Group Policy WMI Filter – Laptop or Desktop Hardware

image_pdfimage_print

In a previous article about WMI filters for Group Policy, I identified simple filters to make sure that GPOs will only apply to machines running a specific operating system such as Windows 7. This is helpful for separating workstations based on OS, but one of the most commonly asked for filter is whether the client is running on laptop or desktop hardware.

Many admins (myself included) use group membership to manage GPO distribution by adding computers or users to an Active Directory group and then adding that group using the Advanced options in the Delegation tag inside the Group Policy Management Console (gpmc.msc).

GPO Deny

In this example I’ve used a policy named GPO_LogonScript and then created a Active Directory group named DENY_GPO_LogonScript. This is handy for testing things like logon scripts so that you ensure that a group of users or computers block the processing of certain policies. You can achieve the same thing by using different OUs specifically for testing, but this allows you to not disrupt the other regular configurations and policies.

For us to use this method for laptops, we would have to explicitly add the laptop computer objects into an Active Directory group and apply the Deny attribute to the Apply Group Policy setting. While that will work, it requires manual intervention and as most of us know, manual changes lead to missed changes.

WMI Filtering for Hardware

This is where we can use the magic of WMI filters to automate the task of identifying a workstation type based on WMI properties. For my sample, I have a filter named Windows 7 Desktop Only where I am filtering based on the Caption property of the Win32_OperatingSystem class to define Windows 7, and also by the FormFactor property of the Win32_PhysicalMemory class.

 

The FormFactor property tells us what type of memory module is installed in the hardware device. For SODIMM memory which is used for laptops the FormFactor value will be 12. So to isolate the hardware type as desktop you simply use this query:

Select * from Win32_PhysicalMemory WHERE (FormFactor != 12)

Or for laptop detection, you want the query to be set to equal 12:

Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)

Another method to detect hardware as laptop only is to look for the presence of a battery based on the BatteryStatus property of the Win32_Battery class.

By using the Win32_Battery class, we can search to see if there is a battery present. If the battery status is not equal to zero ( BatteryStatus <> 0 ) then you know that it is a laptop.

Select * from Win32_Battery WHERE (BatteryStatus <> 0)

On my laptop, I can run a GPRESULT /V and the filtered GPOs show up as Denied (WMI FIlter):

As always you will have to test these out and flavor taste according to your specific environment. You can also use these WMI filters inside SCCM, SMS, PowerShell and a variety of other management tools and scripts in order to report, manage and monitor on your environment.

Happy filtering!

 

DiscoPosse

People, Process, and Technology. Powered by Community!

You might also like

9 Comments

  • Matt Vogt (@mattvogt)
    April 5, 2012 at 7:28 am

    Great post, Eric.

    This WMI filter for GPO is quite the hot topic around AD administrators circles and considered the Holy Grail of filters. The memory formula ‘usually’ works, however, all modern Dell computers (laptops and desktops) report a memory form factor of 8, so it unfortunately doesn’t work form them.

    The Batter Status filters if you want to catch laptops, but unfortunately, it doesn’t help in identifying desktops (there’s no batter status field, so it doesn’t even return 0 or NULL).

    Cheers!
    Matt
    @mattvogt

    • DiscoPosse
      Eric
      April 5, 2012 at 8:07 am

      Thanks Matt!

      You are absolutely right about the limits of the 2 query types. It is a challenge to find the ideal because each can get different results. We could also blame Dell 😉

      I’ve got a hybrid of the two running. For Desktops I look for FormFactor and for laptops I look for battery. You would think that there would be a nice simple Laptop=1 field somewhere.

      Eric

  • Matt Vogt (@mattvogt)
    April 5, 2012 at 8:38 am

    Oh, I do blame Dell, or at least their main board/memory manufacturer choices 😉

    Wouldn’t that be great? My great hope is that client side targeting (ala GPPs) will eventually come to GPOs.

  • David Logan
    June 25, 2013 at 6:49 am

    Great Article – thanks for the tips. I’m searching for a way to set a GPO WMI filter to determine if the client is virtual or physical. There are a few GPOs that we want to alter accordingly. Are you aware of a way to structure a WMI filter to make this determination?

    • DiscoPosse
      Eric
      June 25, 2013 at 8:36 am

      Hi David,

      You can try reading the MAC address because each virtualization vendor has it’s own MAC range. This is for detecting VMware, but there are also other filters you can build for each virtualization platform (e.g. Citrix, Microsoft).

      SELECT * FROM Win32_NetworkAdapter WHERE MACAddress LIKE “00:05:69%” or MACAddress LIKE “00:0C:29%” or MACAddress LIKE “00:50:65%”

      It would be nice if they labeled the BIOS or had a custom tag we could always rely on, but this is a potential workaround for it.

      Thanks…Eric

      • David Logan
        June 25, 2013 at 8:57 am

        Eric,

        Thanks for your reply. I believe I may actually have something I can use. We use Citrix for virtualization and the W32_BIOS shows “Xen” as Manufacturer. We should be able to key off of this field to determine if a machine is virtual as oppose to physical. I’m working on the GPO and filter now to test this. If it doesn’t work, I’ll try your MAC address approach.

        Thanks,

        David

    • JComes
      December 17, 2015 at 7:39 am

      Here is an example of a GPO WMI filter to see if the target is physical or virtual: http://www.sysadmit.com/2015/12/gpo-aplicar-solo-a-vms.html

  • Rob
    February 11, 2016 at 5:59 pm

    Since we’re a DELL shop, I used the model identifier in Win32_ComputerSystem to target our desktops (also filters out virtuals that way):

    Select * From Win32_ComputerSystem Where Model LIKE “Optiplex%”

  • Ryan
    May 19, 2017 at 10:34 am

    Select * from Win32_ComputerSystem WHERE (PCSystemType != 2)

    ^ This matches for “not laptop” with 100% reliability.

LEAVE A COMMENT

Proudly Sponsored By

GC On-Demand

Subscribe to the Blog

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Upcoming events:

no event

Archives