August 19, 2011 3 Comments
In my last post i talked about the Windows 7 Pro Pack, how to install it and how to use the wizard to configure it.
I also touched on the way the W7PP is targeted just to computers running Windows 7.
I wanted to cover here a bit more detail on the WMI Filter itself, (which is very simple) and also how to extend the functionality of the W7PP to other client operating systems.
I did make a hilarious reference to Jeff Goldblum’s Jurassic Park character, saying just because we can, does it mean we should?
Well, i think in this case it does. We can extend Folder Redirection and management of Windows Update, Windows Firewall and Windows Defender to XP and Vista and we should. Folder redirection.. not so much.
Now, those of you who are seasoned SBS Admins, will either A already know this or B know this already.
With SBS it is best, not to stray to far from the wizard.
The wizard likes things done his own way, and tends to get grumpy when it doesn’t.
Here we have an example of a grumpy wizard.
We all know what damage a grumpy wizard can do. Lay waste to middle earth… but i digress.
So rather than do what a lot of people will do, which is de-select the WMI filter, we can just create new GPO’s that only apply to XP or Vista. This gives us more flexibility, it also doesn’t break the W7PP.
First, let’s take a look at the W7PP WMI Filter.
If you open up the Group Policy Management Console (From Administrative Tools) You will see a section for WMI Filters.
Expanding WMI Filters, you will see the filters you have defined. We only have one so far.
Above highlighted in blue is the WMI Query used to target machines running Windows 7.
You can see that the filter is made up of a namespace, and query.
The name space is based on CIMv2, which appears to be a standard, but i can’t tell you what the root part is for.
We know that root is the beginning, but apart from that I’m lost! If anyone can explain it to me feel free.
So let’s just say we are looking at the root of the CIMv2 (by the way CIM is Common Information Model) There are a lot of namespaces you can choose to Query and with that you can find out and filter based on a lot of different things.
For example there is a root\CIMv2\power namespace and a root\CIMv2\Hardware namespace.
More resources on WMI can be found here:
The query is used to pinpoint certain attributes a computer may or may not have.
So, to query for a computer running Windows 7, the query is:
select * from Win32_OperatingSystem where Version like “6.1%” and ProductType =”1”
The first portion is straight forward enough, targeting the potential OS Attributes of the PC.
select * from Win32_OperatingSystem
(this also applies to x64bit machines as well)
Next we choose to filter based on OS version and Product type.
where Version like “6.1%” and ProductType =”1”
OS Version is simply the version of Windows that is running, and product type denotes whether it is a Client OS (Windows XP Vista or 7) or a Server, and if it is a server, is it a Domain Controller or member server.
I’ll be honest and say i am no expert in WMI but, i wanted to cover a little overview on what it does and how it works. There is a really great post here which will explain things better than i can.
WMI Filters for XP and Vista
So we now know a little about WMI and how it works, now we can go ahead and build some WMI Filters to target Windows XP and Windows Vista.
From the WMI Filters tree item, right click and click New.
A window opens and you can name your new WMI Filter, and enter a description.
Now we can click on Add, to type in our Query.
select * from Win32_OperatingSystem where Version like “5.1" and ProductType = ”1”
Click on OK to close the WMI Query box, then choose Save to save your new filter.
We can repeat the process to create a filter for Windows Vista. This time the Version number is 6.0
Click Save and you will be returned back to the GPMC, WMI Filters section. You will see your two new WMI Filters shown in the details pane.
Creating GPO’s for Windows XP and Vista
Now to put these into action. We need to create new GPO’s (Group Policy Objects) to control settings on our computers. There a number of ways to do this, but, we will just go for the most straight forward.
Right Click your domain name, and click ‘Create and Link a GPO in this Domain and link it here…’
Enter a name for your GPO, you can ignore ‘starter GPO’ click OK.
You will see your new GPO appear.
If you click your new GPO, you will see it show up in the details pane. At the bottom on you can choose to link this to your WMI Filter using the drop down menu.
A message will pop up saying, are you sure? yes we are sure, we wouldn’t be doing it otherwise would we?
Now we can edit our GPO.
Right click the GPO and choose Edit. The Group Policy Management Editor opens.
Expand the tree through, Computer Configuration > Policies > Administrative Templates > Windows Components
Under Windows Components, scroll down to Windows Update. In the details pane, you will see all the policy settings available. Double click on the first setting.
The policy setting window opens, where you can configure each setting. Click ‘Next Setting’
You can use the ‘next setting’ button to scroll through the settings without closing the window and reopening it.
Scroll through until you get to ‘Enabling Windows Update Power Management..’ You’ll notice the highlighted text, Supported on: Windows Vista, this means this policy is only available on Windows Vista or newer computers, and older OS’s will ignore the setting.
Keep scrolling through and you will get to ‘Configure Automatic Updates’
Click ‘Enabled’ then under the options, use the drop down menu and select option 4. Auto Download and Schedule the install.
Click on OK to close the Settings window.
What we have just set will tell any Windows XP Clients to download updates anytime they are available but schedule the install for 3am every day of the week. You will need to manage the power options of your XP Computers to make sure they are on at that time. You can do this locally on the PC or you can use Group Policy Preferences, which i may cover in a future post. Or you can look at this.
Now, We want to look at settings for Windows Defender (remember Windows Defender is not install on Windows XP by default, these changes will not apply unless defender is installed)
In the tree pane, scroll up to find Windows Defender.
Double click on ‘Check for New Signatures before Scheduled Scans..’ And set this to Enabled.
Use the next setting button to go through to ‘Configure Microsoft SpyNet Reporting’ Click to enable the policy setting and use the drop down to set at Advanced. A description is available of the levels in the help section to the right.
So we have told Windows Defender to look for new definitions before a scan, and also to join Spynet with Advanced membership.
You can now close the settings window, and we will move on to Windows Firewall.
You will find the Windows Firewall settings under,
Computer Configuration > Administrative Templates > Network > Network Connections.
Select the Domain Profile folder, and in the details pane, double click the first option.
Scroll through to ‘Protect All network Connections’ and set to enabled.
We will now move to, Allow Inbound file and printer sharing exception’ Set this to enabled, then under options enter ‘localsubnet’
The localsubnet string tells windows firewall that anything matching the same subnet that client pc is on is allowed to pass through the firewall.
Move onto ‘Allow ICMP exceptions’ set to enabled and ‘Allow inbound echo request’ This will allow us to ping our computers.
Next we will allow the Remote Administration exception and the Remote Desktop Exception.
The Windows firewall settings we have set here will apply only when the computer is on the domain network. If you have mobile computers and you want to enable the firewall when they are out of the office, simply go to the Standard Profile folder, set the policy to Protect All Connections, and then define the exceptions you wish.
For Windows Vista computers we can set exactly the same settings as above except for the Windows Firewall which is configured differently.
You will find the Windows Firewall with Advanced Security under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security
Right click Windows Firewall with Advanced Security and go to properties.
What will open up is the settings page where you define the firewall state for Domain, Public and Private networks.
On the domain tab, set the Firewall state to On. Set Inbound Connections Block (Default) this will block anything that is not defined in our exceptions, we will set those in a moment. Set outbound connections to Allow (Default)
You will probably want to set the options for Public and Private networks as well. These will apply when the Vista machine is not on the Domain network, so usually should be more restrictive.
You can learn more about these settings by clicking the ‘Learn more about these settings option’
Now we will create our exceptions. In the tree view move down to ‘Inbound Rules’
In the details pane right click and click New Rule. A wizard starts to build your new rule.
We want to use a predefined type of rule (exception). Select that and then from the drop down box choose File and Printer sharing. Click next.
You will be shown all the exceptions this predefined rule will add. Click next.
You will be asked what action to take when a connection matches this rule. We want to allow. Click finish.
You are taken back to the details pane and shown the new rules you have added.
You can now repeat this process and on the predefined rules page, select, Remote Administration, and then again, Remote Desktop.
You will finish up with a set of Inbound Rules like this..
We also must edit another firewall policy setting which you will find under,
Computer Configuration > Administrative Templates > Network > Network Connections > Domain Profile
The setting is ‘’Do not allow Exceptions’ We must make sure this is set to ‘Not Configured’ otherwise the exceptions we defined above will not take effect.
Having followed these steps you will have created 2 WMI filters, one to match Windows XP Clients, and one to match Windows Vista. You will also have added 2 new GPO’s to control Windows Update, Windows Defender and the Windows Firewall.