need your advice on AGPM

    Question

  • Hi all,

    We have one policy with a WMI filter listed in AGPM. Will the WMI filter show up when I run an HTML report?

    Thank you.

    Tuesday, March 22, 2016 6:01 PM

All replies

  • Hi,

    Thanks for your post.

    Would you please help to describe more details about your question? If you mean GPResult report, then the answer is yes. Please see the screenshot below:

    Article for your reference:

    WMI filtering using GPMC

    https://technet.microsoft.com/en-us/library/cc779036(v=ws.10).aspx

    Best Regards,

    Alvin Wang



    Wednesday, March 23, 2016 5:35 AM
    Moderator
  • Hi,
     
    On 22.03.2016 at 19:01, John JY wrote:
    > Will the WMI filter show up when I run an HTML report?
     
    The question is just 5 minutes and a few clicks from answering ...
     
    What will happen, if you just give it a go?
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Wednesday, March 23, 2016 8:07 AM
  • Thanks for your help.


    In AGPM, if the policy is configured to use WMI filter, I create the HTML report from AGPM and the WMI filter should be included if configured.  Right?

    I asked this question because of https://social.technet.microsoft.com/Forums/windowsserver/en-US/6cab1e29-75e6-4a2f-96b7-0963ab011759/can-agpm-manage-wmi-filters-a-gpo-uses?forum=winserverGP

    > I found out from my own research AGPM does not manage WMI filters. (from the link above)

    Can anyone help explain what "AGPM does not manage WMI filters" is supposed to mean?

    Thank you!

    Wednesday, March 23, 2016 1:46 PM
  • On 23.03.2016 at 14:46, John JY wrote:
    > Can anyone help what "AGPM does not manage WMI filters" is supposed to mean?
     
    It means that WMI filtering still needs to be done with GPMC and not
    within "Change Control".
     
    WMI filters are only linked to GPOs, like GPOs are only linked to OUs.
    If you backup and restore a GPO, WMI filtering is not part of the GPO
    and therefore not part of your backup/restore.
     
    If you delete a WMI filter and restore the GPO, it will not restore the WMI.
     
    AGPM can handle GPObjects, but it doesn't handle WMI.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Wednesday, March 23, 2016 3:06 PM
  • Thanks Mark.

    We have one controlled group policy which had a WMI filter linked when it was created from history in AGPM; but later, the WMI filter was not there when it was deployed in AGPM. We tried to figure out who removed that WMI filter from the GP. If that GP has a WMI filter linked, the WMI filter should be linked after the GP is deployed. Right? That means the person removed the WMI filter from the GP when deploying?

    Thank you for your help. 


    • Edited by John JY Thursday, March 24, 2016 1:20 PM
    Thursday, March 24, 2016 1:19 PM
  • Hi,
     
    On 24.03.2016 at 14:19, John JY wrote:
    > We have one controlled group policy which had WMI filter linked when it
    > was created from history in AGPM; But, later, WMI filter was not there
    > when it was deployed in AGPM.
     
    If it has a WMI when moving from uncontrolled to controlled, then it
    will have a WMI at deploy as well. Why?
    Because the edited GPO will be imported into the production GPO, it will
    override all GP settings /inside/, but the WMI is not part of the GP
    Backup/Restore information.
    For WMI, there will be no information imported/restored and therefore
    there will be nothing overwritten when deploying settings.
    The state of WMI stays like it is and like it was before.
     
    If it has no WMI after deploying it again, it only seems to depend on
    the deployment, but in fact the WMI was removed manually by someone
    /before/. You only mention it after deploying settings.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    • Marked as answer by John JY Thursday, March 24, 2016 3:28 PM
    Thursday, March 24, 2016 2:59 PM
  • On 24.03.2016 at 15:59, Mark Heitbrink [MVP] wrote:
    > For WMI, there will be no information imported/restored and therefore
    > there will be nothing overwritten, when deploy settings.
     
    Sorry, that's wrong :-)
     
    Take a look inside backup.xml of any backed-up GPO with a WMI Filter and
    you will find something like this:
     
    <WMIFilter>
    <![CDATA[MSFT_SomFilter.ID="{015BB6F0-0E40-4D12-9959-835967C0668B}",Domain="your.dom"]]>
    </WMIFilter>
     
    The link of the WMI is stored, but it will not be restored when
    deploying it again by AGPM. The GPMC will do.
     
    Weird, never mentioned that.
     
    Why?
    I think it's all about delegation and permissions. WMI is stored in a
    different path than GPO. If you delegate permissions for GPO you will
    not delegate control on WMI. WMI is still a domain admin task, not a
    GPAdmin thing.
     
    If the "leader of WMI" decides to change WMI and its linking, the
    GPAdmin is not allowed to change it and I think this is the reason why
    AGPM does not restore WMI, even if they are technically allowed to write
    the gPCWQLFilter attribute on the GPO.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Friday, March 25, 2016 8:14 AM
  • Hi Mark,

    Greatly appreciate your help and explanation.

    >the link of the WMI is stored, but it will not be restored when
    >deploying it again by AGPM. The GPMC will do.
     

    Does it mean from above that the WMI filter will not be shown in AGPM after deploying? I do several group policies with WMI filter shown in AGPM controlled console.

    Thank you!

    Friday, March 25, 2016 3:19 PM
  • Hi,
     
    On 25.03.2016 at 16:19, John JY wrote:
    > Does it mean from above that WMI filter will not be shown in AGPM after
    > deploying?
     
    It means WMI Filter on that specific GPO stays like it is set by native
    GPMC, no matter if AGPM Client is installed or not.
     
    - if there was a filter, it is still there, the data is untouched
    - if the link is removed in GPMC, AGPM does not restore it when
    deploying the GPO again
     
    In my tests, WMI was completely untouched by AGPM. Within Change Control
    of AGPM, you only get information about WMI when creating a report.
     
    Control GPOs -> AGPM Change Control
    Control WMI  -> native GPMC
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    • Marked as answer by John JY Friday, March 25, 2016 6:33 PM
    Friday, March 25, 2016 3:59 PM
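
The drift described in the replies above (backup.xml still records the WMI filter link, but an AGPM deploy does not put it back on the GPO) can be detected by comparing the two values. This is an added example, not code from the thread or from AGPM: the function names and the `<Backup>` wrapper element are hypothetical, the backup fragment is constructed from the snippet quoted in the thread, and the gPCWQLFilter value is assumed to have its usual `[domain;{GUID};0]` form.

```powershell
# Added example: compare the WMI filter recorded in a GPO backup with the
# filter currently linked on the live GPO (its gPCWQLFilter attribute).
# Function names are hypothetical; sample values below are constructed.

function Get-BackupWmiFilterId {
    param([Parameter(Mandatory)][string]$BackupXml)
    $doc = [xml]$BackupXml
    # local-name() ignores whatever XML namespaces the real file declares
    $node = $doc.SelectSingleNode("//*[local-name()='WMIFilter']")
    if ($null -ne $node -and
        $node.InnerText -match 'MSFT_SomFilter\.ID="(\{[0-9A-Fa-f-]{36}\})"') {
        return $Matches[1].ToUpperInvariant()
    }
    return $null   # backup records no WMI filter link
}

function Get-LiveWmiFilterId {
    param([string]$GpcWqlFilter)   # empty when no filter is linked
    if ($GpcWqlFilter -match '^\[[^;]+;(\{[0-9A-Fa-f-]{36}\});\d+\]$') {
        return $Matches[1].ToUpperInvariant()
    }
    return $null
}

function Compare-WmiFilterLink {
    param([Parameter(Mandatory)][string]$BackupXml, [string]$GpcWqlFilter)
    $expected = Get-BackupWmiFilterId -BackupXml $BackupXml
    $actual   = Get-LiveWmiFilterId -GpcWqlFilter $GpcWqlFilter
    if     ($expected -eq $actual) { $state = 'Match' }
    elseif (-not $actual)          { $state = 'LinkRemoved' }
    elseif (-not $expected)        { $state = 'LinkAdded' }
    else                           { $state = 'LinkChanged' }
    [pscustomobject]@{ Backup = $expected; Live = $actual; State = $state }
}

# Constructed backup fragment (<Backup> is a placeholder wrapper element).
$backup = @'
<Backup><WMIFilter><![CDATA[MSFT_SomFilter.ID="{015BB6F0-0E40-4D12-9959-835967C0668B}",Domain="your.dom"]]></WMIFilter></Backup>
'@

# Live values would come from AD, for example:
#   Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName, gPCWQLFilter

# Case 1: the filter is still linked on the live GPO.
Compare-WmiFilterLink -BackupXml $backup -GpcWqlFilter '[your.dom;{015BB6F0-0E40-4D12-9959-835967C0668B};0]'
# Case 2: the link was removed in GPMC, so the attribute is empty.
Compare-WmiFilterLink -BackupXml $backup -GpcWqlFilter ''
```

A `LinkRemoved` result for a controlled GPO means the link has to be re-added in GPMC, since per the thread an AGPM deploy will not restore it.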