Posey's Tips & Tricks

Can Group Policy Settings Be Applied to Hyper-V VMs?

As Brien shows, here's where WMI filtering comes in handy.

As someone who writes a lot about Hyper-V, I tend to be asked a lot of Hyper-V-related questions. There are several that I get asked pretty often, such as, "Is Hyper-V free?" or "Is Hyper-V compatible with VMware?"

Every once in a while, though, someone asks me a question that I have to stop and think about. Such was the case when someone at the VMworld conference asked me if there is a way to apply group policy settings to Hyper-V virtual machines (VMs), while avoiding applying the policies to physical machines.

By far the easiest way to accomplish this goal is to place VMs into one OU and place physical machines in another. You can then define policy settings for the OU that contains the VMs. But what if there is an existing OU structure and changing it is not an option?

In this case, you will have to resort to using WMI filtering. The idea behind using WMI filtering is that at the PowerShell level, Windows is able to differentiate between a physical server and a Hyper-V VM. Let me show you what I mean.

You can use the Get-WMIObject cmdlet within PowerShell to determine a computer's model (at least, as Windows sees it). The command for doing so is:

Get-WMIObject Win32_ComputerSystem | Select-Object Model

Figure 1 shows what happens when you run this command on a physical machine.

[Click on image for larger view.] Figure 1: This is what happens when I retrieve the computer model on a physical server.

In this case, I end up with a generic message indicating that the model is to be filled in by the OEM. The reason why that message appears is because this is a computer that I built myself, as opposed to buying it from an OEM.

Now, let's take a look at what happens when I run the same command inside of a Hyper-V VM. You can see the results in Figure 2.

[Click on image for larger view.] Figure 2: PowerShell reports that Windows is running on a VM.

There are two important takeaways from this. First, Windows can distinguish between a physical and a VM. Second, this only works with Hyper-V. If you are using another hypervisor, you will likely see results that are somewhat different.

So because Windows lists the model type of Hyper-V VMs as "Virtual Machine," we can easily filter against that when applying a group policy.

Microsoft has a great article here that explains how to create a WMI filter that queries based on the Windows version. That way, group policy settings can be applied to a specific version of Windows. The filtering command that Microsoft provides in that article is:

Select * from Win32_OperatingSystem where Version like "6.%"

We can apply this same basic technique to filter based on whether a copy of Windows is running on a VM. The command used for doing so might look something like this:

Select * from Win32_ComputerSystem where Model = "Virtual  Machine"

It is worth noting that if you try to enter the command above directly into PowerShell, you will get an error. That's because this is a query, not really a full-blown PowerShell cmdlet. In fact, you will notice that it uses an equal sign rather than -EQ.

So now that you know what query to use, all you have to do is to add it to the Group Policy Object Editor. The previously mentioned article contains detailed instructions on how to do that. All you have to do is navigate through the console to Group Policy management | <your forest> | Domains | <your domain> | WMI Filters. Now, right-click on the WMI Filters container and select the New command from the resulting shortcut menu, as shown in Figure 3.

[Click on image for larger view.] Figure 3: Right-click on WMI Filters and select the New command from the shortcut menu.

When prompted, enter a name and a description for the filter that you are creating. Finally, click on the Add button and enter your query.

The last step in the process is to apply the filter to a group policy object. If you look at Figure 4, you can see that each GPO contains a drop-down list (shown at the bottom of the screen capture) that allows you to apply a WMI filter.

[Click on image for larger view.] Figure 4: You can apply a WMI filter to any GPO.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.


comments powered by Disqus

Subscribe on YouTube