Understanding Group Policy WMI Filtering

Group Policy WMI Filtering is a powerful feature that allows administrators to apply Group Policy Objects (GPOs) and Group Policy preferences based on specific attributes of target computers, servers, and users. By leveraging Windows Management Instrumentation (WMI) queries, IT professionals can create highly targeted and dynamic GPOs that respond to the unique needs of their environment.

We’ll cover WMI Filtering, its benefits, setup, best practices, and troubleshooting tips. Whether you need to enhance security, streamline management, or customize user experiences, mastering WMI Filtering can significantly improve your Group Policy settings strategy.

Setting up a Group Policy WMI Filter

Next, I’ll demonstrate how to create WMI Filters using the Group Policy Management Console (GPMC). But first, let me assist you in verifying you have all your ducks in a row before you start.

Prerequisites

The only prerequisites are to have the necessary administrative privileges to create and edit GPOs and WMI Filters. Typically, you need to be in either Domain Admins or Group Policy Creator Owners group in Active Directory.

Also, ensure you have access to the Group Policy Management Console (GPMC) and can launch it.

Using the Group Policy Management Console

There are several ways to open the GPMC, but the easiest method is to:

• Click the Start button
• Start typing ‘group’
• Click on the ‘Group Policy Management‘ item.

You probably noticed the ‘WMI Filters‘ category item on the left. Go ahead and click it. Based on your environment, you may or may not see any existing entries. Let’s create one right now to limit the application of a GPO to Windows 11 devices only.

• You can either right-click on the ‘WMI Filters‘ item on the left, or any ‘white space’ on the right pane. Choose ‘New…‘

• Type in the Name and Description of your new filter.
• Then, click the ‘Add‘ button. You’ll be presented with the ‘WMI Query’ dialog.
• In the ‘Query:‘ field, this is where all the magic happens.

We use ‘SQL’-like code, called WQL, to filter for specific criteria or attributes of devices.

To filter for all Windows 11 devices, we can use this query text:

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.22000%" OR Version LIKE "10.0.22621%" OR Version LIKE "10.0.22631%" OR Version LIKE "10.0.26100%"

We’re reading the ‘Win32_OperatingSystem’ table and matching it against the internal version numbers of Windows 11 versions. Version 21H2, the initial version of Windows 11, is based on build 10.0.22000. And, jumping to the most recent, as of this writing, 10.0.26100 is based on Windows 11 24H2.

• Click Save at the end.

Using PowerShell to create a Group Policy WMI Filter

Of course, you can also use PowerShell to accomplish your duties related to WMI Filtering using New-GPWmiFilter. Let’s get started with a straightforward command to create a similar WMI Filter based on Windows 10.

New-GPWmiFilter -Name "Windows 10 Device Filter" -Description "This filter applies to all Windows 10 devices" -Query "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.% AND OperatingSystemSKU = 27"

How do I associate a WMI Filter with a GPO?

Now that we have a new filter, how do we apply it? It’s quite simple.

• Browse to the GPO you want to apply the filter.
• At the bottom of the window, you’ll see the ‘WMI Filtering‘ section. Click the dropdown menu and choose your new filter.
• I chose my new ‘Windows 11 – Start Menu & Taskbar‘ filter.

When Group Policy is recalculated, and this specific GPO is read, it will only apply it if the Windows version of the device is ‘Windows 11.’ At that point, the specific settings in this policy related to the Start Menu and the Taskbar will apply.

Importance of targeted Group Policy application

In the wonderful aura of IT management, the ability to apply policies precisely and controlled is paramount. As environments grow more complex, a one-size-fits-all approach to policy application is less effective. This is where Group Policy WMI Filtering emerges as a critical tool for admins. If you need to target a specific computer, a specific browser, or specific aspects of network security, WMI Filters are for you.

Understanding WMI Filtering

Targeted policy application through WMI Filtering allows administrators to specify exactly which users and computers should receive particular GPOs based on various attributes and conditions. This precision ensures that policies are applied only where they are relevant and needed, enhancing security and efficiency. You can target desktop computers, Windows Server, and even virtual machines (VMs).

Purpose of Group Policy WMI Filtering

By leveraging WMI Filtering and WMI queries, administrators can create dynamic and flexible filters that respond to the unique characteristics of each target device, such as:

• operating system version
• hardware specs/configuration
• or even Registry settings.

WMI Filtering is rather powerful – you can filter on all sorts of attributes of your devices like ‘Windows Server’, ‘Windows Vista’, ‘Windows XP’, ‘Domain Controllers’, and even ‘the correct version of Windows.’ You can also filter based on ’64-bit’ or ’32-bit’ operating systems.

You likely get the point; you can filter GPOs based on these high-level concepts. You want to make certain the correct GPO gets applied to the right workstation.

Benefits of WMI Filtering

Let me list the major benefits of using WMI Filtering within Group Policy Management.

• Enhanced Security: By applying security policies only to the appropriate devices and users, organizations can reduce attack surfaces and mitigate risks. For instance, applying stricter security settings to devices that handle sensitive data ensures that these critical systems are better protected.
• Optimized Performance: Targeted policies prevent unnecessary configurations from being applied to devices that do not require them. This helps in maintaining optimal system performance and avoids potential conflicts that could arise from irrelevant policy settings.
• Simplified Management: With WMI Filtering, administrators can manage diverse IT environments more efficiently. By tailoring GPOs to specific scenarios, they can reduce the complexity of policy management and ensure that each device receives only the most pertinent configurations.

WMI Filter best practices

Before you launch into setting up WMI Filters in your environment, you should be accustomed to the following overall best practices. Read on to learn more.

Write Efficient Queries:

• Simplicity: Keep your WMI queries as simple and efficient as possible to reduce processing overhead.
• Testing: Test your queries thoroughly in a lab environment to ensure they return the expected results and perform well.

Plan and Document Your Filters:

• Planning: Before creating WMI filters, plan your requirements and understand the attributes you need to filter on.
• Documentation: Document your WMI filters, including the purpose, WMI query, and the GPOs to which they are linked. This helps in maintaining clarity and ease of management.

Use Descriptive Names and Comments:

• Naming: Use clear and descriptive names for your WMI filters to easily identify their purpose.
• Comments: Add comments to your WMI queries to explain their logic and intended use.

Use case examples

Here are a few more examples of using WMI Filters. First off, what if you needed to target devices with greater than 8 GB of RAM? Simple, use this query language:

SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory > 8589934592

Another common distinction would be filtering out desktops and laptops. Use this query for that purpose:

SELECT * FROM Win32_SystemEnclosure WHERE ChassisTypes = 8

This will filter out the devices with a specific power management setting (in this case, “8”). This signifies a system enclosure type of ‘Laptop’.

Another powerful filter is the ‘producttype’ filter. This filter is used to target policies based on the type of Windows operating system on a computer. This filter checks the Win32_OperatingSystem class to determine whether the system is a workstation, domain controller, server, etc. You could set a WMI filter to ‘2’ and the resultant policy would only apply to servers configured as Domain Controllers.

In the context of this article, a single membership group refers to a WMI filter that targets devices based on their membership in a specific AD security group. The filter checks the ‘RSOP_SecurityGroupMembership’ class. This is helpful when setting up policies to only target often arbitrary devices in a single security group.

Troubleshooting WMI Filtering

An article like this would be incomplete if it didn’t conclude with some troubleshooting tactics. Let me list the most common scenarios you’ll encounter when troubleshooting WMI Filters with Group Policy.

1. Let’s start with the basics – the WMI Service. Check the Windows Services on a target device and make sure the WMI service (Winmgmt) is running.
2. Next, validate the integrity of the WMI Repository. Run the first command to make sure the repository is stable. If not, you can run the second command to attempt to ‘repair’ it. If that also fails, run the last command to reset it to ‘factory standards.’

winmgmt /verifyrespository
winmgmt /salvagerepository
winmgmt /resetrepository

Please feel free to leave a comment or question!