Have you been trying to apply group policies to only certain versions of windows without applying that policy to all of your computers/servers that don’t match what the policy is meant for? WMI Filtering your Group Policy is the answer for this.
Here are some examples of what types of devices you need to filter for:
Desktop OS / Server OS
Domain Controller / Non-domain Controller
32-bit / 64-bit
The WMI filter uses a query to determine if the policy applies to the machine.
Quick Example:
Below is an example of a WMI OS Filter query:
SELECT * FROM Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1" AND OSArchitecture = "64-bit"
Query Options:
There are many combinations you can make to achieve the filtering you are looking for. I will breakdown each section below explaining what variables are available.
Product Type options:
1 = Desktop Operating Systems like Windows XP, 7, 8, etc…
2 = Server Operating Systems that ARE domain controllers
3 = Server Operating Systems that ARE NOT domain controllers (in other words Member Servers)
Version options:
5.1 = Windows XP (yikes!)
5.2 = Windows 2003 (You should look into upgrading your system!)
5.2.3 = Windows 2003 R2 (Read above!)
6.0 = Windows Vista (Upgrade, Upgrade) or Windows Server 2008 (safe zone here!)
6.1 = Windows 7 or Windows Server 2008 R2 (Both are now End of Support, you should Upgrade!)
6.2 = Windows 8 or Windows Server 2012
6.3 = Windows 8.1 or Windows Server 2012 R2
10.0 = Windows 10 or Windows Server 2016/2019
Now I’ve read a lot of forums saying that the query for Windows 10 is tricky due to how the queries get evaluated. The one that I put together and tested appears to be working, I’m getting a true status on my Windows 10 machine and the Group Policy that is using that filter is being applied. So I’m not sure what problems the other people were running into. But now on to some examples of queries based on common machine configurations.
NOTE: you should always test your Group Policy on your OU to make sure you are achieving the correct results. Once you’ve confirmed that the Group Policy functions the way you are expecting it then you can continue to building the WMI filter as shown below.
Desktop OS Examples:
If you wanted to match ANY Windows Desktop OS that is 64-bit:
SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1" AND OSArchitecture = "64-bit"
If you wanted to match Windows XP that is 32-bit:
SELECT * FROM Win32_OperatingSystem WHERE (Version like "5.1%" or Version like "5.2%") AND ProductType="1" AND NOT OSArchitecture = "64-bit"
If you wanted to match Windows 7 that is 64-bit:
SELECT * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1" AND OSArchitecture = "64-bit"
If you wanted to match Windows 10 that is 64-bit:
SELECT * from Win32_OperatingSystem WHERE Version like "10.0%" AND ProductType="1" AND OSArchitecture = "64-bit"
Hopefully you are catching on at how these are built based on what you are trying to filter for!
Server OS Examples:
If you wanted to match ANY Windows Server OS that is 64-bit and is either a Domain Controller OR Member server:
SELECT * FROM Win32_OperatingSystem WHERE (ProductType = "2") OR (ProductType = "3") AND OSArchitecture = "64-bit"
If you wanted your query to match Windows Server 2012 R2 that is 64-bit and is a Domain Controller:
SELECT * FROM Win32_OperatingSystem WHERE Version like "6.3%" AND (ProductType = "2") AND OSArchitecture = "64-bit"
If you wanted your query to match Windows Server 2016/2019 that is 64-bit and is a Domain Controller:
SELECT * FROM Win32_OperatingSystem WHERE Version like "10.0%" AND (ProductType = "2") AND OSArchitecture = "64-bit"