{
	"id": "24880d99-bcbb-4686-b679-bb9035529183",
	"created_at": "2026-04-06T03:36:15.028499Z",
	"updated_at": "2026-04-10T03:35:21.48573Z",
	"deleted_at": null,
	"sha1_hash": "cbc6f823be4b2e67a5780e8df15be5585a68e97e",
	"title": "Fun with WMI Filters in Group Policy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 430515,
	"plain_text": "Fun with WMI Filters in Group Policy\r\nBy kexugit\r\nArchived: 2026-04-06 03:17:15 UTC\r\nHi, Ned here again. You may remember Mike Stephens writing about importing and exporting WMI filters back in\r\nMay. A common follow up question we got from that blog post was: “Hey cool. So, uh, what are WMI filters\r\nagain?”\r\nGroup Policy WMI filters were introduced with Windows XP, and are supported in Windows Server 2003,\r\nWindows Vista, and Windows Server 2008. They are not supported in Windows 2000, so if you have an all-2000\r\nenvironment you’re out of luck (10 years is a long time to go without upgrading :-P).\r\nFor those still with us…\r\nYou can use WMI filters to add a decision on when to apply a given group policy. This can be very useful when\r\nusers or computers are located in a relatively flat structure instead of specific OU’s, for example. Filters can also\r\nhelp when you need to apply certain policies based on server roles, operating system version, network\r\nconfiguration, or other criteria. Windows evaluates these filters in the following order of overall Group Policy\r\nProcessing:\r\n1. Policies in hierarchy are located.\r\n2. WMI Filters are checked.\r\n3. Security settings are checked.\r\n4. Finally, once everything has ‘passed’, a policy is applied.\r\nSo we find all the policies that exist in the user/computer’s Local, Site, Domain, and OU hierarchy. Then we\r\ndetermine if the WMI filter evaluates as TRUE. Then we verify that the user/computer has Read and Apply Group\r\npermissions for the GPO. 
This means that WMI filters are still less efficient than hierarchical linking, but you can\r\ndefinitely use filters to make decisions in a non-hierarchical Active Directory design.\r\nYou configure WMI filters using the WMI Filters node in GPMC.MSC.\r\nhttps://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/\r\nPage 1 of 10\n\nFigure 1 – GPMC WMI Filters Node\r\nThen you can create, delete or edit a filter.\r\nFigure 2 – WMI Filter Editor\r\nThen you can link the WMI filter to any GPO you like (or more than one GPO), like below:\r\nFigure 3 – GPMC Filter Dropdown\r\nSo in this case, I created a filter (you will see more on this below) that allows a GPO to apply to operating systems\r\nearlier than Windows Vista. I linked the WMI filter to a GPO that is applied to Windows Server 2008 computers –\r\nso the GPO shouldn’t apply. If I force Group Policy processing using GPUPDATE /FORCE then run\r\nGPRESULT /R, I see:\r\nFigure 4 – GPRESULT output\r\nSlick!\r\nWMI filters use a language called WQL, which will be very familiar to anyone that has ever written a SQL query.\r\nThe nice thing about learning WMI queries is that it forces you to learn more about the extremely powerful WMI\r\nsystem as a whole and the massive repository of data within it. WMI works within a construct of Namespaces and\r\nClasses. 99% of WQL queries will operate in the CIMV2 namespace, like all of the examples below.\r\nSo let’s look at some syntax examples:\r\nOnly for certain operating systems\r\nIt is common to want Group Policy objects to apply to a computer using a specific operating system or service\r\npack installed. 
Here are some examples that cover a few bases:\r\nSELECT Version FROM Win32_OperatingSystem WHERE Version \u003c \"6\"\r\nThe above WQL query returns true for any operating system older than Vista (so Windows XP and Windows\r\nServer 2003).\r\nSELECT Version FROM Win32_OperatingSystem WHERE Version LIKE \"6.0%\"\r\nThe above WQL query returns true for only Windows Vista or Windows Server 2008 operating systems.\r\nSELECT Version FROM Win32_OperatingSystem WHERE Version = \"5.1.2600\"\r\nThe above WQL query returns true only if the operating system is Windows XP Service Pack 2.\r\nSELECT * FROM Win32_OperatingSystem WHERE Version LIKE \"6.0.%\" AND ProductType \u003c\u003e \"1\"\r\nThe above WQL query returns true only if the computer is running Windows Server 2008 regardless of service\r\npack. Why so complex, you ask? Remember that Windows Server 2008 and Vista SP1 share the same codebase, so\r\nthey actually have the same exact version. 
Choosing a product type not equal to 1 (which is Workstation) returns\r\nonly servers or domain controllers running Windows Server 2008.\r\nOnly on Windows Server 2008 Core servers\r\nWhat if you have a GPO that you want to apply only to servers running Windows Server 2008 Core installations?\r\nHere is a sample query (wrapped for readability, this should be done as a single line in the filter dialog):\r\nSELECT OperatingSystemSKU FROM Win32_OperatingSystem WHERE OperatingSystemSKU = 12 OR\r\nOperatingSystemSKU = 39 OR OperatingSystemSKU = 14 OR OperatingSystemSKU = 41 OR\r\nOperatingSystemSKU = 13 OR OperatingSystemSKU = 40 OR OperatingSystemSKU = 29\r\nThese values map back to HEX values, which map back to:\r\nValue: Meaning\r\nPRODUCT_DATACENTER_SERVER_CORE (0x0000000C): Server Datacenter Edition (core installation)\r\nPRODUCT_DATACENTER_SERVER_CORE_V (0x00000027): Server Datacenter Edition without Hyper-V (core installation)\r\nPRODUCT_ENTERPRISE_SERVER_CORE (0x0000000E): Server Enterprise Edition (core installation)\r\nPRODUCT_ENTERPRISE_SERVER_CORE_V (0x00000029): Server Enterprise Edition without Hyper-V (core installation)\r\nPRODUCT_STANDARD_SERVER_CORE (0x0000000D): Server Standard Edition (core installation)\r\nPRODUCT_STANDARD_SERVER_CORE_V (0x00000028): Server Standard Edition without Hyper-V (core installation)\r\nPRODUCT_WEB_SERVER_CORE (0x0000001D): Web Server Edition (core installation)\r\nIf you want GPOs to apply only to computers NOT running Windows Server 2008 Core (and you can probably\r\nthink of some reasons to do that), then you would change all the equal signs (=) in the above query to\r\nangled brackets (\u003c\u003e).\r\n(See https://msdn2.microsoft.com/en-us/library/ms724358.aspx for details and the\r\nnon-CORE values.)\r\nOnly 
on a certain day of the week\r\nYes this is possible! Yes, customers have asked how to do this! No, I have no idea why! Ok, kidding about that last\r\none, but it sure seems like an odd request at first. It turns out that some companies like to do things like set a\r\nspecific message of the day for their legal notice. Or have a separate screensaver running every day of the week\r\nfor their users. Different strokes for different folks, I suppose.\r\nTo do this, your WQL queries (one filter per GPO that you wanted to set, remember) would be:\r\nSelect DayOfWeek from Win32_LocalTime where DayOfWeek = 1\r\nSelect DayOfWeek from Win32_LocalTime where DayOfWeek = 2\r\nSelect DayOfWeek from Win32_LocalTime where DayOfWeek = 3\r\nYou get the idea. One is Monday, two is Tuesday, etc.\r\nWrapping it up\r\nHopefully you’ve found some new things to think about regarding WMI filters and Group Policy. A closing note:\r\nnot all WMI filters are created equal. Not everything in WMI is as optimized as we’d like it to be, and some WMI\r\nqueries are not as performant as we’d like. Avoid loose wildcard queries when possible as they will run slower (for\r\nexample, Select * from Win32_LocalTime where DayOfWeek = 5 will run slightly slower than the samples\r\nprovided above). And above all, always test before deploying to production, using the slowest hardware you can\r\nfind so that you get a good idea about baseline performance.\r\nGot a filter question or a good sample to share? Hit the comments section below.\r\n- Ned Pyle\r\nAnonymous\r\nSeptember 11, 2008\r\nGreat post, thanks. I wish you wrote it a bit earlier ;) A couple of months ago I was evaluating Windows\r\nServer Security Guide. Default GPOs from there turn on UAC for user accounts (even administrators).\r\nThat's generally a good thing, but not on Server Core. 
It's simply unable to display the UAC prompt, so the\r\nuser can never elevate. So I had to find out myself how to filter out the Cores using WMI.\r\nAnonymous\r\nSeptember 11, 2008\r\nThe comment has been removed\r\nAnonymous\r\nSeptember 12, 2008\r\nGroup Policy MVP Darren Mar-Elia had a contest on his mailing list for a tough WMI problem. The\r\noriginal poster wanted a filter for desktop (no laptops) computers only. A guy named Joel won the contest\r\nwith this nice filter \"Select * from Win32_PhysicalMemory where FormFactor != 12 Returns True on\r\ncomputers that do not have SoDimm form factor memory and False on computers with SoDimm form\r\nfactor memory. The assumption is that all laptops will have this style memory and desktops will not.\" Very\r\ngood filter that does the job for almost all hardware configs.\r\nAnonymous\r\nSeptember 12, 2008\r\nThe comment has been removed\r\nAnonymous\r\nOctober 01, 2008\r\nThe Active Directory team also runs a blog that I find interesting to read. Stumbled\r\nacross it\r\nAnonymous\r\nOctober 01, 2008\r\nThis is great! If I need to filter just for non-server OS, will the following work? SELECT ProductType\r\nFROM Win32_OperatingSystem WHERE ProductType \u003c\u003e \"1\" For WMI filters in general, do they add\r\nmore significant load on domain controllers because the filters are processed at GPO refresh interval?\r\nThank you.\r\nAnonymous\r\nOctober 01, 2008\r\nThe comment has been removed\r\nAnonymous\r\nOctober 07, 2008\r\nEXCELLENT! This is real-world useful stuff! Especially the text to use for certain OS type filters -\r\nKUDOS!\r\nAnonymous\r\nOctober 24, 2008\r\nHey!! So, I have a WMI filter question for you related to above, I have half of it already, thanks. But, I\r\nneed to filter out a Windows 2008 64 bit server, that is not a DC from everything else. 
I have this so far, but\r\nsomehow my Vista clients still get it, which I really don't want to. Here is my filter. Select\r\nOSArchitecture,Version,ProductType from Win32_OperatingSystem where (OSArchitecture=\"64-bit\")\r\nAND (Version like \"6.0%\") AND (ProductType=\"3\") Thanks Daniel\r\nAnonymous\r\nOctober 24, 2008\r\nWBEMTEST returns true for that query on my 2008 x64 member server, and returns false on my Vista x64\r\nmachine. Do you get those same results with WBEMTEST? Just do Start, Run, WBEMTEST. Then click\r\nConnect, leave it as root\\cimv2, then click Query, and paste in your query as-is, then click Apply. If you get\r\n0 objects returned that is a False, 1 object returned is a True.\r\nAnonymous\r\nNovember 19, 2008\r\nWe’ve been at this for over a year (since August 2007), with more than 100 posts (127 to be exact), so\r\nAnonymous\r\nMarch 06, 2009\r\nFor various reasons, you may want to restrict certain configuration processes to a subset of your\r\nenvironment\r\nAnonymous\r\nMay 15, 2009\r\nJust do Start, Run, WBEMTEST. Then click Connect, leave it as root\\cimv2, then click Query, and paste in\r\nyour query as-is, then click Apply. If you get 0 objects returned that is a False, 1 object returned is a True.\r\nAnonymous\r\nMay 28, 2009\r\nI have half of it already, thanks. But, I need to filter out a Windows 2008 64 bit server, that is not a DC\r\nfrom everything else.\r\nAnonymous\r\nMay 28, 2009\r\nThis works for me (will apply to any 64-bit OS non-DC Win2008 server): SELECT\r\nOSArchitecture,ProductType FROM Win32_OperatingSystem WHERE OSArchitecture = \"64-bit\" and\r\nProductType = \"3\" Is that what you're looking for?\r\nAnonymous\r\nAugust 21, 2009\r\nIt's always interesting to read your articles. 
I wish I could write as well as you!\r\nAnonymous\r\nAugust 21, 2009\r\nThe comment has been removed\r\nAnonymous\r\nOctober 31, 2009\r\nI must add - for various reasons, you may want to restrict certain a-type configuration processes to a subset\r\nof your virtual environment. This is true in many ways and it's good to keep it in mind.\r\nAnonymous\r\nNovember 30, 2009\r\nI need a WMI Query (Filter) for IIS 6 or above, any idea what class I should use?\r\nAnonymous\r\nNovember 30, 2009\r\nHi Yoels, Interesting problem. Here's one way to do it, you can explore the theme here. Make sure you test\r\non Win2003 and later, as I only tested on Win2008. Also, make sure you use the double backslashes like I\r\ndid below: SELECT Version FROM CIM_DataFile WHERE Name =\r\n\"c:\\\\windows\\\\system32\\\\inetsrv\\\\iisres.dll\" AND Version \u003e= \"6\" This will see if the IISRES.DLL that IIS\r\nuses is installed and if its version is equal to or greater than 6. Let me know if that works for you. I must\r\npoint out that IIS 5.0 only exists on Win2000 though, and since you cannot use WMI filters on Win2000,\r\nthe version is rather moot. This would be more useful to see if it was IIS 7 or higher, for example.\r\nAnonymous\r\nJanuary 18, 2010\r\nThe comment has been removed\r\nAnonymous\r\nJanuary 18, 2010\r\nThe comment has been removed\r\nAnonymous\r\nJanuary 18, 2010\r\nThe comment has been removed\r\nAnonymous\r\nMay 10, 2010\r\nThis works when the systemroot is installed on SELECT Version FROM CIM_DataFile WHERE Name =\r\n\"c:\\\\windows\\\\system32\\\\inetsrv\\\\iisres.dll\" AND Version \u003e= \"6\" But in our environment we also have servers\r\nwith the systemroot installed on D:. 
We have 2000 IIS with the systemroot installed on C: or D:.\r\nAnonymous\r\nJuly 03, 2010\r\nCheck out my blog post that includes Windows 7 and server 2008 R2: derek858.blogspot.com/.../wmi-gpo-filters-for-operating-system.html\r\nAnonymous\r\nSeptember 18, 2014\r\nFun with WMI Filters in Group Policy - Ask the Directory Services Team - Site Home - TechNet Blogs\r\nAnonymous\r\nSeptember 22, 2014\r\nFun with WMI Filters in Group Policy - Ask the Directory Services Team - Site Home - TechNet Blogs\r\nAnonymous\r\nOctober 06, 2014\r\nFun with WMI Filters in Group Policy - Ask the Directory Services Team - Site Home - TechNet Blogs\r\nAnonymous\r\nOctober 26, 2014\r\nFun with WMI Filters in Group Policy - Ask the Directory Services Team - Site Home - TechNet Blogs\r\nAnonymous\r\nOctober 31, 2014\r\nFun with WMI Filters in Group Policy - Ask the Directory Services Team - Site Home - TechNet Blogs\r\nAnonymous\r\nSeptember 09, 2015\r\nHey, is it possible using WMI filtering to restrict the ntuser to login one at a time?\r\nSource: https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/"
	],
	"report_names": [
		"fun-with-wmi-filters-in-group-policy"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446575,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cbc6f823be4b2e67a5780e8df15be5585a68e97e.pdf",
		"text": "https://archive.orkl.eu/cbc6f823be4b2e67a5780e8df15be5585a68e97e.txt",
		"img": "https://archive.orkl.eu/cbc6f823be4b2e67a5780e8df15be5585a68e97e.jpg"
	}
}