In a previous article about WMI filters for Group Policy, I identified simple filters to make sure that GPOs will only apply to machines running a specific operating system such as Windows 7. This is helpful for separating workstations based on OS, but one of the most commonly asked for filter is whether the client is running on laptop or desktop hardware.
Many admins (myself included) use group membership to manage GPO distribution by adding computers or users to an Active Directory group and then adding that group using the Advanced options in the Delegation tag inside the Group Policy Management Console (gpmc.msc).
In this example I’ve used a policy named GPO_LogonScript and then created a Active Directory group named DENY_GPO_LogonScript. This is handy for testing things like logon scripts so that you ensure that a group of users or computers block the processing of certain policies. You can achieve the same thing by using different OUs specifically for testing, but this allows you to not disrupt the other regular configurations and policies.
For us to use this method for laptops, we would have to explicitly add the laptop computer objects into an Active Directory group and apply the Deny attribute to the Apply Group Policy setting. While that will work, it requires manual intervention and as most of us know, manual changes lead to missed changes.
WMI Filtering for Hardware
This is where we can use the magic of WMI filters to automate the task of identifying a workstation type based on WMI properties. For my sample, I have a filter named Windows 7 Desktop Only where I am filtering based on the Caption property of the Win32_OperatingSystem class to define Windows 7, and also by the FormFactor property of the Win32_PhysicalMemory class.
The FormFactor property tells us what type of memory module is installed in the hardware device. For SODIMM memory which is used for laptops the FormFactor value will be 12. So to isolate the hardware type as desktop you simply use this query:
Select * from Win32_PhysicalMemory WHERE (FormFactor != 12)
Or for laptop detection, you want the query to be set to equal 12:
Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)
Another method to detect hardware as laptop only is to look for the presence of a battery based on the BatteryStatus property of the Win32_Battery class.
By using the Win32_Battery class, we can search to see if there is a battery present. If the battery status is not equal to zero ( BatteryStatus <> 0 ) then you know that it is a laptop.
Select * from Win32_Battery WHERE (BatteryStatus <> 0)
On my laptop, I can run a GPRESULT /V and the filtered GPOs show up as Denied (WMI FIlter):
As always you will have to test these out and flavor taste according to your specific environment. You can also use these WMI filters inside SCCM, SMS, PowerShell and a variety of other management tools and scripts in order to report, manage and monitor on your environment.
Happy filtering!
Great post, Eric.
This WMI filter for GPO is quite the hot topic around AD administrators circles and considered the Holy Grail of filters. The memory formula ‘usually’ works, however, all modern Dell computers (laptops and desktops) report a memory form factor of 8, so it unfortunately doesn’t work form them.
The Batter Status filters if you want to catch laptops, but unfortunately, it doesn’t help in identifying desktops (there’s no batter status field, so it doesn’t even return 0 or NULL).
Cheers!
Matt
@mattvogt
Thanks Matt!
You are absolutely right about the limits of the 2 query types. It is a challenge to find the ideal because each can get different results. We could also blame Dell
I’ve got a hybrid of the two running. For Desktops I look for FormFactor and for laptops I look for battery. You would think that there would be a nice simple Laptop=1 field somewhere.
Eric
Oh, I do blame Dell, or at least their main board/memory manufacturer choices
Wouldn’t that be great? My great hope is that client side targeting (ala GPPs) will eventually come to GPOs.