Group Policy: WMI Filters User Guide in Domain Environment
What are WMI filters and how do you use them? Understanding Windows Management Instrumentation
What are WMI Filters?
WMI filters are a technology, available since Windows Server 2003, that helps us control and manage Windows operating system objects locally or remotely. Thanks to Windows Management Instrumentation (WMI), we can filter even fairly complex cases, especially in centrally managed environments, by classifying servers, clients and users without the need for third-party tools. WMI is not only used by system admins; programmers can also use it when they need to interact with Windows operating systems. In this article I will focus on what it means for system admins.
Group Policy is a must for a centrally managed structure. When applying GPOs in a domain environment, we often cannot apply the same policy to everyone because of inventory types, operating system versions and many other reasons. Some computers or servers may have Fidelio, SAP or Adobe products installed, while others may not have enough resources. Some computers may be workstations with 64 GB of memory, while others may be 32-bit legacy or junk devices with limited resources. Since creating an OU (Organizational Unit) for each difference would be illogical and difficult to manage, WMI filters come into play to manage these differences together.
In summary, WMI filters are an additional feature that lets you apply different policies to multiple domain objects (user/computer) in the same management unit in an Active Directory environment. In other words, if two computers in the same OU in the same forest have different operating systems, we can apply one GPO to the first and a different GPO to the second. This is convenient and avoids confusion. In the companies I consult for, WMI filters are sometimes perceived as a difficult subject to understand. In fact, when used well, they provide great convenience and simplicity. For this reason, I wanted to write an article.
WMI Filters Basic Concepts
WMI filter queries are similar to SQL syntax, so they are easier to understand for people who have experience with SQL queries.
To create a WMI filter, open the Group Policy Management console, right-click the WMI Filters node and click New. There is no OU, domain or site limit on where a created WMI filter can be used, but each Group Policy object can receive only one WMI filter. Filters cannot be nested inside one another on a Group Policy Object. For example, a filter that selects machines with 64-bit Windows 10 cannot be combined with a query from a different WMI filter that selects machines whose names start with the three letters "ABC". However, more than one query can be added to a single WMI filter. Let's look at some example WMI queries.
ProductType=1 — Any Windows Workstation Version
ProductType=2 — Active Directory Domain Controller
ProductType=3 — Any Windows Server Edition
Logical operators such as AND and OR are supported in WMI filters, for example (ProductType = "2") OR (ProductType = "3").
Version patterns for selecting some operating systems
Windows Server 2016 and Windows 10 — "10.%"
Windows Server 2012 R2 and Windows 8.1 — "6.3%"
Windows Server 2012 and Windows 8 — "6.2%"
Windows Server 2008 R2 and Windows 7 — "6.1%"
Windows Server 2008 and Windows Vista — "6.0%"
Windows Server 2003 — "5.2%"
Some Useful Examples of WMI Filters
A query that can be used on machines running Windows Server operating systems:
Select * from Win32_OperatingSystem where (ProductType = "3")
Query for machines with Windows 10 installed:
select * from Win32_OperatingSystem WHERE Version LIKE "10.%" AND (ProductType = "1")
Query to filter machines with more than 4 GB of memory:
Select * from Win32_ComputerSystem where TotalPhysicalMemory >= 4073741824
Query to select machines with Internet Explorer 11 installed:
SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version>"11.0"
Query for virtual machines in a VMware environment:
SELECT Model FROM Win32_ComputerSystem WHERE Model = "VMWare Virtual Platform"
How to check machines in a specific IP address range via WMI filters?
SELECT * FROM Win32_IP4RouteTable
WHERE
(Mask='255.255.255.0' AND NextHop='192.168.1.1')
OR
(Mask='255.255.255.0' AND NextHop='192.168.2.1')
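Let's write more complex queries. This query shows Windows 10 computers (also Server 2016) that have Google Chrome installed but do not have Adobe Acrobat installed. It is written in simplified form to show the logic: Win32_ComputerSystem does not expose OperatingSystem or InstalledSoftware properties, so treat it as an illustration rather than a query to paste into a filter.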
SELECT Name, OperatingSystem, InstalledSoftware
FROM
Win32_ComputerSystem
WHERE
OperatingSystem = "Windows 10"
AND InstalledSoftware = "Google Chrome"
AND InstalledSoftware NOT LIKE "Adobe Acrobat"
How the query works:
Name | OperatingSystem | InstalledSoftware
------- | -------- | --------
Computer | Windows 10 | Google Chrome
Server | Windows Server 2016 | Adobe Acrobat
Let’s go deeper
If Adobe Acrobat is installed on a computer, how do we make .pdf files open with Adobe Acrobat by default? WMI alone is not enough for this, but it is very useful here. This case is also helpful for understanding WMI filters.
Step 1:
This WMI filter shows us which computers have Adobe Acrobat Reader installed (it uses the same illustrative InstalledSoftware property as the query above).
SELECT Name,
OperatingSystem,
InstalledSoftware
FROM
Win32_ComputerSystem
WHERE
InstalledSoftware = "Adobe Acrobat"
Step 2:
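A PowerShell script to run on computers that meet the above condition:
# Sets Adobe Acrobat as the default application for files with the .pdf extension.
# Usage:
#   Set-DefaultApp.ps1
# Deploy it through the GPO that carries the Step 1 WMI filter. The filter selects the
# computers, so the script only changes the machine it runs on and does not query
# Active Directory (AD computer objects have no InstalledSoftware attribute to filter on).
$pdf = ".pdf"
$app = "Adobe Acrobat"
# The registry path is the one this article uses; confirm on a test machine that
# .pdf files actually open with Acrobat afterwards.
$key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\AppAssociations\$pdf"
# Set-ItemProperty fails if the key does not exist yet, so create it first.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}
Set-ItemProperty -Path $key -Name "Default" -Value $app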
Now you can deploy the PowerShell script via Group Policy.
Next, I select the WMI filter for the script I created.
Now everything is ready for publishing in the domain environment.
Note: The "Win32_Product" class and "InstalledSoftware" class can often cause performance issues. Consider an alternative WMI class or PowerShell scripts for better performance.
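A registry-based check is one such alternative, shown here as an added example that is not from the original article: querying Win32_Product makes Windows Installer run a consistency check on every installed MSI package, while reading the Uninstall keys only reads the registry. Get-InstalledSoftware is a hypothetical helper name, and the display-name patterns are assumptions to verify against a reference machine.

```powershell
# Added example: list installed software from the Uninstall registry keys
# instead of Win32_Product. Get-InstalledSoftware is a hypothetical helper name.
function Get-InstalledSoftware {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $NamePattern    # wildcard, e.g. 'Adobe Acrobat*'
    )
    # Per-machine install records: native view and 32-bit view (WOW6432Node).
    # Per-user installs under HKCU are not covered by this check.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.PSObject.Properties['DisplayName'] -and $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

# The scenario from this article: Google Chrome present, Adobe Acrobat absent.
# Display-name patterns are assumptions; check the real DisplayName values first.
$chrome  = @(Get-InstalledSoftware -NamePattern 'Google Chrome*')
$acrobat = @(Get-InstalledSoftware -NamePattern 'Adobe Acrobat*')

if ($chrome.Count -gt 0 -and $acrobat.Count -eq 0) {
    'Match: Google Chrome is installed and Adobe Acrobat is not.'
} else {
    "No match (Chrome entries: $($chrome.Count), Acrobat entries: $($acrobat.Count))."
}
```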
Testing: It is important to always test these types of queries. Test on a small group of machines to see if you get the results you want.
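One way to run that test before linking the GPO, as an added example that is not part of the original article: the function below evaluates each WQL query of a filter on a machine and reports whether a GPO carrying that filter would apply there. A filter with several queries passes only if every query returns at least one instance; Test-WmiFilter is a hypothetical helper name, and the two sample queries are taken from the examples earlier in this article.

```powershell
# Added example: evaluate the queries of a WMI filter the way Group Policy does.
# Test-WmiFilter is a hypothetical helper name, not a built-in cmdlet.
function Test-WmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Query,   # one WQL string per filter query
        [string] $Namespace = 'root\CIMv2',
        [string] $ComputerName                      # omit to test the local machine
    )
    $results = foreach ($wql in $Query) {
        $cimArgs = @{ Namespace = $Namespace; Query = $wql; ErrorAction = 'Stop' }
        if ($ComputerName) { $cimArgs['ComputerName'] = $ComputerName }
        try {
            $count = @(Get-CimInstance @cimArgs).Count
            [pscustomobject]@{ Matched = ($count -gt 0); Instances = $count; Error = $null; Query = $wql }
        }
        catch {
            # Invalid WQL or a missing class is counted as "no match",
            # so a typo never looks like a hit.
            [pscustomobject]@{ Matched = $false; Instances = 0; Error = $_.Exception.Message; Query = $wql }
        }
    }
    [pscustomobject]@{
        # The filter is true only when every query returned at least one instance.
        Applies = -not (@($results).Matched -contains $false)
        Queries = @($results)
    }
}

# Sample filter built from two queries shown earlier in this article.
$filter = @(
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%" AND ProductType = "1"',
    'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 4073741824'
)
$check = Test-WmiFilter -Query $filter
$check.Queries | Format-Table Matched, Instances, Error, Query -AutoSize
"GPO with this filter would apply here: $($check.Applies)"
```

Pass -ComputerName to evaluate the same filter against a small pilot group of remote machines.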
Conclusion
The point you need to pay attention to is this: a WMI filter is attached to the Group Policy Object itself, under the Group Policy Objects container. Whether the GPO is applied on an OU or domain basis, and even if it has not yet been applied anywhere, the filter takes effect in all of the places where that GPO is applied. And, as I said at the beginning, only a single filter can be selected.