Partager via


Using WMI Filters to Disable Legal Notices on MED-V Workspaces

An issue that we have been seeing with MED-V in all versions is the issue of the use of the LegalNoticeCaption and LegalNoticeText values creating disconnects with the seamless user experience while running MED-V workspaces. While the legal notice is sufficient for logging on to the host, since the MED-V workspace is also running an underlying operating system, a logon is required for accessing the published applications running under Windows XP.

In our Best Practices guide (https://technet.microsoft.com/en-us/library/gg548491.aspx) we recommend to disable this through group policy. Customers, however, often ask, “What if I want to use the same OU for both the Windows 7 host and the Windows XP guest workspace?  How can I prevent a GPO containing the LegalNotice Caption and LegalNoticeText values from affecting the XP workspaces yet allow them to still affect the Windows 7 hosts?”

WMI Filter

The best way to do this is through a WMI filter. When you apply a WMI filter to a GPO, the GPO will only apply if the WMI filter (which is a WQL query) evaluates to TRUE. WMI filters are created and applied to a GPO using the Group Policy Management tool.

 

It is important to note that this will be best effective if the following conditions are true:

1.)    The policy regarding legal notices are applied at the OU level

2.)    The policies within the GPO for legal notice

Creating and Linking a WMI Filter to a GPO

To create and apply a WMI GPO filter, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. You will then use the GPMC to create a WMI filter that will query for a specified version of Windows. 

  1. On a computer that has the Group Policy Management feature installed, click Start, click Administrative Tools, and then click Group Policy Management. 

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand your forest and domains until you get to your desired domain level. Then click WMI Filters.

  4. Click Action, and then click New.
     

  5. In the Name text box, type the name of the WMI filter. In this example, I have created one called “MED-V OS Filter.” 

     

  6. Click Add.

  7. Leave the Namespace value set to root\CIMv2. 

  8. In the Query text box, type:

    select * from Win32_OperatingSystem where Version like "6.%"

    This will return true for computers Windows Vista or Windows 7 but not Windows XP.

  9. Click Save to save your completed filter.

  10. After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs.

  11. In the navigation pane, find and then click the GPO that you want to modify. In this example, I have created a GPO WMI Filter called MED-V OS Filter and I am applying to the Default Domain Policy.

  12. Under WMI Filtering, select the correct WMI filter from the list.

  13. Click Yes to accept the filter.

 

You will need to fully restart both the MED-V host and Workspace for this to take effect if the workspace has already been deployed.

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Excellent point, Norm! I talk about this one a little bit on my personal blog: blogs.technet.com/.../how-an-enterprise-administrator-can-determine-med-v-2-0-fts-completion-and-provide-remediation-quickly.aspx

  • Anonymous
    October 10, 2011
    If there is a mix of XP and Windows 7 in the same OU; which may occur while Windows 7 migration is occurring; I would try (meaning test this and tell me if it works) using the following WMI query in order to make sure that the yet to be migrated XP machines are not excluded from receiving this important GPO. It is the same WMI Query that used to monitor the success of first-time-setup of the MED-V workspace Set the namespace to rootmicrosoftmedv Select * from FTS_Status where StatusCode != 0 This should be true for all non-MED-V XP machines;   Windows 7 and XP alike (and those MED-V workspaces that failed first-time-setup).