Typically, group policy filtering using WMI (Windows Management Instrumentation) can be used when multiple domain objects (users or computers) are located in a flat AD structure instead of separate OUs, or if you need to apply group policies according to the OS version, network settings, installed software or any other criteria that can be selected using WMI. When the client processes such a group policy, Windows will check its state for compliance with the specified WMI query, and if the filter conditions are met, the GPO will be applied to this computer.
To create a new WMI filter, open the Group Policy Management console (gpmc.msc) and go to Forest -> Domains -> woshub.com -> WMI Filters. This section contains all WMI filters in the AD domain. Create a new WMI filter (New).
Create a WMI filter for your GPO to select Server or Client system
After you have created a WMI filter, you can link it to a specific GPO. Find the desired policy in the GPMC console and on the Scope tab, in the WMI Filtering section drop-down list, select your WMI filter. In this example, I want to apply the printer assignment policy only to computers running Windows 10.
Another example of using a WMI filter for targeting GPO to IP subnets is described in the article Use WMI Filter to Apply GPO to IP Subnet. For example, to apply a policy to clients in multiple IP subnets, use the WMI query:
You can use PowerShell to test WMI filters on a computer. Suppose you have written a complex WMI query and want to check if the computer matches this query or not. For example, you created a WMI filter to check for IE 11 on a computer. You can test this WMI query on the target computer using the get-wmiobject cmdlet:
    get-wmiobject -query 'SELECT * FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version LIKE "11.%"'
For example, you may want to apply certain settings to all your servers on the domain level without having your workstations apply those settings. One very simple example is the Windows Updates settings. You may want to configure all your servers to check for new updates from your WSUS and download these updates locally, but not install them until an administrator connects to that computer and manually installs them. On the other hand, you may want to configure all your workstations to automatically download and install the updates from WSUS.
You should be familiar with WMI in order to understand and successfully create and apply your WMI filter. The Win32_ComputerSystem Class on MSDN -us/library/aa394102(VS.85).aspx contains all the information we need to create the WMI filter. We need the following table in particular:
Click OK, then Save. This filter will select any computer that has either 0 or 1 as a value of the DomainRole, thus our GPO will only apply to workstations. We need to apply this filter to a GPO. Navigate to and select any GPO of your choice (the WSUS one, for example); on the SCOPE tab, at the bottom of the page, under WMI filtering, select your WMI filter from the combo box. This will link the WMI filter to your policy. You can then link your policy to any OU of your choice!
To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device.
In the Name text box, type the name of the WMI filter. Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention.
To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 and Windows 11 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network.
The following complete query returns true for all devices running Windows 10 and Windows 11, and returns false for any server operating system or any other client operating system.
Specific versions of Windows 10 can be targeted by including the major build version in the query. The following query returns true for all devices running Windows 10 20H2 (which has a major build version of 19042), and returns false for any server operating system or any other client operating system. Additional information about Windows 10 build versions can be found at Windows 10 release information.
After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs.
If a specific policy parameter is not applied on a client, check your GPO scope. If you configure the setting in the Computer Configuration section, your Group Policy must be linked to an OU with computer objects. The same is true if you set your parameters in the User configuration section.
You can use special WMI filters in the GPO. This allows applying a policy to your computers based on some WMI query. For example, you can create a GPO WMI filter to apply a policy only to computers with the specific Windows version, to computers in the specific IP subnet, to laptops only, etc.
When using Group Policy WMI filtering, make sure that your WMI query is correct. It should select only the devices you need and must not exclude your target computers. You can test your WMI filter on any computer using PowerShell:
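One way to run such a test, as an added example that is not code from the original page: it evaluates several filter queries locally and reports each as true or false, where a query that returns at least one instance counts as true. The function name Test-WmiFilter, the filter labels and the exact query strings are assumptions made for this example, built from the ProductType values, the 19042 build number and the DomainRole values 0 and 1 mentioned on this page.

```powershell
# Added example: evaluate WMI filter queries on the local computer.
# Test-WmiFilter is a hypothetical helper name, not a built-in cmdlet.
function Test-WmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMv2'
    )
    try {
        # Get-CimInstance is used instead of Get-WmiObject so the helper
        # also works in PowerShell 7, where Get-WmiObject is not available.
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)   # one or more instances = filter is true
    }
    catch {
        # This helper reports a failing query as false, so a typo in the
        # WQL is surfaced as a warning and never mistaken for a match.
        Write-Warning "Query failed: $($_.Exception.Message)"
        return $false
    }
}

# Constructed sample filters (labels and query text are this example's own).
$filters = [ordered]@{
    'Client OS (ProductType 1)'         = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"'
    'Domain controller (ProductType 2)' = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2"'
    'Server, not a DC (ProductType 3)'  = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "3"'
    'Windows 10/11 client'              = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%" AND ProductType = "1"'
    'Windows 10 20H2 (build 19042)'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.19042" AND ProductType = "1"'
    'Workstation (DomainRole 0 or 1)'   = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 0 OR DomainRole = 1'
}

# Evaluate every filter and show which ones this computer would match.
$filters.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Filter  = $_.Key
        Applies = Test-WmiFilter -Query $_.Value
        Query   = $_.Value
    }
} | Format-Table -AutoSize -Wrap
```

On any single machine exactly one of the three ProductType rows should report true; if the domain controller row is true, a filter meant to keep a GPO off domain controllers needs ProductType in its WHERE clause.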
Say you have a group policy that maps printers and drive shares tied to a user. You created that GPO to assist the user when they log onto workstations. That user, however, also logs onto servers. You do not want that GPO to apply when the user logs onto the server. To fix that issue, you would use WMI filtering.
In the Active Directory domain environment, you apply a Windows Management Instrumentation (WMI) filter to a Group Policy object (GPO). If a client computer is running Windows 7 or Windows Server 2008 R2, then the GPO does not take effect on this computer.
In this scenario, you notice that the drive is not mapped. The WMI Query filter in Item-level Targeting always runs in the system context, the same as the WMI filter linked to the GPO. Its result may be different from the result received after you manually execute the same WMI Query by using test applications such as the Windows Management Instrumentation Tester (WBEMTest.exe) utility. For more information about how to create the WMI filters, visit the following Web site:
WMI Filters allow you to select only computers that meet your chosen criteria. Naturally, your Group Policy will only apply to the objects that match your filter. For example, you want to assign an .MSI package, however you are worried that disks on the XP workstations are full. The answer is to design and build a WMI filter.
A WMI filter consists of a query that is checked against the WMI data on the target machine; the answer is always true or false. Technically, you have created a separate object from the GPO in the directory. To apply it to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one WMI filter; however, the same WMI filter can be linked to multiple GPOs.
Note that these WMI filters only work on Windows XP and later operating systems. Incidentally, Windows 2000 and earlier clients just ignore any WMI filter and the GPO is always applied to all objects. In effect it means that for these old clients the criteria are always true so there is no filtering.
During our Windows 7 rollout it was necessary to apply some specific registry settings to the new Windows 7 machines without affecting the legacy Windows XP clients. This can easily be done by creating a WMI filter in the Group Policy Management Console and applying it to the relevant GPO.
Have you ever wanted to separate your Active Directory Group Policies from each other based on criteria such as target operating system? Well you are in luck! With some very simple WMI filters you can do exactly that.
The first policy we will create is one for Windows Server 2008. I do not need to differentiate between editions (Standard, Enterprise, Web) or chip architecture (x86 or x64) so my filter query will be for any version of Windows Server 2008.
Windows Management Instrumentation (WMI) filters are another method that we can use to filter the group policy target. This method can only be used to filter computer objects, and it is based on computer attribute values. As an example, WMI filters can be used to filter out different operating system versions, processor architecture (32-bit/64-bit), Windows Server roles, registry settings, event IDs, etc. WMI filters run against the WMI data of the computers and decide whether the policy should apply or not. If the computer matches the WMI query, it will process the group policy; if the query is false, it will not process the group policy. This method was first introduced with Windows Server 2003.
By clicking on the Add button we can define the Namespace and WMI query. As an example, I have created a WMI query to filter out the Windows 10 operating system running the 32-bit version.
Once the WMI filter is created, it needs to be attached to the GPO. To do that, go to GPMC and select the required GPO. Then, under the WMI Filtering section, select the required WMI filter from the drop-down box.