
WMI Filters for Group Policy to manage Windows Server versions

This post contains some example WMI filters for you to use in Group Policy Objects (GPOs) to target and manage specific Windows Server versions like 2012R2, 2016 and Windows Server 2019.

Using Windows Management Instrumentation, or WMI, Windows admins can create filters to apply GPOs more granularly to specific versions of Windows Server. In this post I provide some basic examples.

If you use PowerShell 5.1, you can verify WMI filters with Get-WmiObject against the Win32_OperatingSystem class:

PS C:\> Get-WmiObject -Class Win32_OperatingSystem | Select Version, ProductType
PS C:\> Get-WmiObject -Class Win32_OperatingSystem | Select Version,Name,ProductType

By selecting Name, it’s easy to match Windows Server 2012 R2. It’s recommended to use a LIKE sub-selection:

Select Name From Win32_OperatingSystem Where Name Like '%Windows Server 2012 R2%'

In a nutshell, here are some easy-to-use WMI filter examples:

# Windows Server 2012 R2 and 2016 by Name
Select Name From Win32_OperatingSystem Where Name like '%Windows Server 2012 R2%' Or Name Like '%Windows Server 2016%'
# Windows Server 2016 by Version
Select Version From Win32_OperatingSystem Where Version Like "10.0.14%"

Why did I use Like "10.0.14%"? Simply because Windows Server 2019’s version number also starts with 10.0. So by not adding .14 I’d also match Windows Server 2019:

# Windows Server 2016 and 2019 by Version
Select Version From Win32_OperatingSystem Where Version Like "10.0%"

And finally to only target Windows Server 2019:

# Windows Server 2019 by Version
Select Version From Win32_OperatingSystem Where Version Like "10.0.17%"

If you want to match Windows Server 2022 in a GPO WMI filter, so you can enable HTTP/3 on Windows Server 2022 only, use the following WQL (WMI query):

# Windows Server 2022 by Version
SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "10.0.20%"

In PowerShell, this gives you:

Get-CimInstance -Namespace root\cimv2 -Query "SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE '10.0.20%'" | Select Version

Version
-------
10.0.20348
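
The version filters above never test ProductType, although the earlier Select output shows it. As an added example (not part of the original post), this PowerShell script evaluates version-only and ProductType-qualified filters on the local machine; the helper name Test-GpoWmiFilter and the ProductType conditions are assumptions added here.

```powershell
# Added example. Test-GpoWmiFilter is a hypothetical helper, not a built-in cmdlet.
# Group Policy applies a filtered GPO when the WQL query returns at least one
# instance, so "any result" is reported here as Applies = True.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\cimv2'
    )
    try {
        $result = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($result.Count -gt 0)
    }
    catch {
        # For this test, a query that fails to run is reported as a non-match.
        Write-Warning "Query failed: $Query ($($_.Exception.Message))"
        return $false
    }
}

# ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
# Client builds share version numbers with servers (Windows 10 1607 is also
# 10.0.14393, Windows 10 1809 is also 10.0.17763), so a version-only filter
# linked to an OU that holds clients matches them too.
$filters = [ordered]@{
    'Server 2016, version only'  = 'SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "10.0.14%"'
    'Server 2016, no clients'    = 'SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "10.0.14%" AND ProductType <> 1'
    'Server 2019, version only'  = 'SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "10.0.17%"'
    'Server 2019, no clients'    = 'SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "10.0.17%" AND ProductType <> 1'
    'Server 2022, member server' = 'SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "10.0.20%" AND ProductType = 3'
}

# Show what the local machine reports, then which filters it would pass.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
'Local machine: {0} (Version {1}, ProductType {2})' -f $os.Caption, $os.Version, $os.ProductType

foreach ($name in $filters.Keys) {
    [pscustomobject]@{
        Filter  = $name
        Applies = Test-GpoWmiFilter -Query $filters[$name]
    }
}
```

Run it on one machine of each type you manage (client, member server, domain controller) before linking the GPO, and compare the Applies column with what you intend.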

Match computer name in GPO WMI Filter

If you need to match a computer name in your GPO WMI Filter, you can use the following:

# Match computer name in GPO WMI Filter
Select Name From Win32_ComputerSystem Where Name = "server name"

Using this, a GPO is only applied if the computer (or server) name matches. Otherwise it is filtered out.

Not Like WMI Query

If you want to filter out one or two specific hosts, you can negate your query by using NOT LIKE in a WMI query. The syntax is very confusing and not intuitive. Here is how to do a WMI query for items that are NOT what you want:

Get-CimInstance -Namespace root\cimv2 -Query "SELECT Name FROM Win32_ComputerSystem WHERE NOT (Name LIKE 'host-a%') and NOT (Name like 'host-b%')" | Select-Object Name

Get-WmiObject deprecated in PowerShell 6.2 and up

Note: in PowerShell 6.2 and up, the WMI v1 cmdlets, like Get-WmiObject, are deprecated. See Breaking Changes for PowerShell 6.x. You now have to use the CIM (aka WMI v2) cmdlets, for example Get-CimInstance.

PS C:\> Get-CimInstance -Class Win32_OperatingSystem | Select Version, ProductType

Version    ProductType
-------    -----------
10.0.17763           3

WMI Filters conclusion

Using WMI filters like these in Group Policy Management Console, you can fine-tune your GPO targeting. It is a powerful tool in your automation. If needed, you can even query the hardware manufacturer in your script:

(Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer

2 thoughts on “WMI Filters for Group Policy to manage Windows Server versions”

  1. Pingback: Jan Reilink

  2. Windows Server 2016 was finally released last week, meaning we can finally lift the idiotic 260 characters limitation for NTFS paths. In this post I’ll show you how to configure the Enable Win32 long paths setting for the NTFS file system, through Group Policy (a GPO). Also for Windows Server 2019.


    Note: this also applies to Windows Server 2022 and Windows Server 2019.

    Maximum Path Length Limitation (MAX_PATH) in Windows Server

    Microsoft writes about the Maximum Path Length Limitation on MSDN, and they write:

    Maximum Path Length Limitation

    In the Windows API (with some exceptions discussed in the following paragraphs), the maximum length for a path is MAX_PATH, which is defined as 260 characters. A local path is structured in the following order: drive letter, colon, backslash, name components separated by backslashes, and a terminating null character. For example, the maximum path on drive D is “D:\some 256-character path string<NUL>” where “<NUL>” represents the invisible terminating null character for the current system codepage. (The characters < > are used here for visual clarity and cannot be part of a valid path string.)

    Microsoft Developer Network: Naming Files, Paths, and Namespaces

    In the past, this 260 characters limitation caused errors and discomfort. Especially in the web hosting industry where you sometimes have to be able to save long file names. This resulted in (too) long paths and thus errors.

    For example, have a look at this WordPress #36776 Theme update error Trac ticket. Which was a duplicate of #33053 download_url() includes query string in temporary filenames.

    Fortunately, this limitation can now be unset and removed. Per default the limitation still exists though, so we need to set up a Local Group Policy. Or a Group Policy (GPO) in my case, since my server is in an Active Directory domain network.

    In this post you’ll learn how to set up a GPO to enable NTFS long paths in Windows Server 2016 and Windows Server 2022/2019 using the LongPathsEnabled registry value.

    Note: enabling “Long Paths” doesn’t magically remove the 260 character limit, it enables longer paths in certain situations. Adam Fowler has a bit more information about this. Or are you wondering how to increase the configured maxUrlLength value in Windows Server & IIS? This’ll fix an IIS error The length of the URL for this request exceeds the configured maxUrlLength value.

    But first things first.

    You need to be able to set up this GPO using administrative templates (.admx) for Windows Server 2016. Because, in my situation, my Active Directory server is Windows Server 2012 R2 and doesn’t provide GPO settings for 2016.

    Download Administrative Templates (.admx) for Windows 10 and Windows Server 2016 and 2019

    If you are, as me, on Windows Server 2012 R2, you need administrative templates (.admx files) for Windows Server 2016 to configure 2016 specific Group Policy Objects. Same goes for Server 2019.

    These few steps help you setting them up in your environment.

    Download and install administrative templates for Windows Server 2016 and 2019 in your Windows Server 2012 R2 Active Directory

    Follow these steps:

    1. Download Windows 10 and Windows Server 2016 specific administrative templates – or .admx files.
    2. Install the downloaded .msi file Windows 10 and Windows Server 2016 ADMX.msi on a supported system: Windows 10, Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2. You also need user rights to run the Group Policy Management Editor (gpme.msc), or the Group Policy Object Editor (gpedit.msc). But that’s for later use.
    3. The administrative templates are installed in C:\Program Files (x86)\Microsoft Group Policy\Windows 10 and Windows Server 2016, or whatever directory you provided during the installation. Copy over the entire folder PolicyDefinitions to your Primary Domain Controller’s SYSVOL\domain\Policies directory.
    4. Verify you’ve copied the folder, and not just the files. The full path is: SYSVOL\domain\Policies\PolicyDefinitions. This is explained in Microsoft’s Technet article Managing Group Policy ADMX Files Step-by-Step Guide.

    That’s it, you now have Group Policy Objects available for Windows Server 2016. Let’s enable Win32 long paths support now.

    Configure Enable Win32 long paths Group Policy

    Protip: learn how to set up WMI filters for Group Policy.

    Now that you have your Windows Server 2016 Group Policy Objects available, it’s time to setup a GPO to enable NTFS long path support. Create the GPO in your preferred location, but be sure to target it on Windows Server 2016 only.

    Please note that the GPO is called Enable Win32 long paths, not NTFS.

    Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process.

    Start your Group Policy Management console and click through to the location where you want to add the GPO. Create a new GPO: Create a GPO in this domain, and Link it here..., and provide your GPO with a relevant name.

    In the Settings tab, right click and choose Edit…. Now under Computer Configuration in the Group Policy Management Editor, click through to Policies > Administrative Templates > System > Filesystem. Configure and enable the Setting Enable Win32 long paths.

    Configures “Enable Win32 long paths” GPO

    GPO Enable Win32 long paths Settings overview

    This is all you have to do to create the Group Policy for long Win32 paths. All that is left is to run gpupdate in an elevated cmd.exe command prompt.

    Verify LongPathsEnabled registry value

    If needed, you can use the following cmd.exe or PowerShell commands to verify the LongPathsEnabled registry value is set correctly:

    C:\>reg query HKLM\System\CurrentControlSet\Control\FileSystem /v LongPathsEnabled

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem
    LongPathsEnabled REG_DWORD 0x1

    PS C:\> (Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\FileSystem").LongPathsEnabled
    1

    Don’t forget about your Windows Server 2022 and Windows Server 2019 servers.