How to configure WMI filters for Group Policy to better manage your Windows clients

Admins tasked with managing Windows clients of all sizes have long known the virtues of implementing Group Policy to manage software and security settings to lock down devices on corporate networks. The flexibility of being able to centrally manage clients by applying policies to devices joined to an Active Directory (AD) domain allows IT pros to get as holistic or granular in their management of devices as necessary.

Due to their intertwined nature, much of the how, when, and why policies get applied will depend on the design structure of the AD schema and how devices are stored within the organizational units. However, despite our best efforts, admins at one time or another encounter scenarios that require a setup that the existing design structure does not allow for. Other times-such as in larger forests-policies may only need to be deployed to all devices that meet specific requirements with others that do not meet these requirements, effectively ignoring such a policy.

For instances such as these, or those that require a bit more granularity when deploying to targeted systems or groups of systems, a Windows Management Instrumentation (WMI) filter will be your best choice. By creating a customized filter and assigning it to one or more policies, this will ensure that the respective policies will only act upon devices meeting the criteria expressly stipulated in the filter-regardless of where that policy is linked within the hierarchy.

SEE: How to choose between Windows, macOS, and Linux (free PDF) (TechRepublic)

Below I've illustrated a few scenarios where WMI filters serve as an effective manner with which to deploy a policy to a targeted group of devices with minimal administrative effort. Additionally, once WMI filters have been created, they can be accessed and reused as needed.

Requirements for creating our custom filters

Server running Windows Server 2008 R2 or later and the following roles:

How to create a filter that targets 64-bit OSs only

6. Click the OK button to save the query, then click the Save button to save the filter.

How to create a filter that targets Server OSs only

1. Follow steps 1-4 for creating a filter that targets 64-bit OSs only (above). Enter the following query:

2. Click the OK button to save the query, then click the Save button to save the filter.

How to create a filter that targets a specific make/model computer only

1. Follow steps 1-4 in the previous section. Enter the following query:

2. Click the OK button to save the query, then click the Save button to save the filter.

How to apply WMI filters to Group Policy Objects (GPOs)

Once you get the hang of creating filters and applying them to perform specific tasks on targeted systems, you can begin to link and chain WMI queries together to form granular filters that drill down to specific devices for nearly endless management scoping capabilities.

Also see