Using WMI Filters in Group Policy

When setting up WMI filters in Group Policy it's important to be able to test them correctly before applying them to the policy. There are a few ways of doing this: from CMD, from a PowerShell console, or with wbemtest.

I will only cover PowerShell in this article. In PowerShell you can use the Get-WmiObject cmdlet (alias gwmi).

For example, you can use a syntax like the following to read the computer information of a remote server:

Get-WmiObject -ComputerName ExampleServer01 -Namespace "root/cimv2" -Query "select * from Win32_ComputerSystem"

The results will be something like this:

Domain              : testdomain.net
Manufacturer        : VMware, Inc.
Model               : VMware Virtual Platform
Name                : ExampleServer01
PrimaryOwnerName    : Windows User
TotalPhysicalMemory : 8589398016

These WMI classes store various bits of information about the machine. The hardest part can be identifying which class contains the properties you are looking for.

From PowerShell you can use this command to identify all the classes that start with Win32 on a given machine.

Get-CimClass -Namespace root/CIMV2 | Where-Object CimClassName -like Win32* | Select-Object CimClassName

#or 

Get-WmiObject -List | Where-Object Name -like Win32* | Select-Object Name

#Or remotely with 

Get-CimClass -Namespace root/CIMV2 -ComputerName ExampleServer01 | Where-Object CimClassName -like Win32*
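Listing class names only tells you half the story; the property you want to filter on still has to be located inside one of them. The following function, added here as an example and not part of the original article, walks the Win32_* classes with Get-CimClass and reports every class/property pair whose property name matches a wildcard. The function name Find-CimProperty and its parameters are my own; the ComputerName parameter is optional and is passed straight through to Get-CimClass for remote hosts.

```powershell
# Added example (not from the original article): search the Win32_* classes in a
# namespace for a property whose name matches a wildcard, so you can find the
# class to query for a WMI filter without opening each class by hand.
function Find-CimProperty {
    [CmdletBinding()]
    param(
        # Wildcard matched against property names, e.g. '*Memory*' or 'Caption'
        [Parameter(Mandatory)] [string] $PropertyName,
        [string] $Namespace = 'root/cimv2',
        # Optional remote host; omit to search the local machine
        [string] $ComputerName
    )

    $classParams = @{ Namespace = $Namespace }
    if ($ComputerName) { $classParams['ComputerName'] = $ComputerName }

    Get-CimClass @classParams |
        Where-Object { $_.CimClassName -like 'Win32_*' } |
        ForEach-Object {
            $class = $_
            # CimClassProperties holds the schema of each class, so no instances
            # need to be enumerated (cheaper than Get-CimInstance on busy hosts).
            $class.CimClassProperties |
                Where-Object { $_.Name -like $PropertyName } |
                ForEach-Object {
                    [pscustomobject]@{
                        Class    = $class.CimClassName
                        Property = $_.Name
                        Type     = $_.CimType
                    }
                }
        }
}

# Usage: which Win32 classes expose a property with "Version" in its name?
Find-CimProperty -PropertyName '*Version*' | Sort-Object Class | Format-Table -AutoSize
```

Because it reads class schemas rather than instances, the search is quick even against a remote machine, and the Type column tells you whether a LIKE comparison (strings) or a numeric comparison is appropriate in the eventual WQL filter.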

One last thing to point out is that Get-CimInstance is seen as the successor to Get-WmiObject. Although Get-CimInstance has some advantages when used with PowerShell Remoting, because of its default remote connectivity protocol, Get-WmiObject is sometimes easier to use.

Get-WmiObject uses DCOM to communicate with remote computers, and DCOM is usually already available. Otherwise, you'll need to enable PowerShell Remoting on the remote endpoints when you want to use Get-CimInstance via WSMAN.

When you start to use more complex queries, for example ones with brackets, you will find that the double quotation marks cause a problem and the query will not be parsed completely. In these cases you need to use backticks or back quotes to wrap these queries.

For example, selecting all servers with a Server 2019 OS:

Get-WmiObject -Namespace "root/cimv2" -Query 'SELECT * FROM Win32_OperatingSystem WHERE (Name LIKE "%Server 2019%")'

Alternatively, for some examples like this you can rewrite the query so that it does not need brackets:

Get-WmiObject -Namespace "root/cimv2" -Query "SELECT * FROM Win32_OperatingSystem WHERE Name like '%Server 2019%'"
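A Group Policy WMI filter passes when its query returns at least one instance on the target machine, so the useful pre-deployment test is "does this query return anything on each of the computers I expect it to match, and nothing on the ones I don't?" The function below is an added example, not code from the original article: it runs a WQL query through Get-WmiObject (DCOM, as described above) against one or more computers and reports per host whether the filter would match, how many instances came back, and any connection or query error instead of silently returning nothing. Test-WmiFilter is my own function name; ExampleServer02 is a constructed host name alongside the article's ExampleServer01.

```powershell
# Added example (not from the original article): evaluate a WQL query the way a
# Group Policy WMI filter does (the filter passes when the query returns at least
# one instance) against one or more computers, and report the outcome per host.
function Test-WmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root/cimv2',
        # Defaults to the local machine when no computers are given
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            ComputerName  = $computer
            Matches       = $false
            InstanceCount = 0
            Error         = $null
        }
        try {
            # -ErrorAction Stop turns RPC/access-denied failures into catchable
            # exceptions rather than an empty result that looks like "no match".
            $gwmiParams = @{ Namespace = $Namespace; Query = $Query; ErrorAction = 'Stop' }
            if ($computer -ne $env:COMPUTERNAME) { $gwmiParams['ComputerName'] = $computer }

            # @() forces an array so .Count is valid for zero, one or many instances
            $instances = @(Get-WmiObject @gwmiParams)
            $result.InstanceCount = $instances.Count
            $result.Matches       = $instances.Count -gt 0
        }
        catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Usage: the Server 2019 filter from the article, wrapped in single quotes so the
# double quotes and parentheses inside the WQL survive PowerShell's own parsing.
$filter = 'SELECT * FROM Win32_OperatingSystem WHERE (Name LIKE "%Server 2019%")'
Test-WmiFilter -Query $filter -ComputerName 'ExampleServer01', 'ExampleServer02' |
    Format-Table -AutoSize
```

Run it against a deliberately mixed set of hosts (some that should match, some that should not) before linking the filter to a GPO; a row with an Error value means the result is unknown, not that the filter failed, and is worth resolving before you trust the test.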

The queries use a standard SQL-like syntax (WQL). Once you've spent some time exploring the different classes you'll want to expand the properties to see what's available. Luckily, this is simply a matter of selecting the properties.

For example:

Get-WmiObject -Class Win32_OperatingSystem | Select-Object -Property *

This will provide you with all the available properties for this class and give you the information you need to write your select statement.

Once you've created your new Group Policy and added the query as a WMI filter, you can run gpresult on a machine the policy applies to, in order to confirm that it was successfully applied:

gpresult /r /scope:computer

For more information about Get-WmiObject see the Microsoft documentation for the cmdlet.

About the Author: Phil