Group Policy WMI Filter – Laptop or Desktop Hardware

In a previous article about WMI filters for Group Policy, I identified simple filters to make sure that GPOs will only apply to machines running a specific operating system such as Windows 7. This is helpful for separating workstations based on OS, but one of the most commonly requested filters is one that tells whether the client is running on laptop or desktop hardware.

Many admins (myself included) use group membership to manage GPO distribution by adding computers or users to an Active Directory group and then adding that group using the Advanced options in the Delegation tab inside the Group Policy Management Console (gpmc.msc).

GPO Deny

In this example I’ve used a policy named GPO_LogonScript and then created an Active Directory group named DENY_GPO_LogonScript. This is handy for testing things like logon scripts, because it lets you make sure that a group of users or computers blocks the processing of certain policies. You can achieve the same thing by using different OUs specifically for testing, but this approach lets you avoid disrupting the other regular configurations and policies.

For us to use this method for laptops, we would have to explicitly add the laptop computer objects into an Active Directory group and apply the Deny attribute to the Apply Group Policy setting. While that will work, it requires manual intervention and as most of us know, manual changes lead to missed changes.

WMI Filtering for Hardware

This is where we can use the magic of WMI filters to automate the task of identifying a workstation type based on WMI properties. For my sample, I have a filter named Windows 7 Desktop Only where I am filtering based on the Caption property of the Win32_OperatingSystem class to define Windows 7, and also by the FormFactor property of the Win32_PhysicalMemory class.

 

The FormFactor property tells us what type of memory module is installed in the hardware device. For SODIMM memory, which is used for laptops, the FormFactor value will be 12. So to isolate the hardware type as desktop you simply use this query:

Select * from Win32_PhysicalMemory WHERE (FormFactor != 12)

Or for laptop detection, you want the query to be set to equal 12:

Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)

Another method to detect hardware as laptop only is to look for the presence of a battery based on the BatteryStatus property of the Win32_Battery class.

By using the Win32_Battery class, we can search to see if there is a battery present. If the battery status is not equal to zero ( BatteryStatus <> 0 ) then you know that it is a laptop.

Select * from Win32_Battery WHERE (BatteryStatus <> 0)

On my laptop, I can run GPRESULT /V and the filtered GPOs show up as Denied (WMI Filter).

As always, you will have to test these out and adjust them to taste for your specific environment. You can also use these WMI filters inside SCCM, SMS, PowerShell and a variety of other management tools and scripts in order to report on, manage and monitor your environment.
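One way to test these filters on a machine before linking them to a GPO, as an added PowerShell example that is not from the original article: it runs the three queries above locally and warns when the memory-based and battery-based checks disagree. Test-WmiFilter is a hypothetical helper name, and the example relies on a WMI filter passing only when every query in it returns at least one instance.

```powershell
# Added example: Test-WmiFilter is a hypothetical helper, not a built-in cmdlet.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)] [string[]] $Query,
        [string] $Namespace = 'root\CIMv2'
    )
    $perQuery = foreach ($q in $Query) {
        try {
            # A query passes when it returns at least one instance.
            $n = @(Get-CimInstance -Query $q -Namespace $Namespace -ErrorAction Stop).Count
            [pscustomobject]@{ Query = $q; Instances = $n; Passes = ($n -gt 0); Error = $null }
        } catch {
            # Assumption of this example: a query that errors counts as not passing.
            [pscustomobject]@{ Query = $q; Instances = 0; Passes = $false; Error = $_.Exception.Message }
        }
    }
    [pscustomobject]@{
        # Every query in the filter has to pass for the filter as a whole to pass.
        FilterPasses = (@($perQuery | Where-Object { -not $_.Passes }).Count -eq 0)
        Queries      = @($perQuery)
    }
}

# The three queries from the article.
$filters = [ordered]@{
    'Desktop (memory)' = 'Select * from Win32_PhysicalMemory WHERE (FormFactor != 12)'
    'Laptop (memory)'  = 'Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)'
    'Laptop (battery)' = 'Select * from Win32_Battery WHERE (BatteryStatus <> 0)'
}
$report = foreach ($name in $filters.Keys) {
    $r = Test-WmiFilter -Query ($filters[$name])
    [pscustomobject]@{
        Filter    = $name
        Passes    = $r.FilterPasses
        Instances = $r.Queries[0].Instances
        Error     = $r.Queries[0].Error
    }
}
$report | Format-Table -AutoSize

# Flag hardware that the filters classify inconsistently.
$pass = @{}; $report | ForEach-Object { $pass[$_.Filter] = $_.Passes }
if ($pass['Desktop (memory)'] -and $pass['Laptop (memory)']) {
    Write-Warning 'Mixed memory form factors: both memory filters pass on this machine.'
}
if ($pass['Laptop (memory)'] -ne $pass['Laptop (battery)']) {
    Write-Warning 'Memory-based and battery-based laptop filters disagree on this machine.'
}
```

A warning on a test machine means the two laptop detection methods would scope the GPO differently there, so pick the query that matches that hardware before relying on the filter.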

Happy filtering!