WMI filtering

Windows Management Instrumentation (WMI) filters are another method that we can use to filter the Group Policy target. This method can be used to filter only computer objects, and it is based on computer attribute values. As an example, WMI filters can be used to filter on different operating system versions, processor architecture (32-bit/64-bit), Windows Server roles, registry settings, event ID, and so on. A WMI filter runs its query against the WMI data of the computer to decide whether the policy should apply. If the computer matches the WMI query, it processes the Group Policy; if the result is false, it does not process the Group Policy. This method was first introduced with Windows Server 2003.

We can use GPMC to create/manage WMI filters. Before applying a filter to a GPO, first, we need to create it. A single WMI filter can be attached to many GPOs, but a GPO can have only a single WMI filter attached.

To create a WMI filter, open GPMC, right-click on WMI Filters, and click on New:

It will open up a new window where we can define the WMI query:

By clicking on the Add button, we can define Namespace and WMI Query. As an example, I have created a WMI query to filter the Windows 10 operating system running the 32-bit version:

select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

The following are a few examples of commonly used WMI queries:

To filter for the 64-bit version of Windows 8, use the following query:

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND OSArchitecture = "64-bit"

To filter for the 32-bit version of Windows 8, use the following query:

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

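To filter for any 64-bit Windows Server OS, use the following query. The parentheses around the two ProductType tests are required: AND binds more tightly than OR, so without them every computer with ProductType = "2" would match regardless of its architecture:

select * from Win32_OperatingSystem where (ProductType = "2" OR ProductType = "3") AND OSArchitecture = "64-bit"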

To apply a policy on a selected day of the week, use the following query:

select DayOfWeek from Win32_LocalTime where DayOfWeek = 1

Day 1 is Monday.

Once the WMI filter is created, it needs to be attached to the GPO. To do that, go to GPMC and select the required GPO. Then, under the WMI Filtering section, select the required WMI filter from the drop-down box:

Now it is time for testing. Our test query is to target 32-bit Windows 10 operating systems. If I try to run it over a 64-bit operating system, it should not apply. We can check this by running gpupdate /force to apply a new Group Policy and gpresult /r to check the results:

The test was successful, and the policy was blocked because I was running the 64-bit version of Windows 10.

Now we know how we can apply these different filtering options to target a specific object for a GPO. But in what order will all these apply?
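
Before attaching a filter and waiting on gpupdate and gpresult, the queries from this section can be evaluated directly on a target computer. The following PowerShell is an added example, not part of the original text; Test-WmiFilterQuery is a hypothetical helper name, and the default namespace root\CIMv2 is an assumption that fits the Win32_ classes used above.

```powershell
# Added example (not from the original text). Test-WmiFilterQuery is a hypothetical helper.
# A WMI filter is true when its query returns at least one instance, so running
# the query locally shows how this computer would evaluate the filter.
function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'   # assumed namespace for the Win32_ classes
    )
    try {
        $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        [pscustomobject]@{ Filter = $Name; Valid = $true; Applies = ($rows.Count -gt 0); Error = $null }
    }
    catch {
        # Report a malformed query or a wrong namespace instead of a bare "false".
        [pscustomobject]@{ Filter = $Name; Valid = $false; Applies = $false; Error = $_.Exception.Message }
    }
}

# Queries from this section. The server query groups the two ProductType tests
# in parentheses so that the architecture test applies to both of them.
$filters = [ordered]@{
    'Windows 10, 32-bit'     = 'select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"'
    'Windows 8, 64-bit'      = 'select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND OSArchitecture = "64-bit"'
    'Windows Server, 64-bit' = 'select * from Win32_OperatingSystem where (ProductType = "2" OR ProductType = "3") AND OSArchitecture = "64-bit"'
    'Mondays only'           = 'select DayOfWeek from Win32_LocalTime where DayOfWeek = 1'
}

# The attribute values the queries are compared against on this computer.
Get-CimInstance -ClassName Win32_OperatingSystem |
    Select-Object Caption, Version, ProductType, OSArchitecture |
    Format-List

# One row per filter: whether the query is valid and whether it matches here.
$filters.GetEnumerator() |
    ForEach-Object { Test-WmiFilterQuery -Name $_.Key -Query $_.Value } |
    Format-Table -AutoSize -Wrap
```

A row with Valid = False points to a syntax or namespace problem in the query itself rather than to a computer that simply does not match.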

  • LSDOU: The first filtering option will be based on the order in which policies are placed in the domain structure. This has been covered in an earlier section of this chapter in detail.
  • WMI filters: The next check is the WMI filtering, which you learned about in this section. If the result is true, processing goes to the next step. If the result is false, the Group Policy does not apply.
  • Security settings: As a last step, it will look into security filtering and check whether the given security criteria have been met. If they are met, it will process the Group Policy.