How to make a WMI Filter?

WMI Filters are nothing new, but I believe they are not used as widely as they could be, which leads to complex OU structures in your domain just to get GPOs targeted to the right devices. A structured OU policy is fine of course, encouraged even, but there may be circumstances where targeting a GPO is not easy within a given structure, and you don’t want a GPO to apply to other devices that may share an OU. Anyway, none of that really matters here; what I wanted to write about is something that has bugged me since the first time I wanted to use WMI filters: how do I make one?

It’s easy enough to search the internet for examples of pre-made WMI filters, or even to find one that fits your needs. What always puzzled me, however, was the query language itself, and how to work out whether a filter is going to work without setting up a test machine, or a test policy linked to a test WMI filter.

I finally stumbled on the answer yesterday when trying to answer a question on how to target Multipoint Servers in a given OU structure. If you do a search online you will definitely hit on results about using the Windows Version number as a filter, something like this from the Directory Service team blog:

SELECT Version FROM Win32_OperatingSystem WHERE Version < "6"

The above WQL query returns true for any operating systems older than Vista (so Windows XP and Windows Server 2003).

SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "6.0%"

The above WQL query returns true for only Windows Vista or Windows Server 2008 operating systems.

SELECT Version FROM Win32_OperatingSystem WHERE Version = "5.1.2600"

The above WQL query returns true only if the operating system is Windows XP Service Pack 2.

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0.%" AND ProductType <> "1"

Which is fine, but it doesn’t fit my needs, because MultiPoint 2011 shares a common version number with other versions of Server 2008 R2, as does SBS 2011, or MultiPoint 2012 with Server 2012.

Having done a fair bit of work with PowerShell over the last two years, I know that there is a value inside WMI named ‘Caption’, which is part of Win32_OperatingSystem. A quick PowerShell command can reveal my OS Caption.

[Image: OS Caption]

Herein lies my problem. Sure, I know how to reveal this value in PowerShell, but how do I do it in a way that a WMI Filter will apply to the right devices? In other words, how do I write a WMI Query?

Being lazy, I like to copy other people’s work and tweak it for my own purposes. Given that the above code will find me a machine with a version like 6.0, I tried this:

SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "Microsoft Windows MultiPoint Server 2011*"

Which did not work.

[Image: WMI Query]

[Image: WMI GPO Fail]

So then I tried to be more specific.

SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows MultiPoint Server 2011"

Which did not work either, and to be honest, left me more than a little confused.

Every other time I did WMI work I hit this question:

“..there must be a better way to build these filters..”

With this result:

“.. oh well, I’ve done it now..”

So this time I decided I really should work on finding a way to do it.

Enter WBEMTest, an amazing little utility built into Windows. If you load it up on a machine that you want to target, you can run queries against the local machine to find exactly the right value that you need for your filter.

Simply click Start, and type in WBEMTest.

[Image: WBEMTest]

I knew that the value I wanted was part of Win32_OperatingSystem

(although at this point I was wondering whether CAPTION was indeed part of this class at all!)

Inside WBEMTest, we can connect to the relevant Namespace, which is root\cimv2.

[Image: WBEMTest RootCIMv2]

Once we have done that, we can run a Query.

[Image: WBEMTest Query]

I just want to find out what values are available as part of Win32_OperatingSystem at this point, so we can search for this:

select * from Win32_OperatingSystem

[Image: WBEMTest Query 2]

Really simple query, and hopefully does not need any explanation. The result should be everything from Win32_OperatingSystem.

Once we apply the query, we will see if we get any results or not.

If we do, we can review those results by double clicking on the item shown.

[Image: WBEMTest Query Result]

Scrolling down, I found that CAPTION did indeed exist, and what’s more it seemed to match what I had searched for, with one subtle difference.

[Image: WBEMTest Query Result 2]

If you double click on the caption properties, you can see why my query failed.

[Image: WBEMTest Query Result 3]

Oddly, the CAPTION for MultiPoint seems to have a trailing space, so querying for "Microsoft Windows MultiPoint Server 2011" would fail where "Microsoft Windows MultiPoint Server 2011 " would have succeeded.

Annoying indeed. However, you might then wonder why the query I used above with the LIKE operator did not succeed; I certainly was.

Well, I decided to find out.

With my new favourite tool I tried out the query I entered above, which resulted in an error.

[Image: WBEMTest Query Result 4]

What I had forgotten, and what was in plain sight at the top of the page, is that * is not a wildcard in WMI like it is in PowerShell; rather, you need to use a %.

So, amending the query to correctly use a wildcard, I got the intended results. I now had a WMI filter I could use to target only servers running Windows MultiPoint.

[Image: WMI Query2]

You can also see my GPO is now no longer denied by WMI, even though it is not actually applied to the computer as it is only an empty test GPO.

[Image: WMI GPO Success]

Of course this process can be amended to find any value contained within WMI, which is essentially anything you could possibly want to know about any computer on your network.
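The same check can be scripted. The PowerShell below is an added example, not code from the original post: it runs candidate filter queries against the local machine and prints the Caption in brackets so that trailing whitespace is visible. `Test-WmiFilterQuery` is a hypothetical helper name, and the third query is the % form the text describes, since the final query survives here only as an image.

```powershell
# Added example: evaluate candidate WMI filter queries on the machine you want to target.
# A GPO WMI filter evaluates to true when its query returns at least one instance.
function Test-WmiFilterQuery {   # hypothetical helper name, not a built-in cmdlet
    param(
        [Parameter(Mandatory)] [string[]] $Query,
        [string] $Namespace = 'root\cimv2'
    )
    foreach ($q in $Query) {
        try {
            $rows = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop)
            [pscustomobject]@{ Query = $q; Matches = ($rows.Count -gt 0); Error = $null }
        }
        catch {
            # Invalid WQL surfaces here as an error instead of looking like a non-match
            [pscustomobject]@{ Query = $q; Matches = $false; Error = $_.Exception.Message }
        }
    }
}

# Show the exact Caption, bracketed so a trailing space cannot hide
$caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
'Caption: [{0}] length={1} trimmed length={2}' -f $caption, $caption.Length, $caption.Trim().Length

# Candidates: the two failed attempts from the article, then the % wildcard form
$candidates = @(
    'SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "Microsoft Windows MultiPoint Server 2011*"',
    'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows MultiPoint Server 2011"',
    'SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "Microsoft Windows MultiPoint Server 2011%"'
)
Test-WmiFilterQuery -Query $candidates | Format-List
```

Run it on a machine the GPO should reach and on one it should not; a filter that never matches leaves the linked policy unapplied on every machine, so both results are worth confirming before linking the filter.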

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

3 Responses to How to make a WMI Filter?

  1. Akshay Joshi says:

    Hi Robert
    I have been working on WMI filters recently. I am using MS APIs to create those. I won’t be using MS Group Policy Management Console for WMI filters.
    I have a query regarding mswmi-parm2.
    It stores a WQL query along with some metadata. The numeric part 1;3;10;16(example), what does it mean?
    Any help would be appreciated.
    Thank you
    Akshay Joshi
