
June 5, 2024

Using WMI Filters to Target Group Policies in Active Directory

Group Policy (GPO) WMI Filters allow you to create additional conditions that define the computers to which you want to apply GPO settings. For example, you can use a WMI filter to target a policy to computers running a specific Windows version, with certain settings or options enabled, depending on their hardware configuration (RAM, HDD size), with a particular program installed, depending on an IP subnet, etc.

Contents:
  • Create and Link a WMI Filter to a GPO
  • WMI Filters for Group Policy: Examples
  • How to Test a GPO WMI Query with PowerShell

The Windows Management Instrumentation (WMI) filter in the GPO is a query in WQL (WMI Query Language). Before applying a specific GPO, each domain computer checks its state with a WMI query. If the state of the computer matches the conditions in the WMI query, this Group Policy will be applied to the computer. Otherwise, the policy will be ignored.

Create and Link a WMI Filter to a GPO

Use the Group Policy Management Console to manage WMI filters in an Active Directory domain:

  1. Open the gpmc.msc snap-in
  2. Go to the WMI Filters section and create a new filter
  3. Set the filter name and description (optional)
  4. Click Add. Select the WMI namespace (in most cases, root\CIMv2 is used). Specify the WMI query code in the following format:
    Select * from <WMI Class> WHERE <Property> = <Value>
    For example, to apply a GPO only to computers running Windows 10 and 11, use the following WMI query:
    Select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
  5. Now link the WMI filter to a GPO. For example, you may want your printer installation domain policy to apply only to computers running Windows 10 and 11. Select the WMI filter you created in the WMI Filtering section of the GPO.
  6. Update clients’ GPO settings. The policy will now only apply to computers that meet the conditions set by the WMI filter. Use the gpresult /r command to analyze the policies applied to the client. If the GPO affects the client but doesn’t apply due to WMI filter restrictions, the policy will have the status Filtering: Denied (WMI Filter) in the gpresult report, and the report will include the name of the WMI filter.


WMI Filters for Group Policy: Examples

Let’s look at some common examples of WMI queries for GPO filters.

The WMI filter allows you to select the operating system type:

  • ProductType=1 – any desktop Windows edition;
  • ProductType=2 – Active Directory domain controller;
  • ProductType=3 – Windows Server OS.

WMI query to select Windows version:

select * from Win32_OperatingSystem WHERE Version LIKE "X.X%"

  • Windows Server 2022,2019,2016 and Windows 11,10 — 10.%
  • Windows Server 2012 R2 and Windows 8.1 — 6.3%
  • Windows Server 2012 and Windows 8 — 6.2%
  • Windows Server 2008 R2 and Windows 7 — 6.1%
  • Windows Server 2008 and Windows Vista — 6.0%
  • Windows Server 2003 — 5.2%
  • Windows XP — 5.1%
  • Windows 2000 — 5.0%

Combine multiple conditions in a WMI query using the AND and OR logical operators. For example, to apply a GPO only to machines running Windows Server 2019:

select * from Win32_OperatingSystem WHERE Caption LIKE "%2019%" AND Version LIKE "10.%" AND ( ProductType = "2" or ProductType = "3")

Computers running Windows 10 x64:

select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1" AND OSArchitecture = "64-bit"

Computers that are running a specific build of Windows 11 (for example, 23H2 build 22631):

select * from Win32_OperatingSystem WHERE Caption like "%Windows 11%" AND ProductType="1" AND BuildNumber = "22631"

Apply a policy to VMWare virtual machines only:

SELECT Model FROM Win32_ComputerSystem WHERE Model LIKE "%VMware%"

Apply the policy to laptops only:

select * from Win32_ComputerSystem where PCSystemType="2"

For desktop computers (workstations) only:

select * from Win32_ComputerSystem where PCSystemType="1" or PCSystemType="3"

or (see the article WMI Query to Find Laptops in SCCM):

select * from Win32_SystemEnclosure where ChassisTypes = "8" or ChassisTypes = "9" or ChassisTypes = "10" or ChassisTypes = "11" or ChassisTypes = "12" or ChassisTypes = "14" or ChassisTypes = "18" or ChassisTypes = "21"

WMI query to select computers whose names begin with lon-pc*:

SELECT Name FROM Win32_ComputerSystem WHERE Name LIKE "lon-pc%"

You can use the WMI Filter to apply GPO to the IP subnet. For example, to apply a policy to clients on multiple IP subnets:

Select * FROM Win32_IP4RouteTable WHERE (Mask='255.255.255.255' AND (Destination Like '10.1.1.%' OR Destination Like '10.1.2.%'))

Select computers with more than 4GB of RAM:

Select * from WIN32_ComputerSystem where TotalPhysicalMemory >= 4200000000

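Computers with a specific program installed (for example, 7-Zip). Note that querying Win32_Product makes Windows Installer run a consistency check on every installed MSI package, so this filter is slow and adds load at each policy refresh: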

Select * From Win32_Product where Name like "%7-Zip %"

WMI query to select machines with Internet Explorer 11 (IE is disabled by default in modern builds of Windows 10 and 11):

SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version>"11.0"

How to Test a GPO WMI Query with PowerShell

Before applying the WMI filter to the GPO, you can test the query on target computers. This will allow you to understand whether a policy with such a WMI query will or will not be applied on a specific computer. To view all the WMI classes available on your computer, open the PowerShell console and run the command:

Get-WmiObject -List

List the available WMI attributes and values of the Win32_OperatingSystem class:

Get-WMIObject Win32_OperatingSystem | Select *


WMI Code Creator v1.0 lets you browse the WMI namespace and view classes and attribute values. (https://www.microsoft.com/en-us/download/details.aspx?id=8572).


To debug and test your WMI query on a computer to understand whether the computer matches the query, specify its code in the -Query parameter. For example, this WMI query checks whether Microsoft Office is installed on the computer:

Get-WmiObject -query 'Select * From Win32_Product where Name like "%Office 16 Click-to-Run%"'

If the command returns a list of attributes, it means that the computer matches your query and the GPO with such a WMI filter will be applied. If the Get-WMIObject command returns nothing, the computer doesn’t match the WMI filter query.


The Get-WmiObject cmdlet is deprecated in newer versions of PowerShell Core 7.x, and you must use Get-CimInstance instead.
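The same test can be run over several candidate filters at once with Get-CimInstance. The following is an added example, not code from the original article: Test-GpoWmiFilter is a hypothetical helper name, the first four queries are taken from this page, and the last one is constructed with a missing quote to show how a malformed filter is reported.

```powershell
# Added example: evaluate candidate GPO WMI filter queries on a computer.
# Test-GpoWmiFilter is a hypothetical helper, not a built-in cmdlet.
function Test-GpoWmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $Query,
        [string] $Namespace = 'root\CIMv2',
        [string] $ComputerName          # omit to test the local computer
    )
    process {
        $cimArgs = @{ Namespace = $Namespace; Query = $Query; ErrorAction = 'Stop' }
        if ($ComputerName) { $cimArgs['ComputerName'] = $ComputerName }
        $result = [ordered]@{ Matches = $false; Instances = 0; Error = $null; Query = $Query }
        try {
            # The computer matches the filter when the query returns at least one instance.
            $rows = @(Get-CimInstance @cimArgs)
            $result.Instances = $rows.Count
            $result.Matches   = $rows.Count -gt 0
        }
        catch {
            # Syntax error, unknown class or missing namespace: nothing is returned, so no match.
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

$queries = @(
    # Windows 10 and 11 desktops (from the article)
    'Select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"'
    # OSArchitecture text is localized (for example "64 位"), so compare the "=" and LIKE forms
    'Select * from Win32_OperatingSystem where Version like "10.%" and OSArchitecture = "64-bit"'
    'Select * from Win32_OperatingSystem where Version like "10.%" and OSArchitecture like "64%"'
    # Laptops only (from the article)
    'Select * from Win32_ComputerSystem where PCSystemType="2"'
    # Constructed broken query: the opening quote before 10.1.1.% is missing
    "Select * from Win32_IP4RouteTable where Mask='255.255.255.255' and Destination like 10.1.1.%'"
)
$queries | Test-GpoWmiFilter | Format-Table Matches, Instances, Error, Query -Wrap
```

Run it on a representative target computer, because each client evaluates the filter against its own state. A non-empty Error column points to a query that needs fixing before it is saved as a WMI filter.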

WMI filters in GPO allow you to create granular and dynamic rules that define which computers receive Group Policy settings. There is no need to create and manage security groups when using WMI filters, as there would be with GPO Security Filtering.


16 comments

Mariano May 14, 2015 - 2:09 pm

Can I make a WMI filter based on the OU or the DN where the computer is located? I need to run BGInfo for administrators, but only on servers…

Reply
Max May 15, 2015 - 6:33 am

1. To filter only server operating systems you can use the following WMI filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2" OR ProductType = "3"
2. Enable Loopback Processing mode in GPO (Administrative Templates -> System -> Group Policy -> Configure user Group Policy loopback processing mode) – merge

3. In GPO Security Filtering remove the ‘Authenticated Users’ permission and add your administrators groups

Reply
Roger Garmendia May 15, 2018 - 12:30 am

Is there anyone who can help me deal with my nightmare? I've been dealing with something like a virus. I've been searching and digging into the computer system and I think I have something like this; everything points to being connected remotely or something like that. What can I do?

Reply
TrixM August 8, 2019 - 8:39 am

Don’t forget the NOTEQUALS operator ‘ ‘. And GREATER THAN OR EQUALS ‘>= ‘. Ditto for LESS THAN OR EQUALS ‘= “10” AND ProductType “1”

Reply
TrixM August 8, 2019 - 8:41 am

for the Server 2016 query, this is more efficient:

`SELECT * FROM Win32_OperatingSystem WHERE Version >= “10.0” AND ProductType “1”`

Reply
TrixM August 8, 2019 - 8:43 am

that should be ‘ProductType ` “1”‘ without the backticks and proper quotes

Reply
TrixM August 8, 2019 - 8:44 am

I give up. NOTEQUALS is the left angle bracket and right angle bracket together.

Reply
Denny October 10, 2023 - 1:28 am

Can I make a WMI filter based on the name of an OU? I want some OUs to use USB.

Reply
admin October 19, 2023 - 6:42 am

You can get the computer OU using the root\RSOP\Computer Namespace:
Get-WmiObject -Query "Select * From RSOP_Session" -Namespace root\RSOP\Computer |select SOM
This means that you can use the following WMI filter to apply the policy only to devices in the specific OU:
Select * From RSOP_Session Where SOM ='OU=Workstations,OU=US,DC=woshub,DC=com'

Reply
BYAN May 7, 2024 - 8:42 am

To select 64-bit versions of Windows 10 LTSC:
select * from Win32_OperatingSystem WHERE Version like "10.0.17763" AND ProductType="1" AND osArchitecture="64-bit"
This doesn’t work, why?

Reply
admin May 7, 2024 - 1:26 pm

Have you tested this WMI query locally on the LTSC computer?
Like this:
Get-WMIObject -query 'select * from Win32_OperatingSystem WHERE Version like "10.0.17763" AND ProductType="1" AND osArchitecture="64-bit"'
The following query works fine on my Win10 23h2 computer:
Get-WMIObject -query 'select * from Win32_OperatingSystem WHERE Version like "10.0.19045" AND ProductType="1" AND osArchitecture="64-bit"'

Reply
BYAN May 8, 2024 - 1:18 am

Without this condition “AND osArchitecture="64-bit"”, the results can be queried.

Reply
BYAN May 8, 2024 - 2:45 am

It may be a system bug. The Simplified Chinese version of the system needs to change “64-bit” to “64 位”, then the results can be queried.

Reply
DarthVidar May 8, 2025 - 10:57 am

You’re correct about the osArchitecture property, it’s language sensitive in content.
Try this and filter for your needed OSbuild:
get-wmiObject -query 'select * from Win32_OperatingSystem WHERE Version like "10.0.26120" AND ProductType="1" AND osArchitecture like "64%"'

Reply
Byan August 21, 2024 - 3:49 am

When using WMI, the group policy takes effect very slowly; I need to reboot the computer and gpupdate the policy many times.

Reply
admin September 2, 2024 - 6:52 am

This may be due to delays in the replication of new GPOs between domain controllers.

Reply
