be included with this filter, as I have done in the following screenshot. The following query will filter to computers whose hostnames include the word LAPTOP:

Select * From Win32_OperatingSystem Where (CSName like '%LAPTOP%')

Click Save, and you can see our new WMI filter inside GPMC. In fact, while I am here, I am going to create a second WMI filter that does the opposite. The following query will identify computers whose hostnames do not include the word LAPTOP:

Select * From Win32_OperatingSystem Where Not (CSName like '%LAPTOP%')

Now, both of my WMI filters are visible inside GPMC:

Just like with GPOs, these new WMI filters are created but they don't actually do anything until you associate them. In order to do that, we simply select the GPO to which we want a filter to apply, and visit the Scope tab. Underneath our Security Filtering section, you will see another section entitled WMI Filtering. Inside this screen is a simple drop-down menu where you can select one of our existing WMI filters. Once selected, that WMI filter is applied to the GPO. In our screenshot, I am choosing to require the Computers with hostnames including "LAPTOP" WMI filter for the Set Firewall Rules for Laptops GPO. Then I have also selected the Disable Windows Firewall GPO and chosen the Computers with hostnames NOT including "LAPTOP" WMI filter to be applied there. You can see that both of my new GPOs are linked to the HR Department OU, but now when these GPOs process, the firewall settings will land on all of my laptop computers, and the firewall will be disabled on all non-laptop computers:
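Before relying on these filters, it is worth confirming how each query evaluates on a given machine, since the non-matching side ends up with its firewall disabled. The following PowerShell is an added example, not part of the original text: it runs the two queries from this section locally, checks that exactly one matches, and then previews the pattern against a few constructed hostnames to show that '%LAPTOP%' matches the word anywhere in the name, not only at the beginning.

```powershell
# Added example: evaluate the two WQL filters from this section on the local machine.
# Get-CimInstance queries root\CIMv2 by default, the same namespace GPMC offers
# by default when you add a query to a WMI filter.
$filters = [ordered]@{
    'Set Firewall Rules for Laptops' = "Select * From Win32_OperatingSystem Where (CSName like '%LAPTOP%')"
    'Disable Windows Firewall'       = "Select * From Win32_OperatingSystem Where Not (CSName like '%LAPTOP%')"
}

$results = foreach ($gpo in $filters.Keys) {
    # A WMI filter is true when its query returns at least one instance.
    $instances = @(Get-CimInstance -Query $filters[$gpo] -ErrorAction Stop)
    [pscustomobject]@{
        GPO           = $gpo
        FilterMatches = ($instances.Count -gt 0)
        Query         = $filters[$gpo]
    }
}
$results | Format-Table -AutoSize -Wrap

# The two filters are meant to be complementary: exactly one should match.
$matched = @($results | Where-Object { $_.FilterMatches })
if ($matched.Count -eq 1) {
    Write-Output "$env:COMPUTERNAME would receive: $($matched[0].GPO)"
} else {
    Write-Warning "Expected exactly one filter to match $env:COMPUTERNAME, got $($matched.Count)."
}

# Offline preview with constructed hostnames (not from the original text).
# PowerShell's -like with * mirrors WQL's LIKE with %; both ignore case.
$sampleNames = 'LAPTOP-HR-014', 'HR-LAPTOP-02', 'DESKTOP-HR-007', 'LAPTOPCART-PC'
$preview = foreach ($name in $sampleNames) {
    [pscustomobject]@{
        Hostname         = $name
        ContainsLaptop   = ($name -like '*LAPTOP*')   # the filter as written: '%LAPTOP%'
        BeginsWithLaptop = ($name -like 'LAPTOP*')    # prefix-only variant: 'LAPTOP%'
    }
}
$preview | Format-Table -AutoSize
```

Any hostname flagged False in the ContainsLaptop column falls under the Disable Windows Firewall GPO, so a laptop that was named outside the convention is worth catching here rather than after policy has processed.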
