Group policy WMI filter not applying to expected server

Question

Group policy WMI filter not applying to expected server

James Edmonds 771

Hi,

I have the below WMI filter to select just desktop class windows installs (Win 10, 11 etc.), and also any server that is a Terminal Server/Remote Desktop Server:

If I log into one of our RDSH servers and do a WMI query in powershell, I can find in the TerminalServices namespace, that the TerminalServerMode is set to 1. Therefore, I expect the WMI filter to apply.
Unfortunately, I can see the GPO using this filter is filtered out with a FALSE flag next to the WMI query.

I am wondering if anyone can explain why it would not be marked as true?
Is it because the queries are cumulative rather than "any"? i.e. is it looking for a desktop class OS that is also a terminal server?
If that's the case, is there a way I can modify my filter so it looks for either, rather than both?

Many thanks.
James

Daisy Zhou 13,021 Reputation points Microsoft Vendor

2022-06-30T05:41:30.88+00:00

Hello JamesEdmonds-7766,

I would like to know how things are going on your end? If you have any further question or concern about this case, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
James Edmonds 771 Reputation points

2022-07-01T08:16:09.333+00:00

Hi Daisy,

I have now created a separate GPO with the same settings as my original, applied the terminalserver WMI filter to it, and enabled loopback processing to capture user settings specifically for that machine.

The GPO side of things is working, now I have another issue with remote desktop services I am looking into that prevents the GPO settings from applying.

Thanks
James

Daisy Zhou 13,021 Reputation points Microsoft Vendor

2022-06-30T05:41:30.88+00:00

Hello JamesEdmonds-7766,

I would like to know how things are going on your end? If you have any further question or concern about this case, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
James Edmonds 771 Reputation points

2022-07-01T08:16:09.333+00:00

Hi Daisy,

I have now created a separate GPO with the same settings as my original, applied the terminalserver WMI filter to it, and enabled loopback processing to capture user settings specifically for that machine.

The GPO side of things is working, now I have another issue with remote desktop services I am looking into that prevents the GPO settings from applying.

Thanks
James

Answer 1

Daisy Zhou 13,021 Microsoft Vendor

Hello JamesEdmonds-7766,

Thank you for posting here.

From the following link, we can see if we want to use "WMI Filter" to filter "Windows Server Roles", it is
"root\CIMv2" instead of "root\CIMv2\TerminalServices".

WMI Filter
https://blog.andreas-schreiner.de/2016/09/09/wmi-filter/z

So if you want to filter Desktop OS and terminal servers to apply GPO, you can try:

root\CIMv2

SELECT * FROM Win32_OperatingSystem WHERE ProductType="1"

and

SELECT TerminalServerMode FROM Win32_TerminalServiceSetting WHERE TerminalServerMode = 1

For example:

Hope the information above is helpful.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

James Edmonds 771 Reputation points

2022-06-23T08:29:15.02+00:00

Hi Daisy,

That link does not redirect to a page with anything to do with WMI?

All guidance I have seen online, and even in testing the WMI in powershell, it seems to suggest what I was doing was correct:
https://focusedit.co.uk/54-group-policy-wmi-filter-for-remote-desktop-server/

My more important part of the query, is that when these two filters are used together, I think it means it is looking for a "Desktop OS" that is ALSO a "Terminal Server".
I need to know how the WMI filter should be constructed, so that it looks for EITHER a desktop OS or a terminal server.

Many thanks
James
Daisy Zhou 13,021 Reputation points Microsoft Vendor

2022-06-24T06:33:08.267+00:00

Hello JamesEdmonds-7766,

Thank you for your reply.

After my further research, I think you are right.

root\CIMv2\TerminalServices
SELECT TerminalServerMode FROM Win32_TerminalServiceSetting WHERE TerminalServerMode = 1

So let focus on the WMI filter issue.

Please confirm the following information:

1.Did you put desktop class windows installs (Win 10, 11 etc.) and Terminal Server/Remote Desktop Server and maybe other machines except Win 10, 11 etc and Terminal Server on one OU (it is a parent OU)?
2.Did you link one GPO with the WMI filter you mentioned to this OU?
3.If you link this WMI filter to this GPO, would you please check whether the GPO is applied to desktop OS or Terminal Server after you update GPO? Or this GPO only applied to one machine (that is desktop OS and also Terminal Server)?

For the third point, please check as below:
1.Logon on desktop OS or Terminal Server using administrator.
2.Open CMD (run as administrator).
3.Run gpresult /h C:\gpo.html and click Enter.
4.Open gpo.html and check if the GPO is applied to desktop OS or Terminal Server under "Computer Details".

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
James Edmonds 771 Reputation points

2022-06-24T16:21:42.2+00:00

Hi Daisy,

Our desktop class OS machines and remote desktop servers are in two distinct OUs/OU trees.
The GPO contains user and computer settings, so we have linked it to the root of the domain.
We apply the WMI filter for desktop class OS, so that the computer settings only apply to desktop computers. If I have both the operating system and temrinal server WMI filters added to the WMI filter, it then applies to NEITHER sets of computers. I think this is because the filters are cumulative, so it is looking for a machine that matches BOTH queries, rather than EITHER of the queries.

Many thanks
James
Daisy Zhou 13,021 Reputation points Microsoft Vendor

2022-06-27T07:21:41.88+00:00

Hello JamesEdmonds-7766,

Thank you for your reply.

Based on the description below, I think you are right.

If I have both the operating system and temrinal server WMI filters added to the WMI filter, it then applies to NEITHER sets of computers. I think this is because the filters are cumulative, so it is looking for a machine that matches BOTH queries, rather than EITHER of the queries.

Here are my suggestions for your references.

One:
Because your desktop class OS machines and remote desktop servers are in two distinct OUs/OU trees, you can create two GPOs (desktop class OS GPO AND remote desktop servers GPO), and create two WMI filters (WMI desktop class OS machines AND WMI remote desktop servers)

WMI desktop class OS machines links to desktop class OS GPO
And WMI remote desktop servers links to remote desktop servers GPO
Desktop class OS GPO AND remote desktop servers GPO may have the same GPO settings.
You can link desktop class OS GPO to desktop class OS OU and link remote desktop servers GPO to remote desktop servers OU.

Two:

Create security filtering as the first one suggestion.

Hope the information above is helpful.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
James Edmonds 771 Reputation points

2022-06-27T09:34:39.677+00:00

Thanks Daisy.

I was considering two separate GPOs with separate WMI filters already, I was just hoping there was a way to do it under one GPO with a single WMI filter.

Nevermind.

Thanks
James
Daisy Zhou 13,021 Reputation points Microsoft Vendor

2022-06-28T02:54:19.85+00:00

Hello JamesEdmonds-7766,

Thank you for your reply.

It seems to be not possible with a single WMI filter in your case.

Best Regards,
Daisy Zhou

Answer 2

James Edmonds 771

Not possible to do what I wanted originally, as WMI filters are cumulative.

I have duplicated my GPO, and put a separate WMI filter on each to achieve my goal.

Daisy Zhou 13,021 Reputation points Microsoft Vendor

2022-07-04T07:19:10.05+00:00

Hello JamesEdmonds-7766,

Thank you for your reply.

I am so glad that you duplicated the GPO and put a separate WMI filter on each to achieve your goal.

Best Regards,
Daisy Zhou

Group policy WMI filter not applying to expected server

2 answers

Activity