WMI Filtering in Windows Group Policy

Apparently, there is a lot of confusion out in the land of the Interwebs among people in the IT community regarding Group Policy in Windows and using WMI Filtering to target Desktop machines.

The Global IT Team and I were setting up new WSUS servers for each of the regions across the world where we have computers that need updating, and we wanted to be able to specifically target Desktops, Laptops, DCs, and Member Servers separately, as doing so allows you to apply different policies for each (keep in mind that this is essentially a new, entirely Windows Server 2016/Windows 10 environment).  There are a couple of key values that you'll need to know for the queries in the WMI filters.  Namely:

"ProductType"
This property of Win32_OperatingSystem reports the type of operating system installed on a machine.

1 =  Desktop OS
2 =  Server OS - Domain Controller
3 =  Server OS - Non-Domain Controller

"PCSystemType"
This property of Win32_ComputerSystem reports the actual hardware type of a machine.

1 =  Desktop (Unfortunately, we had servers that were incorrectly being identified as this)
2 =  Laptop
3 =  Workstation (We have yet to come across any systems that return this value)

Here is a PowerShell script which can be run directly on a machine, if you want to know what system type it is reporting as being:

function Get-HardwareType {
<#
.SYNOPSIS
Get-HardwareType is used to determine if a computer is a laptop or desktop.
.DESCRIPTION
Get-HardwareType is used to determine a computer's hardware type of whether or not the
computer is a laptop or a desktop.
#>
    # Read the PCSystemType value itself; comparing the whole WMI object to 2 is always "not equal"
    $hardwaretype = (Get-WmiObject -Class Win32_ComputerSystem -Property PCSystemType).PCSystemType
    # 2 = Laptop; every other value is reported as a Desktop
    If ($hardwaretype -ne 2)
    {
        return $true
    }
    Else
    {
        return $false
    }
}

If (Get-HardwareType)
{
    "$Env:ComputerName is a Desktop"
}
Else
{
    "$Env:ComputerName is a Laptop"
}

After much research and experimentation, this is what wound up working for us:

Domain Controllers

These are the easiest as the computer accounts for your DCs should always actually be located in the built-in "Domain Controllers" OU.  Simply attach the policies that you want to apply to that OU.  Donezo.

Member Servers

Namespace: root\CIMv2

SELECT * FROM Win32_OperatingSystem WHERE ProductType ='3'

Laptops

Namespace: root\CIMv2

SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2

Desktops

This was the trickiest of the three.  Some people suggested that you identify a Desktop machine as something that doesn't have a battery, but we have machines in Engineering and Finance with UPSs attached to them which show up in Windows 10 as being a battery.  In the end, this was the way to do it:


There are two separate queries here:

SELECT * FROM Win32_ComputerSystem WHERE (PCSystemType = 1) or (PCSystemType = 3)

and

SELECT * FROM Win32_OperatingSystem WHERE (ProductType <> 2) AND (ProductType <> 3)

The first one identifies the hardware as being either a "Desktop" or "Workstation", while the second one identifies the OS as NOT being a Server OS.  Again, it had to be done this way since the servers that we tested (on both Hyper-V and VMware) were showing up as Desktops...
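
To see how a given machine evaluates against these filters before a GPO depends on them, the following added example (not part of the original setup; the names Test-WmiFilter and Get-WmiFilterMatch are hypothetical) runs the same WQL from this post locally or against a remote computer. It treats a filter as matching only when every query in it returns at least one instance, which is how Group Policy evaluates a filter containing more than one query.

```powershell
# Added example. The WQL strings are the filters from this post;
# the function and variable names are hypothetical.
$Filters = [ordered]@{
    'Member Servers' = @(
        "SELECT * FROM Win32_OperatingSystem WHERE ProductType = '3'"
    )
    'Laptops' = @(
        'SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2'
    )
    'Desktops' = @(
        'SELECT * FROM Win32_ComputerSystem WHERE (PCSystemType = 1) OR (PCSystemType = 3)',
        'SELECT * FROM Win32_OperatingSystem WHERE (ProductType <> 2) AND (ProductType <> 3)'
    )
}

function Test-WmiFilter {
    param(
        [Parameter(Mandatory)] [string[]] $Query,
        [string] $Namespace = 'root\CIMv2',
        [string] $ComputerName
    )
    $common = @{ Namespace = $Namespace; ErrorAction = 'Stop' }
    if ($ComputerName) { $common.ComputerName = $ComputerName }
    foreach ($q in $Query) {
        # The filter fails as soon as one query returns no instances.
        if (-not (Get-CimInstance @common -Query $q)) { return $false }
    }
    return $true
}

function Get-WmiFilterMatch {
    param([string] $ComputerName)
    foreach ($name in $Filters.Keys) {
        $arg = @{ Query = $Filters[$name] }
        if ($ComputerName) { $arg.ComputerName = $ComputerName }
        [pscustomobject]@{
            Computer = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
            Filter   = $name
            Matches  = Test-WmiFilter @arg
        }
    }
}

# One row per filter, showing whether this machine would fall in its scope.
Get-WmiFilterMatch | Format-Table -AutoSize
```

A server that shows up under "Laptops" or "Desktops" here, or a client that matches nothing, would receive the wrong WSUS policy or none at all, so it is worth running this on one machine of each kind (including a VM) first.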




That's about it.  Happy Group Policy-ing!!!

