Active Directory – Create a WMI filter on GPO for your OS

When you want to apply GPO group policies, these apply to all objects in your OU (Organizational Units).

WMI filters allow these policies to be applied only to a type of OS, a type of server or architecture … according to the criteria we will have defined.



Always test your Group Policies and WMI filters before deploying

To create a filter adapted to your needs, it is necessary to know the system version number to which you want to apply it. This version number is obtained by opening a “cmd” prompt console from the server or computer.

 In our case, we use a 6.3.XXXX version.


Then you need to know the “ProductType” of your machine. Nothing complicated, here is some information to determine it :

Information for Desktop versions

  • Windows XP : 5.1
  • Windows XP 64 bits : 5.2
  • Windows Vista : 6.0
  • Windows 7 : 6.1
  • Windows 8 : 6.2
  • Windows 8.1 : 6.3
  • Windows 10 : 10.0

Information for Server versions

The value is “1” for client systems (Windows 7, Windows 8, Windows 10 …) The value is “2” or “3” for servers :

  • Value “2”: Domain Controller Servers
  • Value “3”: The other servers



Create the WMI filter

From the Server Manager window, select Tools and then Group Policy Management.


Go to WMI Filters. Right click on the window on the right, then New … to create a new filter.


Fill in the requested information :

  • Name : Name of your filter
  • Description : Filter description
  • Queries :
    • In Namespace, leave root\CIMv2
    • In query, fill in your query, depending on the system versions

In our example, we will apply a filter to versions of Windows Server 2012 R2, which are not domain controllers.

The query is : SELECT * from Win32_OperatingSystem WHERE LIKE Version “6.3%” and ProductType = “3”


Complete the configuration by selecting the Save button.


Apply the WMI filter

Now that the filter is created, we will be able to create our GPO, and apply the filter to it.

Position yourself on the desired OU. Right click on it, then Create a GPO in this domain, and link it here …


In this tutorial, we’ll call this one ControlPanelDisable


Once created, I advise you to add the previously created WMI filter, before adding your strategies

On your GPO, press the Open button to select your WMI filter


Now, add the group policies to apply. For this example, we decide to deny access to the control panel


Log in to your Windows Server 2012 R2 Server. Force group Policy update with the command :

gpupdate /force


When  launching the control panel, an error message appears. Access is blocked for this server.


To verify the proper functioning of the actions taken, log on to another version of Windows. Perform the gpupdate /force command again.

We find that the control panel opens correctly.

To view applied group policies, use gpresult /r command.

You may notice that Policy is not enforced because it is filtered by your WMI filter

Please follow and like us:
Microsoft engineer and Virtualization, I am at first computer-savvy. I share my time between this website, my engineering job and an intense sporting activity.