ZEDA.nl

Tips & Tweaks for Windows

Implementing WMI filters

You can link GPOs to a domain, a site or an OU, and apply a security filter to restrict the GPO to a particular group of users or computers.

In many cases this is all there is to it, but sometimes it doesn't do the job. For example, you may want to install a software package on 64-bit versions of Windows only, or add a firewall rule only to computers that are running the DHCP Server service. These are the moments when you need WMI filters.

This article describes the following:

  • What is WMI?
  • Creating WMI filters
  • Generate WMI code
  • More than 30 GPO WMI filtering examples
  • Testing WMI filters

What is WMI?

WMI is a uniform way to access system and administrative information in a database-like fashion. The most common form of a WMI query (WQL) is:

SELECT [property] from [wmi class]

Creating WMI filters

You create a WMI filter following the next steps:

1. Start Group Policy Management Console and connect to the domain.

2. Right-click WMI Filters and choose New.

3. Enter a title and description for the filter and click Add.

4. Enter the query and click OK.

5. Repeat steps 3 and 4 if you want to enter multiple queries in one filter.

6. Click Save.

It looks simple, and in fact it is. The harder part is building the query.

Generate WMI code

If you have any scripting experience (or just the inclination), I recommend downloading Microsoft's WMI Code Creator.

This tool makes it easy to create and test a WMI query just by selecting the class, property and value. The screen dump shows how to create a filter that checks for the existence of drive D:.

Download: WMI Code Creator
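The same exploration can be done from PowerShell. The following is an added example, not part of the original article and not code from WMI Code Creator: it lists the classes in a namespace and dumps the properties of one class with their current values on this computer, so you can see exactly which property name and value a filter query should compare against. It assumes PowerShell 2.0 or later (Get-WmiObject); the function names Show-WmiClass and Find-WmiClass are this example's own.

```powershell
# Added example, not from the original article: explore WMI classes and their
# property values from PowerShell before writing a filter query.
# Assumes PowerShell 2.0 or later (Get-WmiObject). Function names are this example's own.

function Show-WmiClass {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Class,                      # e.g. Win32_OperatingSystem
        [string]$Namespace = 'root\CIMv2'    # default namespace used by the article's filters
    )

    # Only the first instance is shown; classes such as Win32_Processor can have several.
    $instance = Get-WmiObject -Namespace $Namespace -Class $Class -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($null -eq $instance) {
        Write-Warning "No instance of $Class found in $Namespace on this computer"
        return
    }

    # One row per property: the name you put after WHERE, its WMI type, and the value
    # this computer reports (what the filter is compared against when it is evaluated).
    $instance.Properties |
        Where-Object { $null -ne $_.Value } |
        Sort-Object Name |
        Select-Object Name, Type, Value
}

function Find-WmiClass {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Pattern,                    # wildcard pattern, e.g. Win32_Tpm* or *Battery*
        [string]$Namespace = 'root\CIMv2'
    )
    # -List returns the class definitions in the namespace instead of instances.
    Get-WmiObject -List -Namespace $Namespace -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like $Pattern } |
        Select-Object -ExpandProperty Name |
        Sort-Object
}

# Usage: which Version / ProductType / OSArchitecture values does this machine report?
Show-WmiClass -Class Win32_OperatingSystem |
    Where-Object { 'Version', 'ProductType', 'OSArchitecture', 'ServicePackMajorVersion' -contains $_.Name } |
    Format-Table -AutoSize

# The TPM class lives in its own namespace, as the article's TPM filter notes.
Find-WmiClass -Pattern 'Win32_Tpm*' -Namespace 'root\CIMV2\Security\MicrosoftTpm'

# Classes in root\WMI that report battery state (used by the "running on batteries" filter).
Find-WmiClass -Pattern '*Battery*' -Namespace 'root\WMI'
```

Run Show-WmiClass against the class you intend to filter on, copy the property name and the literal value from the output, and only then build the WHERE clause; a filter that compares against a value the class never reports is simply never true.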

WMI filtering is slow, isn't it?

There is a widespread rumor that WMI filtering shouldn't be used because it is slow. Keep in mind that WMI is a powerful tool: it is possible to write a query that searches the entire C: drive for a file named coffee.txt. Yes, that would be a slow query.

The examples in this article, though, are much simpler, and most should take less than a second to execute. When in doubt, measure the execution time.

Example WMI filters

Far easier than creating your own filter is to use someone else's. These examples are tested on Windows 2008 R2 and Windows 7 and should work on earlier Windows versions.

Unless mentioned otherwise, the namespace used in the examples is root\CIMv2.

Computer properties

Computer is a laptop (because it has a battery)

SELECT * FROM Win32_Battery

Screen resolution is at least 1280x720

SELECT * FROM Win32_DisplayControllerConfiguration WHERE HorizontalResolution>1279 AND VerticalResolution>719

System is running on batteries

SELECT * FROM BatteryStatus Where Discharging = True

NOTE: Namespace for this filter: root\WMI

Computer has at least 2 GB of RAM

SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory > 2000000000

Drive D: has at least 100 GB of free space

SELECT * FROM Win32_LogicalDisk WHERE FreeSpace > 100000000000 AND Caption = "D:"

Computer contains an Intel Processor

SELECT * FROM Win32_Processor WHERE Manufacturer = "GenuineIntel"

Computer has more than 2 logical processors

SELECT * FROM Win32_ComputerSystem where NumberOfLogicalProcessors > 2

Computer has more than 1 physical processor

SELECT * FROM Win32_ComputerSystem where NumberOfProcessors > 1

Computer contains an IRDA device

SELECT * FROM CIM_InfraredController

Computer contains a floppy drive

SELECT * FROM Win32_FloppyDrive

Computer contains an active Trusted Platform Module (TPM)

SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = True

NOTE: Namespace for this filter: root\CIMV2\Security\MicrosoftTpm

Computer is a Compaq Presario SR5115NL

SELECT * FROM Win32_ComputerSystem WHERE Manufacturer = "Compaq-Presario" AND Model = "GN729AA-ABH SR5115NL"

Windows Operating System

64-bit OS installed

SELECT OSArchitecture FROM Win32_OperatingSystem WHERE OSArchitecture = "64-bit"

OS Windows 7 (the % wildcard in the Version value only works with LIKE, not with =)

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"

OS Windows 7 with Service Pack 1

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1" AND ServicePackMajorVersion = "1"

OS Windows Vista

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = "1"

OS Windows XP

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = "1"

OS Windows 2000 workstation

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.0%" AND ProductType = "1"

OS Windows 2008 R2 server

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType <> "1"

OS Windows 2008 R2 server with Service Pack 1

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType <> "1" AND ServicePackMajorVersion = "1"

OS Windows 2008 server

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType <> "1"

OS Windows 2003 server

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" AND ProductType <> "1"

OS Windows 2000 server

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.0%" AND ProductType <> "1"

Software and settings

Time zone is GMT+1 (Bias is the offset from GMT in minutes)

SELECT * FROM Win32_TimeZone WHERE Bias = 60

Windows feature Web Server (IIS) is installed

SELECT * FROM Win32_ServerFeature WHERE Name="Web Server (IIS)"

Service DHCP Server starts automatically

SELECT * FROM Win32_Service WHERE Caption="DHCP Server" AND StartMode="Auto"

Share Backup$ is defined on this computer

SELECT * FROM Win32_Share WHERE Caption="Backup$"

File C:\windows\system32\notepad.exe exists

SELECT * FROM CIM_Datafile WHERE Name="C:\\windows\\system32\\notepad.exe"

Local user JDoe exists

SELECT * FROM Win32_UserAccount WHERE Name="JDoe" AND LocalAccount=True

Local group WSUS-administrators exists

SELECT * FROM Win32_Group WHERE LocalAccount=True AND Name="WSUS-administrators"

Microsoft Office is installed (slow query!! Win32_Product enumerates and validates every installed MSI package)

SELECT * FROM Win32_Product WHERE Caption LIKE "Microsoft Office%"

Active Directory

Computer is an AD client computer

SELECT ProductType FROM Win32_OperatingSystem WHERE ProductType = "1"

Computer is an AD domain controller

SELECT ProductType FROM Win32_OperatingSystem WHERE ProductType = "2"

Computer is an AD member server

SELECT ProductType FROM Win32_OperatingSystem WHERE ProductType = "3"

AD site name is Amsterdam

SELECT * FROM Win32_NTDomain WHERE ClientSiteName = "Amsterdam"

Date and time

It is Monday (1=Monday, 2=Tuesday, etc.)

SELECT DayOfWeek FROM Win32_LocalTime WHERE DayOfWeek = 1

It is February (1=January, 2=February, etc.)

SELECT Month FROM Win32_LocalTime WHERE Month = 2

Testing WMI filters

You have created the WMI filter and applied it to a GPO, but does it work correctly? To test this you can run Group Policy Results in the Group Policy Management Console.

The screen dump shows the WMI filter applied to GPO Dummy with the value True, which means that the GPO will be applied.

NOTE: You might need to refresh the policies first using gpupdate.

If you are familiar with PowerShell you can check the performance of a WMI filter query using the command:

Measure-Command { Get-WmiObject -Query '[query]' }
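Both the performance question raised earlier and the Group Policy Results test can be covered from PowerShell on a candidate computer before the filter is linked anywhere. The following is an added example, not part of the original article: it evaluates each query in a filter the way Group Policy does (a WMI filter is True only when every query in it returns at least one object, so the filter result is the logical AND of the individual query results) and times each query with a Stopwatch, which gives the same measurement as Measure-Command while keeping the query result available for the True/False decision. The function name Test-WmiFilter, its parameters and the sample filters assembled from the article's own queries are this example's assumptions; it requires PowerShell 2.0 or later.

```powershell
# Added example, not from the original article: evaluate a WMI filter locally the way
# Group Policy does and time each query. Test-WmiFilter is this example's own name.
# Assumes PowerShell 2.0 or later (Get-WmiObject).

function Test-WmiFilter {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Query,                    # one or more WQL queries, as entered in GPMC
        [string]$Namespace = 'root\CIMv2',   # applies to every query in this call
        [int]$SlowMilliseconds = 1000        # flag queries that take longer than this
    )

    $details = foreach ($q in $Query) {
        $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
        # @() forces an array so .Count is valid for zero, one or many returned objects
        $objects = @(Get-WmiObject -Namespace $Namespace -Query $q -ErrorAction SilentlyContinue)
        $stopwatch.Stop()

        New-Object PSObject -Property @{
            Namespace = $Namespace
            Query     = $q
            Matches   = $objects.Count
            Result    = ($objects.Count -gt 0)   # a query passes when it returns at least one object
            Millis    = [int]$stopwatch.ElapsedMilliseconds
            Slow      = ($stopwatch.ElapsedMilliseconds -gt $SlowMilliseconds)
        } | Select-Object Namespace, Query, Matches, Result, Millis, Slow
    }

    # Group Policy applies the GPO only when every query in the filter returned something:
    # the filter result is the logical AND of the individual query results.
    $failed = @($details | Where-Object { -not $_.Result })
    New-Object PSObject -Property @{
        FilterResult = ($failed.Count -eq 0)
        Details      = $details
    }
}

# Constructed sample filter built from two of the article's examples:
# "64-bit OS installed" AND "Service DHCP Server starts automatically".
$dhcpOn64Bit = @(
    'SELECT OSArchitecture FROM Win32_OperatingSystem WHERE OSArchitecture = "64-bit"',
    'SELECT * FROM Win32_Service WHERE Caption="DHCP Server" AND StartMode="Auto"'
)
$result = Test-WmiFilter -Query $dhcpOn64Bit
$result.Details | Format-Table -AutoSize
"Filter would apply to this computer: $($result.FilterResult)"

# Queries in another namespace are evaluated with -Namespace, as in the article's
# battery example (root\WMI). Its result is combined with the filter above by hand.
$onBattery = Test-WmiFilter -Namespace 'root\WMI' -Query 'SELECT * FROM BatteryStatus WHERE Discharging = True'
$onBattery.Details | Format-Table -AutoSize

# Timing a single query, equivalent to Measure-Command { Get-WmiObject -Query '...' }.
# Win32_Product is the article's "slow query" example, so expect Slow to be True here.
$slowCheck = Test-WmiFilter -Query 'SELECT * FROM Win32_Product WHERE Caption LIKE "Microsoft Office%"'
"Win32_Product query took $($slowCheck.Details.Millis) ms; slow: $($slowCheck.Details.Slow)"
```

A query that returns zero objects on the test computer is not necessarily wrong; check the Matches column against what the computer actually reports (for example with Get-WmiObject -Class on the same class) to tell a filter that correctly excludes the machine from one whose WHERE clause never matches anything. A Result of True on a computer that should be excluded is the case to worry about, because that GPO will then land where it was not intended.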

This post applies to: Windows 2003, Windows 2008, Windows 2012, Windows XP, Windows Vista, Windows 7, Windows 8.
