When you want to apply GPO group policies, these apply to all objects in your OU (Organizational Units).
WMI filters allow these policies to be applied only to a type of OS, a type of server or architecture … according to the criteria we will have defined.
Prerequisite
Always test your Group Policies and WMI filters before deploying
To create a filter adapted to your needs, it is necessary to know the system version number to which you want to apply it. This version number is obtained by opening a “cmd” prompt console from the server or computer.
In our case, we use a 6.3.XXXX version.
Then you need to know the “ProductType” of your machine. Nothing complicated, here is some information to determine it :
Information for Desktop versions
- Windows XP : 5.1
- Windows XP 64 bits : 5.2
- Windows Vista : 6.0
- Windows 7 : 6.1
- Windows 8 : 6.2
- Windows 8.1 : 6.3
- Windows 10 : 10.0
Information for Server versions
The value is “1” for client systems (Windows 7, Windows 8, Windows 10 …) The value is “2” or “3” for servers :
- Value “2”: Domain Controller Servers
- Value “3”: The other servers
Procedure
Create the WMI filter
From the Server Manager window, select Tools and then Group Policy Management.
Go to WMI Filters. Right click on the window on the right, then New … to create a new filter.
Fill in the requested information :
- Name : Name of your filter
- Description : Filter description
- Queries :
- In Namespace, leave root\CIMv2
- In query, fill in your query, depending on the system versions
In our example, we will apply a filter to versions of Windows Server 2012 R2, which are not domain controllers.
The query is : SELECT * from Win32_OperatingSystem WHERE LIKE Version “6.3%” and ProductType = “3”
Complete the configuration by selecting the Save button.
Apply the WMI filter
Now that the filter is created, we will be able to create our GPO, and apply the filter to it.
Position yourself on the desired OU. Right click on it, then Create a GPO in this domain, and link it here …
In this tutorial, we’ll call this one ControlPanelDisable
Once created, I advise you to add the previously created WMI filter, before adding your strategies
On your GPO, press the Open button to select your WMI filter
Now, add the group policies to apply. For this example, we decide to deny access to the control panel
Log in to your Windows Server 2012 R2 Server. Force group Policy update with the command :
gpupdate /force
When launching the control panel, an error message appears. Access is blocked for this server.
To verify the proper functioning of the actions taken, log on to another version of Windows. Perform the gpupdate /force command again.
We find that the control panel opens correctly.
To view applied group policies, use gpresult /r command.
You may notice that Policy is not enforced because it is filtered by your WMI filter
