3.2.5.1.7 WMI Filter Evaluation
The client MUST process the GPO to evaluate the WMI filter as follows:
The client parses the gPCWQLFilter attribute in the GPO structure and extract the WMI filter ID and domain name of the WMI filter.
The client makes a WMI Filter Search as specified below with the WMI filter ID and domain name that was computed in step 1. If this step fails due to a failure that is returned from the LDAP messages, the WMI filter evaluation MUST be skipped, and the GPO MUST be assumed to be allowed.
An LDAP SearchRequest as specified in section 2.2.5 MUST be sent from the client to the Group Policy server, and the SearchResponse received MUST be verified to satisfy the specified requirements.
The WQL query filter that is retrieved in the LDAP msWMI-Parm2 attribute MUST be evaluated by locally invoking the IWbemServices::ExecQuery method (as specified in [MS-WMI] section 3.1.4.3.18) with the following parameters:
The value of the msWMI-Parm2 attribute for the strQuery parameter.
WBEM_FLAG_RETURN_IMMEDIATELY and WBEM_FLAG_FORWARD_ONLY for the lFlags parameter.
NULL for the pCtx parameter.
If the method call is successful, the client invokes the enumerator methods (specified in [MS-WMI] section 3.1.4.4) on the returned IEnumWbemClassObject object (in the ppEnum parameter) and ensure that there is at least one CIM object returned in the query result set.
If the WMI filter cannot be evaluated due to some local error on the client, policy application MUST be terminated and an event logged using an implementation-specific mechanism, as defined in section 3.2.5.1.
If the WMI query returns no results, the GPO is considered denied; otherwise, the GPO is considered allowed.