Group Policy (GPO) WMI Filters allow you to create additional conditions that define the computers to which you want to apply GPO settings. For example, you can use a WMI filter to target a policy to computers running a specific Windows version, with certain settings or options enabled, depending on their hardware configuration (RAM, HDD size), with a particular program installed, depending on an IP subnet, etc.
The Windows Management Instrumentation (WMI) filter in the GPO is a query in WQL (WMI Query Language). Before applying a specific GPO, each domain computer checks its state with a WMI query. If the state of the computer matches the conditions in the WMI query, this Group Policy will be applied to the computer. Otherwise, the policy will be ignored.
Create and Link a WMI Filter to a GPO
Use the Group Policy Management Console to manage WMI filters in Active Directory domain
- Open the
gpmc.mscsnap-in - Go to the WMI Filters section and create a new filter
- Set filter name and description (optional)
- Click Add. Select the WMI namespace (in most cases, root\CIMv2 is used.) Specify the WMI query code in the following format:
Select * from <WMI Class> WHERE <Property> = <Value>
For example, to apply a GPO only to computers running Windows 10 and 11, use the following WMI query:
Select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
- Now link the WMI filter to a GPO. For example, you may want your printer installation domain policy to apply only to computers running Windows 10 and 11. Select the WMI filter you created in the WMI Filtering section of the GPO
- Update clients’ GPO settings. The policy will now only apply to computers that meet the conditions set by the WMI filter. Use the gpresult /r command to analyze the policies applied to the client. If the GPO affects the client but doesn’t apply due to WMI filter restrictions, such a policy will have the status Filtering: Denied (WMI Filter) status in the gpresult report and will include the name of the WMI filter.
WMI Filters for Group Policy: Examples
Let’s look at some common examples of WMI queries for GPO filters.
The WMI filter allows you to select the operating system type:
- ProductType=1 – any desktop Windows edition;
- ProductType=2 – Active Directory domain controller;
- ProductType=3 – Windows Server OS.
WMI query to select Windows version:
select * from Win32_OperatingSystem WHERE Version LIKE "X.X%"
- Windows Server 2022,2019,2016 and Windows 11,10 — 10.%
- Windows Server 2012 R2 and Windows 8.1 — 6.3%
- Windows Server 2012 and Windows 8 — 6.2%
- Windows Server 2008 R2 and Windows 7 — 6.1%
- Windows Server 2008 and Windows Vista — 6.0%
- Windows Server 2003 — 5.2%
- Windows XP — 5.1%
- Windows 2000 — 5.0%
Combine multiple conditions in a WMI query using the AND and OR logical operators. For example, to apply a GPO only to machines running Windows Server 2019:
select * from Win32_OperatingSystem WHERE Caption LIKE "%2019%" AND Version LIKE "10.%" AND ( ProductType = "2" or ProductType = "3")
Computers running Windows 10 x64:
select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1" AND OSArchitecture = "64-bit"
Computers that are running a specific build of Windows 11 (for example, 23H2 build 22631):
select * from Win32_OperatingSystem WHERE Caption like "%Windows 11%" AND ProductType="1" AND BuildNumber = "22631"
Apply a policy to VMWare virtual machines only:
SELECT Model FROM Win32_ComputerSystem WHERE Model LIKE "%VMware%"
Apply the policy to laptops only:
select * from Win32_ComputerSystem where PCSystemType="2"
For desktop computers (workstations) only:
select * from Win32_ComputerSystem where PCSystemType="1" or PCSystemType="3"
or (see the article WMI Query to Find Laptops in SCCM):
select * from Win32_SystemEnclosure where ChassisTypes = "8" or ChassisTypes = "9" or ChassisTypes = "10" or ChassisTypes = "11" or ChassisTypes = "12" or ChassisTypes = "14" or ChassisTypes = "18" or ChassisTypes = "21"
WMI query to select computers whose names begin with lon-pc*:
SELECT Name FROM Win32_ComputerSystem WHERE Name LIKE "lon-pc%"
You can use the WMI Filter to apply GPO to the IP subnet. For example, to apply a policy to clients on multiple IP subnets:
Select * FROM Win32_IP4RouteTable WHERE (Mask='255.255.255.255' AND (Destination Like 10.1.1.%' OR Destination Like '10.1.2.%'))
Select computers with more than 4GB of RAM:
Select * from WIN32_ComputerSystem where TotalPhysicalMemory >= 4200000000
Computers with a specific program installed (for example, 7ZIP):
Select * From Win32_Product where Name like "%7-Zip %"
WMI query to select machines with Internet Explorer 11 (IE is disabled by default in modern builds of Windows 10 and 11):
SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version>"11.0"
How to Test a GPO WMI Query with PowerShell
Before applying the WMI filter to the GPO, you can test the query on target computers. This will allow you to understand whether a policy with such a WMI query will or will not be applied on a specific computer. To view all the WMI classes available on your computer, open the PowerShell console and run the command:
Get-WmiObject -List
List the available WMI attributes and values of the Win32_OperatingSystem class:
Get-WMIObject Win32_OperatingSystem| Select *
To debug and test your WMI query on a computer to understand whether the computer matches the query, specify its code in the -Query parameter. For example, this WMI query checks whether Microsoft Office is installed on the computer:
Get-WmiObject -query 'Select * From Win32_Product where Name like "%Office 16 Click-to-Run%"'
If the command returns a list of attributes, it means that the computer matches your query and the GPO with such a WMI filter will be applied. If the Get-WMIObject command returns nothing, the computer doesn’t match the WMI filter query.
Get-CimInstance instead.WMI filters in GPO allow you to create granular and dynamic rules that define the options of computers to which you want to apply Group Policy settings. There is no need to create and manage security groups when using WMI filters, as there would be with GPO Security Filtering
16 comments
can i make a wmi filter based on the OU or the DN where the computer is located? I need to run bginfo for administrators, but only on servers….
1. To filter only server operating systems you can use following Wmi Filter: SELECT * FROM Win32_OperatingSystem WHERE ProductType = “2” OR ProductType = “3”
2. Enable Loopback Processing mode in GPO ( Administrative Templates-> System-> Group Policy-> Configure user Group Policy loopback processing mode) – merge
3. In GPO Security Filtering remove ‘Authenticated Users’ permission and add your administrators groups
Theres any one how cant help me to deal with my nightmare i been dealing with something like a virus. I been searching and digging into to the computer system and i thing i have some like this everything point to be connected remotely ore aome like that. What cant i do.
Don’t forget the NOTEQUALS operator ‘ ‘. And GREATER THAN OR EQUALS ‘>= ‘. Ditto for LESS THAN OR EQUALS ‘= “10” AND ProductType “1”
for the Server 2016 query, this is more efficient:
`SELECT * FROM Win32_OperatingSystem WHERE Version >= “10.0” AND ProductType “1”`
that should be ‘ProductType ` “1”‘ without the backticks and proper quotes
I give up. NOTEQUALS is the left angle bracket and right angle bracket together.
Can i make a wmi filter based on the name of OU? I wanna some OU uses USB.
You can get the computer OU using the root\RSOP\Computer Namespace:
Get-WmiObject -Query "Select * From RSOP_Session" -Namespace root\RSOP\Computer |select SOMThis means that you can use the following WMI filter to apply the policy only to devices in the specific OU:
Select * From RSOP_Session Where SOM ='OU=Workstations,OU=US,DC=woshub,DC=com'To select 64-bit versions of Windows 10 LTSC:
select * from Win32_OperatingSystem WHERE Version like “10.0.17763” AND ProductType=”1″ AND osArchitecture=”64-bit”
This does’t work,why?
Have you tested this WMI query locally on the LTCS computer?
Like this:
Get-WMIObject -query 'select * from Win32_OperatingSystem WHERE Version like "10.0.17763" AND ProductType="1" AND osArchitecture="64-bit"'The following query works fine on my Win10 23h2 computer:
Get-WMIObject -query 'select * from Win32_OperatingSystem WHERE Version like "10.0.19045" AND ProductType="1" AND osArchitecture="64-bit"'Without this condition “AND osArchitecture=”64-bit””, the results can be queried.
It may be a system bug,The Simplified Chinese version of the system needs to change “64-bit” to “64 位”,the results can be queried.
You’re correct about the osArchitecture property, it’s language sensitive in content.
Try this and filter for your needed OSbuild:
“get-wmiObject -query ‘select * from Win32_OperatingSystem WHERE Version like “10.0.26120” AND ProductType=”1″ AND osArchitecture like “64%”‘
Use the WMI,the group policy takes effect very slowly, need to reboot computer and gpupdate the policy many times.
This may be due to delays in the replication of new GPOs between domain controllers.