Do I need to update my server to support new policies? When do I need to separate policies?

I just blogged about this very question over on my blog. Essentially, the question we hear a lot is: do I need to update Schema/Active Directory/Servers/functional modes etc. to support a new client OS version? I won't revisit that

Sometimes there's a need to separate policies for specific OS functions but not to "update" them. Which begs the question then....

When do I need to separate policies?

When Vista came along it introduced new functions that radically changed how some things were managed. Examples of this, though not exhaustively listed, are:

1. Firewall


3. Wireless config

4. Auditing

In these instances you really need to separate out the policies, as older settings that were designed for XP/2003 can have an unpredictable effect on Vista/2008, and it can be difficult to diagnose the overlap in the application of settings. Think about IPSEC being applied to the client through both the older method of IPSEC policy and Vista's newer method!

The best practice here is to make sure you separate out your XP/2003 policies from your Vista ones. You can use WMI filters (assuming you have no Windows 2000 left in your network), ACLs with groups (Read/Apply method), or even separate them into different OUs.

Michael Kleef

Program Manager
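
A way to check the WMI filter approach before linking a GPO, as an added example that is not part of the original post: a filter evaluates to true, and the GPO applies, when its query returns at least one instance, so running each candidate query on a target machine shows which policies it would receive and whether two OS-specific filters overlap. The filter names, the queries and the `Test-WmiFilter` function are constructed for illustration.

```powershell
# Added example, not the author's code. Filter names and queries are constructed.
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$Filters = [ordered]@{
    'XP clients'    = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '5.1%' AND ProductType = 1"
    'Vista clients' = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.0%' AND ProductType = 1"
    'Server 2003'   = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '5.2%' AND ProductType <> 1"
    'Server 2008'   = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.0%' AND ProductType <> 1"
}

function Test-WmiFilter {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Filters,
        [string] $ComputerName,                 # omit to test the local machine
        [string] $Namespace = 'root\CIMv2'
    )
    foreach ($name in $Filters.Keys) {
        $cimArgs = @{ Namespace = $Namespace; Query = $Filters[$name]; ErrorAction = 'Stop' }
        if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }

        $row = [ordered]@{ Filter = $name; Applies = $false; Error = $null }
        try {
            # Any returned instance means the filter is TRUE for this machine.
            $row.Applies = (@(Get-CimInstance @cimArgs).Count -gt 0)
        }
        catch {
            # A malformed query never matches; surface the reason instead of hiding it.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

$report = Test-WmiFilter -Filters $Filters
$report | Format-Table -AutoSize

# The OS-specific filters should be mutually exclusive. More than one match on the
# same machine means old and new settings would both apply to it.
$matched = @($report | Where-Object { $_.Applies })
if ($matched.Count -gt 1) {
    Write-Warning ("Overlapping filters: " + ($matched.Filter -join ', '))
}
elseif ($matched.Count -eq 0) {
    Write-Warning "No filter matched; this machine would receive none of the filtered GPOs."
}
```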

Comments (4)
  1. Anonymous says:

    For aakash…

    I have been using the following two filters for XP and Vista for some time now, they work fine.

    Namespace for both filters: root\CIMv2

    XP: Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional"

    VISTA: select * from Win32_OperatingSystem where Caption like '%Vista%'


  2. Fred Mackie says:

    Don’t forget the excellent TechNet webcasts on

  3. aakash says:

    What is the most efficient WMI filter for the following groups of computers:

    1. Windows XP

    2. Windows Vista

    3. Windows XP and Windows Vista

    Hopefully it won’t be so difficult to create, what should be simple, WMI filters like this in future versions of Windows.


  4. aakash says:

    whitenoiz: Thanks for the info.  I currently use this for Vista:

    SELECT Version, ProductType FROM Win32_OperatingSystem WHERE Version >= '6' AND Version < '7' AND ProductType = '1'

    This is what I use for XP:

    Select * from WIN32_OperatingSystem where ServicePackMajorVersion>=2 and Version='5.1.2600'

    I didn’t use the "like" operator because I heard that this can cause performance issues.  I unfortunately don’t recall the source of this information.  But, perhaps someone from MS can confirm this.
