WMI Filter for GPO

    Question

  • OK, so I think I'm new to WMI filtering, but I understand some of its potential. I think it can help me here!

    We recently eliminated the D: drive on all of our corporate computers and are in the midst of a switch to using C: for everything. My problem is this: I want to change all of our policies that set the default save location. I'm using GPO, and my policy works perfectly.

    However, I can honestly say I'm clueless when looking to create a WMI filter for it. My objective is simple, at least I think so!
    Check to see if D: exists. If it doesn't, execute the policy. If D: exists, skip this policy!

    Anyone able to assist?
    • Moved by Bill_Stewart Monday, June 6, 2016 5:22 PM Move to more appropriate forum
    Monday, June 6, 2016 5:08 PM

Answers

All replies

  • For GPO questions post in GP forum here: Group Policy

    Also search for blogs that discuss WMI filtering in a GPO. There are quite a few.

    A filter that returns anything is "True" and one that returns nothing is "False".

    select * from Win32_Volume where Driveletter='D:'

    That's all.


    \_(ツ)_/

    Monday, June 6, 2016 5:20 PM
  • That's what I came up with, minus the '' around D.

    But I get an error and am unsure what namespace to use, or how to use it for a GPO.

    Now that I can detect it, I want to run the GPO if it doesn't find D. That's the part that is throwing me.
    Monday, June 6, 2016 6:32 PM
  • ns = root\CimV2

    Works fine for me:

    instance of MSFT_SomFilter
    {
        Author = "Admin@TESTNET.local";
        ChangeDate = "20160606184338.430000-000";
        CreationDate = "20160606184227.337000-000";
        Domain = "TESTNET.local";
        ID = "{E6CD36F4-2939-417C-9CD1-EAFB45398F4C}";
        Name = "Drive filter";
        Rules = {
            instance of MSFT_Rule
            {
                // Win32_Volume exposes the drive letter as DriveLetter
                Query = "select * from Win32_Volume where DriveLetter = \"D:\"";
                QueryLanguage = "WQL";
                TargetNameSpace = "root\\CIMv2";
            }};
    };


    \_(ツ)_/


    • Edited by jrv Monday, June 6, 2016 6:45 PM
    Monday, June 6, 2016 6:45 PM
  • I guess I'm just confused about how to tell the GPO what to do based on the query?

    I can get it to run and return in WMI Code Editor,
    and I have it linked to my GPO.

    What's the magic switch to say: OK, you checked for D, it wasn't there, run this;
    or it was there, don't run the GPO?

    This is what I have for a WMI filter:


    • Edited by Sniper6659 Monday, June 6, 2016 7:32 PM
    Monday, June 6, 2016 7:12 PM
  • It is automatic. If the result is non-null the GP will be applied.

    \_(ツ)_/

    Monday, June 6, 2016 7:36 PM
  • Isn't my query backwards? I want it to only apply if D is not there. If D is present, do not run this policy.
    Monday, June 6, 2016 7:42 PM
  • > Isn't my query backwards? I want it to only apply if D is not there. If D is present, do not run this policy.

    Just negate the query.

    \_(ツ)_/

    Monday, June 6, 2016 7:46 PM
  • Unfortunately you cannot do a negative query in WMI.  You would have to use a script for that.

    Since we don't know what you are trying to do with your policy it is not possible to advise you on a way to do it.


    \_(ツ)_/

    Monday, June 6, 2016 7:51 PM
  • Well, the query I had (from the pic above) does not even seem to have an effect!

    The policy does not run regardless of the presence of the D drive with the WMI filter.

    I appreciate the advice, but right now this is something I will have to pick up tomorrow. Perhaps a clear head will provide a quick result!
    Monday, June 6, 2016 7:53 PM
  • Here is an article that does a pretty good job of explaining how to deal with your predicament.  It might work for you: http://evilgpo.blogspot.com/2012/05/inverting-wmi-filters.html


    \_(ツ)_/

    Monday, June 6, 2016 7:53 PM
  • > > Isn't my query backwards? I want it to only apply if D is not there. If D is present, do not run this policy.
    >
    > Just negate the query.
    >
    > \_(ツ)_/

    Not meant to be serious. I was just venting my annoyance at this limitation of GP filtering. Use GPP to trigger on the non-existence of an item.

    \_(ツ)_/

    Monday, June 6, 2016 7:55 PM
  • Not taken seriously, it's frustrating!
    And an amusing way to end my day...

    In this world where simplification means the same as complication...

    All I want is a damn switch that says: if this isn't here, do this; if it is, don't touch a thing!
    Monday, June 6, 2016 8:12 PM
  • > Not taken seriously, it's frustrating!
    > And an amusing way to end my day...
    >
    > In this world where simplification means the same as complication...
    >
    > All I want is a damn switch that says: if this isn't here, do this; if it is, don't touch a thing!

    You have to use GPP for that.  Read the article.

    \_(ツ)_/

    Monday, June 6, 2016 8:31 PM
  • > now that I can detect it,  I want to run the gpo if it doesn't find D.
     
    Short answer: Impossible. Every computer is supposed to have a drive
    that is NOT called D, so a "<>" will always return true:
     
     
    Tuesday, June 7, 2016 2:58 PM
  • > Here is an article that does a pretty good job of explaining how to deal
    > with your predicament.  It might work for you:
     
    Saw this too late, jrv :-)
     
    Tuesday, June 7, 2016 2:59 PM
  • Martin,
    Thanks for the article. JRV sent it as well.

    At the moment about 80% of our computers have a drive called D on them, so that's where I'm not understanding why this does not return false?

    As it turns out, one of the first times I have used WMI with GPO turns out to be a complicated scenario to learn with!

    Wednesday, June 8, 2016 12:08 PM
  • > them, so that's where I'm not understanding why this does not return false?
     
    Select * from Win32_Volume where DriveLetter != "D:"
     
    will always return true because you have C...
     
    As long as you are filtering for a class that has more than one
    instance, you cannot negate a WMI query because it will filter out one
    instance only, but still find the others and return true.
     
     
    Wednesday, June 8, 2016 3:12 PM
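
The behaviour described in the replies above can be checked on a workstation before a filter is linked to a GPO. The PowerShell below is an added example, not part of any post in this thread; `Test-WmiFilterQuery` is a hypothetical helper name, and treating a failed query as False is an assumption of the helper.

```powershell
# Added example (not from the thread). Test-WmiFilterQuery is a hypothetical helper.
# It applies the rule quoted above: any returned instance = True, none = False.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        # @() forces an array so .Count is reliable for 0 or 1 results.
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    }
    catch {
        # Assumption of this helper: a query that fails to run counts as no match.
        Write-Warning "Query failed: $($_.Exception.Message)"
        $hits = @()
    }
    [pscustomobject]@{
        Query         = $Query
        MatchedDrives = ($hits | ForEach-Object { $_.DriveLetter } | Where-Object { $_ }) -join ', '
        FilterResult  = ($hits.Count -gt 0)
    }
}

$queries = @(
    # True only on machines that still have a D: volume.
    "SELECT * FROM Win32_Volume WHERE DriveLetter = 'D:'"
    # Intended as "no D:", but C: (or any other lettered volume) still matches.
    "SELECT * FROM Win32_Volume WHERE DriveLetter != 'D:'"
)

$queries | ForEach-Object { Test-WmiFilterQuery -Query $_ } | Format-Table -AutoSize -Wrap
```

On a machine with both C: and D:, both rows report FilterResult True, which is why the negated query cannot stand in for "D: is absent".
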
  • OK, I see your point. This would be easier if I could item-level target under: User Config > Policies > Admin Templates
    Wednesday, June 8, 2016 5:06 PM
  • > ok I see your point.  this would be easier if I could item level target
    > under:  User Config > Policies > Admin Templates
     
    Depending on the setting you want to deploy, you can replace ADM
    templates with GPP Registry - the registry keys can be found either in
     
    Sample for that scenario:
     
    Thursday, June 9, 2016 8:06 AM