Applying WMI Filters

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use WMI filters to control the application of GPOs. Each GPO can be linked to only one WMI filter; however, the same WMI filter can be linked to multiple GPOs. Before you can link a WMI filter to a GPO, you must create the filter. The WMI filter is evaluated on the destination computer (running either Windows XP or Windows Server 2003) during processing of Group Policy. The GPO will only apply if the WMI filter evaluates to TRUE. On Windows 2000–based computers, the WMI filter is ignored and the GPO is always applied.

Using GPMC, you can perform the following operations for WMI filters: create and delete, link and unlink, copy and paste, import and export, and view and edit attributes.

WMI filters can only be used if at least one domain controller in the domain is running Windows Server 2003, or if you have run ADPrep with the /Domainprep option in that domain. If not, the WMI Filtering section on the Scope tab for GPOs and the WMI Filters container under the domain will not be present. See Figure 2.6 to help you identify the items discussed in this section.

Figure 2.6   GPMC Scope Tab

Setting WMI Filtering Options

WMI exposes management data from a destination computer, such as hardware and software inventory, settings, and configuration information, including data from the registry, drivers, the file system, Active Directory, SNMP, Windows Installer, and networking. Administrators can create WMI filters, which consist of one or more queries based on this data, to control whether the GPO is applied. The filter is evaluated on the destination computer (which must be running either Windows XP Professional or Windows Server 2003). If the WMI filter evaluates to true, the GPO is applied to that destination computer; if the filter evaluates to false, the GPO is not applied. On Windows 2000–based client or server targets, WMI filters are ignored, and the GPO is always applied. In the absence of any WMI filter, the GPO is always applied.

Administrators can use WMI filters to target Group Policy based on a variety of objects and other parameters. Table 2.2 illustrates example query criteria that might be specified for WMI filters.

Table 2.2   Sample WMI Filters

| WMI Data Queried | Sample Query Criteria |
| --- | --- |
| | Computers with the DHCP service running |
| | Computers that have a specified registry key or entry populated |
| Windows Event Log | Computers that reported an audit event in the last five minutes |
| Operating system version | Computers running Windows Server 2003 and later |
| Hardware inventory | Computers with a Pentium III processor |
| Hardware configuration | Computers with network adapters on in level 3 |
| Service associations | Computers that have any service dependent on SNA service |
| | Computers that can ping Server1 in less than 100 milliseconds |

A WMI filter consists of one or more WMI Query Language (WQL) queries. The WMI filter applies to every setting in the GPO, so administrators must create separate GPOs if they have different filtering requirements for different settings. The WMI filters are evaluated on the destination computer after the list of potential GPOs is determined and filtered based on security group membership. For detailed information about WMI filters, see the Windows Security Collection in the Windows Server 2003 Technical Reference on the Web (

Although you can do limited inventory-based targeting for software deployment by combining Group Policy-based software deployment with WMI filters, this is not recommended as a general practice for the following reasons:

  • Each GPO can only have one WMI Filter. If applications have different inventory requirements, you need multiple WMI filters and therefore multiple GPOs. Increasing the number of GPOs impacts startup and logon times and also increases management overhead.

  • WMI filters can take significant time to evaluate, so they can slow down logon and startup time. The amount of time depends on the construction of the query.


  • It is recommended that you use WMI filters primarily for exception management. They can be powerful solutions for targeting GPOs to specific users and computers, but because WMI filters are evaluated every time Group Policy is processed, they increase startup and logon time. Also, there is no time-out for WMI filters. Use them only when necessary.

Example WMI Filters

WMI filters are most useful as tools for exception management. By filtering for particular criteria, you can target particular GPOs to only specific users and computers. The following are WMI filters that illustrate this technique.

Targeting Based on Operating System

In this example, an administrator wants to deploy an enterprise monitoring policy, but wants to target only Windows XP Professional–based computers. The administrator can create a WMI filter such as the following:

Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

Most WMI filters use the Root\CimV2 namespace, and this option is populated by default in the GPMC user interface.

Because WMI filters are ignored on Windows 2000-based computers, a filtered GPO will always be applied on them. However, you can work around this by using two GPOs and giving the one with Windows 2000 settings higher precedence (using link order). Then use a WMI filter for that Windows 2000 GPO, so that it is applied only if the operating system is Windows 2000, not Windows XP Professional. The Windows 2000-based computer will receive the Windows 2000 GPO, whose settings will override the settings in the Windows XP Professional GPO. The Windows XP Professional client will receive all the settings in the Windows XP Professional GPO.

Targeting Based on Hardware Inventory

In this example, an administrator wants to distribute a new network connection manager tool only to desktops that have modems. The administrator can deploy the package by using the following WMI filter to target those desktops:

Select * from Win32_POTSModem Where Name = "MyModem"

If you use Group Policy with a WMI filter, remember that the WMI filter applies to all settings in the GPO. If you have different requirements for different deployments, you need to use different GPOs, each with its own WMI filter.

Targeting Based on Configuration

In this example, an administrator does not want to apply a GPO on computers that have multicasting turned on. The administrator can use the following filter to identify those computers which have multicast support:

Select * from Win32_NetworkProtocol where SupportsMulticasting = true

Targeting Based on Amount of Disk Space and File System Type

In this example, an administrator wants to target computers that have more than 10 megabytes (MB) of available space on the C, D, or E partition. The partitions must be located on one or more local fixed disks and they must be running the NTFS file system. The administrator can use the following filter to identify computers that meet these criteria:

SELECT * FROM Win32_LogicalDisk WHERE (Name = "C:" OR Name = "D:" OR Name = "E:") AND DriveType = 3 AND FreeSpace > 10485760 AND FileSystem = "NTFS"

In the preceding example, DriveType value = 3 represents a local disk and FreeSpace units are in Bytes (10 MB = 10,485,760 Bytes).
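Because a WMI filter has no time-out and is evaluated every time Group Policy is processed, it is worth running its queries on a representative target and timing them before you create the filter in GPMC. The following PowerShell is an added example, not part of the original documentation: it assumes PowerShell 3.0 or later (for Get-CimInstance), the helper name Test-WmiFilterQuery is hypothetical, and it treats a filter as TRUE only when every query returns at least one instance.

```powershell
# Added example. Test-WmiFilterQuery is a hypothetical helper, not a GPMC cmdlet.
# Assumption: a filter is TRUE only if every query returns at least one instance.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string[]] $Query,
        [string] $Namespace = 'root\CIMv2'   # default namespace shown in GPMC
    )
    $perQuery = foreach ($q in $Query) {
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        $count = 0
        $failure = $null
        try {
            # Runs the WQL against the local WMI repository.
            $count = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop).Count
        } catch {
            # Invalid WQL or a missing class: record it; this helper counts it as no match.
            $failure = $_.Exception.Message
        }
        $timer.Stop()
        [pscustomobject]@{
            Query     = $q
            Instances = $count
            Matched   = ($count -gt 0)
            ElapsedMs = $timer.ElapsedMilliseconds
            Error     = $failure
        }
    }
    [pscustomobject]@{
        FilterIsTrue = (@($perQuery | Where-Object { -not $_.Matched }).Count -eq 0)
        TotalMs      = ($perQuery | Measure-Object -Property ElapsedMs -Sum).Sum
        Queries      = $perQuery
    }
}

# Two queries taken from the examples on this page, evaluated as one filter.
$filter = @(
    'SELECT * FROM Win32_LogicalDisk WHERE (Name = "C:" OR Name = "D:" OR Name = "E:") AND DriveType = 3 AND FreeSpace > 10485760 AND FileSystem = "NTFS"',
    'Select * from Win32_NetworkProtocol where SupportsMulticasting = true'
)
$result = Test-WmiFilterQuery -Query $filter
$result.Queries | Format-Table Matched, Instances, ElapsedMs, Error, Query -AutoSize
"Filter evaluates to {0} ({1} ms total)" -f $result.FilterIsTrue, $result.TotalMs
```

A query that reports an error or a high ElapsedMs here will cost the same on every startup and logon of every computer in the GPO's scope.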

To Create a WMI Filter

  1. In the GPMC console tree, right-click WMI Filters in the forest and domain in which you want to add a WMI filter.

  2. Click New.

  3. In the New WMI Filter dialog box, type a name for the new WMI Filter in the Name box, and then type a description of the filter in the Description box.

  4. Click Add.

  5. In the WMI Query dialog box, either leave the default namespace (root\CIMv2) or enter another namespace by doing one of the following:

    • In the Namespace box, type the name of the namespace that you want to use for the WMI query. The default is Root\CimV2. In most cases, you do not need to change this.

    • Click Browse, select a namespace from the list, and then click OK.

  6. Type a WMI query in the Query box, and then click OK.

  7. To add more queries, repeat steps 4 through 6 to add each query.

  8. After you add all the queries, click Save.

The WMI filter is now available to be linked.