In a previous article about WMI filters for Group Policy, I identified simple filters to make sure that GPOs will only apply to machines running a specific operating system such as Windows 7. This is helpful for separating workstations based on OS, but one of the most commonly asked for filter is whether the client is running on laptop or desktop hardware.
Many admins (myself included) use group membership to manage GPO distribution by adding computers or users to an Active Directory group and then adding that group using the Advanced options in the Delegation tag inside the Group Policy Management Console (gpmc.msc).
In this example I’ve used a policy named GPO_LogonScript and then created a Active Directory group named DENY_GPO_LogonScript. This is handy for testing things like logon scripts so that you ensure that a group of users or computers block the processing of certain policies. You can achieve the same thing by using different OUs specifically for testing, but this allows you to not disrupt the other regular configurations and policies.
For us to use this method for laptops, we would have to explicitly add the laptop computer objects into an Active Directory group and apply the Deny attribute to the Apply Group Policy setting. While that will work, it requires manual intervention and as most of us know, manual changes lead to missed changes.
WMI Filtering for Hardware
This is where we can use the magic of WMI filters to automate the task of identifying a workstation type based on WMI properties. For my sample, I have a filter named Windows 7 Desktop Only where I am filtering based on the Caption property of the Win32_OperatingSystem class to define Windows 7, and also by the FormFactor property of the Win32_PhysicalMemory class.
The FormFactor property tells us what type of memory module is installed in the hardware device. For SODIMM memory which is used for laptops the FormFactor value will be 12. So to isolate the hardware type as desktop you simply use this query:
Select * from Win32_PhysicalMemory WHERE (FormFactor != 12)
Or for laptop detection, you want the query to be set to equal 12:
Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)
Another method to detect hardware as laptop only is to look for the presence of a battery based on the BatteryStatus property of the Win32_Battery class.
By using the Win32_Battery class, we can search to see if there is a battery present. If the battery status is not equal to zero ( BatteryStatus <> 0 ) then you know that it is a laptop.
Select * from Win32_Battery WHERE (BatteryStatus <> 0)
On my laptop, I can run a GPRESULT /V and the filtered GPOs show up as Denied (WMI FIlter):
As always you will have to test these out and flavor taste according to your specific environment. You can also use these WMI filters inside SCCM, SMS, PowerShell and a variety of other management tools and scripts in order to report, manage and monitor on your environment.
Happy filtering!
Great post, Eric.
This WMI filter for GPO is quite the hot topic around AD administrators circles and considered the Holy Grail of filters. The memory formula ‘usually’ works, however, all modern Dell computers (laptops and desktops) report a memory form factor of 8, so it unfortunately doesn’t work form them.
The Batter Status filters if you want to catch laptops, but unfortunately, it doesn’t help in identifying desktops (there’s no batter status field, so it doesn’t even return 0 or NULL).
Cheers!
Matt
@mattvogt
Thanks Matt!
You are absolutely right about the limits of the 2 query types. It is a challenge to find the ideal because each can get different results. We could also blame Dell 😉
I’ve got a hybrid of the two running. For Desktops I look for FormFactor and for laptops I look for battery. You would think that there would be a nice simple Laptop=1 field somewhere.
Eric
Oh, I do blame Dell, or at least their main board/memory manufacturer choices 😉
Wouldn’t that be great? My great hope is that client side targeting (ala GPPs) will eventually come to GPOs.
Great Article – thanks for the tips. I’m searching for a way to set a GPO WMI filter to determine if the client is virtual or physical. There are a few GPOs that we want to alter accordingly. Are you aware of a way to structure a WMI filter to make this determination?
Hi David,
You can try reading the MAC address because each virtualization vendor has it’s own MAC range. This is for detecting VMware, but there are also other filters you can build for each virtualization platform (e.g. Citrix, Microsoft).
SELECT * FROM Win32_NetworkAdapter WHERE MACAddress LIKE “00:05:69%” or MACAddress LIKE “00:0C:29%” or MACAddress LIKE “00:50:65%”
It would be nice if they labeled the BIOS or had a custom tag we could always rely on, but this is a potential workaround for it.
Thanks…Eric
Eric,
Thanks for your reply. I believe I may actually have something I can use. We use Citrix for virtualization and the W32_BIOS shows “Xen” as Manufacturer. We should be able to key off of this field to determine if a machine is virtual as oppose to physical. I’m working on the GPO and filter now to test this. If it doesn’t work, I’ll try your MAC address approach.
Thanks,
David
Here is an example of a GPO WMI filter to see if the target is physical or virtual: http://www.sysadmit.com/2015/12/gpo-aplicar-solo-a-vms.html
Since we’re a DELL shop, I used the model identifier in Win32_ComputerSystem to target our desktops (also filters out virtuals that way):
Select * From Win32_ComputerSystem Where Model LIKE “Optiplex%”
Select * from Win32_ComputerSystem WHERE (PCSystemType != 2)
^ This matches for “not laptop” with 100% reliability.
2 = Mobile. Desktops should return a 1.
About the battery detection. If the desktop has a UPS attached and it’s connected to it via the USB cord, Windows knows there’s a battery. Would this be picked up by your battery detection and, therefore, make it appear to be a laptop?
To answer my own question…
I tested this and it appears that it does know the difference between an installed battery and a UPS. Also, if using the battery option, is a WMI query really necessary? Battery Present is one of the options under Targeting in the Preference section of the Group Policy Editor.
I need to modify my previous reply. A computer running APC’s software was not detected as having a battery. But, another computer that has a UPS and controlling it through the built-in Windows power management did get detected as having a battery. So it appears that the battery option is problematic for detecting a laptop or other portable device.