Windows Management Instrumentation (WMI) Filtering for Group Policy Objects

During my recent work with a local law firm, overhauling their network and designing a new Active Directory (AD) domain structure, I have learned some tricks. One is WMI Filtering for applying an entire Group Policy Object (GPO).

Windows Management Instrumentation (WMI) Filtering is a feature in the Group Policy Management Console (GPMC) on Windows Server operating systems that lets you attach conditional logic to a GPO, deciding whether or not it applies to a specific computer within its assigned Organizational Unit (OU). Here's an example filter taken from the Security Baseline for Windows 10 (Draft):

Internet Explorer 11.mof

instance of MSFT_SomFilter
{
    Author = "Administrator@JST4KXS.local";
    ChangeDate = "20131215210840.077000-000";
    CreationDate = "20131031204931.789000-000";
    Description = "Applies Internet Explorer 11 Settings";
    Domain = "JST4KXS.local";
    ID = "{F78EB5A2-B8C0-49FC-BB29-86DD2D3E0B15}";
    Name = "Internet Explorer 11";
    Rules = {
        instance of MSFT_Rule
        {
            Query = "SELECT * FROM CIM_Datafile WHERE Name = 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' AND Version LIKE '11.%'";
            QueryLanguage = "WQL";
            TargetNameSpace = "root\\CIMv2";
        }
    };
};

The first section, from Author to Name, can be mostly whatever you want if you plan on importing the filters into a new domain. The Name will appear in the drop-down menu at the bottom of the settings screen for the GPO in the GPMC, and the Description will appear if you open the filter itself in the GPMC.

Below 'instance of MSFT_Rule' is a WQL query (the QueryLanguage line names the language). In this case it selects computers where Internet Explorer exists and the Version of iexplore.exe is like '11.%'. The rule also specifies the query language and the namespace, which is required for most WMI queries.

When a workstation authenticates to AD and is going through the list of policies to apply, the Domain Controller (DC) will make a WMI query to the workstation before deciding whether or not a GPO with this filter set should be applied. If the workstation returns TRUE ('Yes, I have Internet Explorer 11 installed'), then the GPO will apply.

Another WMI Filter that comes with the Security Baseline for Windows 10 (Draft) is this one:

Windows 10.mof

instance of MSFT_SomFilter
{
    Author = "Administrator@JST4KXS.local";
    ChangeDate = "20130627235040.542000-000";
    CreationDate = "20130627233058.196000-000";
    Description = "Applies Windows 10 Settings";
    Domain = "JST4KXS.local";
    ID = "{6EB48A2A-F3FF-462E-8A93-318A5466141E}";
    Name = "Windows 10";
    Rules = {
        instance of MSFT_Rule
        {
            Query = "Select * from Win32_OperatingSystem WHERE Version LIKE \"10.0.%\" and ProductType = \"1\"";
            QueryLanguage = "WQL";
            TargetNameSpace = "root\\CIMv2";
        }
    };
};

Again, the part that matters is the MSFT_Rule, which selects computers where the Win32_OperatingSystem's Version property is like "10.0.%" and its ProductType property is "1". If both conditions are met, the GPO this filter is assigned to will apply.
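Before attaching either filter to a GPO, it is worth checking what its query actually evaluates to on a representative machine: a WMI filter is TRUE when the query returns at least one instance and FALSE when it returns none. The PowerShell below is an added example, not part of the original post or the Security Baseline; the function name Test-WmiFilterQuery is chosen here, and the two queries are the ones from the .mof files above with the MOF string escaping unwound.

```powershell
# Added example: evaluate WMI-filter WQL queries locally the way the Group Policy
# client does. TRUE = the query returned at least one instance (GPO would apply),
# FALSE = it returned nothing (GPO would be skipped).
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMv2'   # matches TargetNameSpace in the .mof
    )
    # -ErrorAction Stop so a malformed query surfaces as an error rather than a silent FALSE.
    $instances = Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop
    return [bool] ($instances | Measure-Object).Count
}

# Queries from the post. In the .mof, "\\\\" is MOF escaping for "\\", which WQL
# in turn reads as one literal backslash in the path. PowerShell does not treat
# backslash as an escape character, so the WQL form can be pasted as-is.
$filters = [ordered]@{
    'Internet Explorer 11' = "SELECT * FROM CIM_Datafile WHERE Name = 'C:\\Program Files\\Internet Explorer\\iexplore.exe' AND Version LIKE '11.%'"
    # ProductType 1 = workstation, 2 = domain controller, 3 = server, so this
    # filter also keeps the GPO off servers and DCs that happen to run 10.0.x.
    'Windows 10'           = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.%" AND ProductType = "1"'
}

foreach ($entry in $filters.GetEnumerator()) {
    $result = Test-WmiFilterQuery -Query $entry.Value
    $verdict = if ($result) { 'TRUE  (GPO would apply)' } else { 'FALSE (GPO would be skipped)' }
    '{0,-22} -> {1}' -f $entry.Key, $verdict
}
```

On a domain-joined machine, `gpresult /r` lists GPOs that were skipped for this reason under "Filtering: Denied (WMI Filter)", which is the quickest way to confirm the filter behaved as intended after linking it.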

My Thoughts

My first thought is that this would be useful for separating your GPOs by operating system version without having to create separate OUs for them. If your office runs multiple versions of Microsoft Office, you may be able to use WMI filtering to apply only the correct GPO to each workstation, because every version of Office, whether it be 2010 or 2016, has two separate group policy templates: one for 64-bit and one for 32-bit. I plan on experimenting more with this feature in the future because it seems interesting.
