  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 842

Group Policy +WMI Filter Causing LONG!!! Boot times

Started having workstations with a MAJOR lag in booting. After seeing 6005/6006 Event IDs I applied a policy that enabled verbose GP Logging. After gathering a good amount of logs from affected machines, I started using Policy Reporter to view these logs and it became clear the time lag in processing began on a certain policy. Also saw that it happened when it got to the WMI filter. We had the same thing about the same time on a totally different forest, but on a policy that also has a Windows 7 WMI filter. I removed it, but we have other policies with WMI filters; now the logs are showing them with these huge gaps in time after they start processing it... Based on the fact it is two separate forests with different policies etc., I am tending to think there may have been a Windows update (or possibly another pushed out package) that is to blame. I have also seen some 5602 WMI event IDs and messages saying that it is restoring the WMI repository from a backup file.
Asked by: mcburn13
 
footech Commented:
What is the WMI filter?  Some can take a long time.
 
mcburn13 (Author) Commented:
We have had computers taking 30-120 minutes to get to the logon prompt. Pretty basic filters; the three initial ones in question were:
select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1"
and
select * from Win32_OperatingSystem WHERE ProductType = "1" AND OSArchitecture = "64-bit"
and
select * from Win32_OperatingSystem WHERE ProductType = "1" AND NOT OSArchitecture = "64-bit"
 
footech Commented:
Yeah, I wouldn't expect those to take long at all, but I've heard of even simple ones causing issues.  You may even use something like
select ProductType, OSArchitecture from Win32_OperatingSystem WHERE ProductType = "1" AND OSArchitecture = "64-bit"

Are you saying the GPOs with the WMI filters have been in place for some time with no issue?  I haven't heard of any new issues with that, but I don't use WMI filters in my environment, so a problem related to that could have easily gone unnoticed by me.
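
One way to check the filters from this thread on an affected workstation, as an added example that is not part of the original posts: it times each WQL query in root\CIMv2 with Get-WmiObject, reports whether the filter would pass, and then verifies the WMI repository. The filter labels and the 1000 ms threshold are assumptions.

```powershell
# Added example (not from the thread): time each WMI filter query locally.
# Group Policy treats a filter as passed when the query returns at least one row.
$namespace = 'root\CIMv2'
$slowMs    = 1000   # assumed threshold for "slow"; tune for your environment

# Queries copied from the posts above; the Name labels are made up for the report.
$filters = @(
    @{ Name  = 'Win7 workstation'
       Query = 'select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1"' },
    @{ Name  = '64-bit workstation'
       Query = 'select * from Win32_OperatingSystem WHERE ProductType = "1" AND OSArchitecture = "64-bit"' },
    @{ Name  = '32-bit workstation'
       Query = 'select * from Win32_OperatingSystem WHERE ProductType = "1" AND NOT OSArchitecture = "64-bit"' },
    @{ Name  = '64-bit workstation, narrowed select'
       Query = 'select ProductType, OSArchitecture from Win32_OperatingSystem WHERE ProductType = "1" AND OSArchitecture = "64-bit"' }
)

$results = foreach ($f in $filters) {
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    $err = $null
    try {
        # -ErrorAction Stop turns a broken repository or bad query into a catchable error
        $rows = @(Get-WmiObject -Namespace $namespace -Query $f.Query -ErrorAction Stop)
    } catch {
        $rows = @()
        $err  = $_.Exception.Message
    }
    $sw.Stop()
    New-Object PSObject -Property @{
        Filter       = $f.Name
        FilterPasses = ($rows.Count -gt 0)
        ElapsedMs    = $sw.ElapsedMilliseconds
        Slow         = ($sw.ElapsedMilliseconds -ge $slowMs)
        Error        = $err
    }
}

# Slowest query first, so a stalled filter stands out
$results | Sort-Object ElapsedMs -Descending |
    Format-Table Filter, FilterPasses, ElapsedMs, Slow, Error -AutoSize

# Consistency check of the WMI repository (run from an elevated prompt).
winmgmt /verifyrepository
```

If the same query is fast here but Group Policy still stalls at the filter during boot, that points at contention on the WMI service at startup rather than at the query text.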
 
mcburn13 (Author) Commented:
I have applied these hotfixes and seeing "some" success but not 100% convinced yet.
http://support.microsoft.com/kb/929852, http://support.microsoft.com/default.aspx?scid=kb%3ben-US%3b2545227, http://support.microsoft.com/kb/929852 (50409)

I have started unlinking the policies that have WMI filters or removing the filter where I can.  After that I started seeing the policy choke on "Processing Extensions" . Now I put a GPP in place that adds the registry entry for verbose GP logging- I'm wondering if that is the first thing I see it hitting under extensions and the fact that it is set to update instead of "create". I also set "stop processing extension if error occurs" and "only apply once".  I have since disabled this policy as I hope I have enough verbose logs to  sample from

Another thought is possible Windows updates that have applied- I am wondering if one of the list below broke something or some users haven't rebooted yet since they were applied (via SCCM)

Cumulative Security Update for Internet Explorer 10 for Windows 7 Service Pack 1 (KB2957689) MS14-035            
Cumulative Security Update for Internet Explorer 10 for Windows 7 Service Pack 1 for x64-based Systems (KB2957689)        
Cumulative Security Update for Internet Explorer 11 for Windows 7 (KB2929437)              MS14-01
Cumulative Security Update for Internet Explorer 11 for Windows 7 (KB2957689)              MS14-03
Cumulative Security Update for Internet Explorer 11 for Windows 7 (KB2963950)              MS14-035      
Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KB2929437)   MS14-018
Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KB2957689)     MS14-035  
Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KB2963950)   MS14-035
Cumulative Security Update for Internet Explorer 7 for Windows XP (KB2936068)              MS14-018        
Cumulative Security Update for Internet Explorer 8 for Windows 7 (KB2957689) MS14-035        
Cumulative Security Update for Internet Explorer 8 for Windows 7 for x64-based Systems (KB2957689)  MS14-035                
Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2936068)        MS14-018            
Cumulative Security Update for Internet Explorer 9 for Windows 7 (KB2957689) MS14-035        
Cumulative Security Update for Internet Explorer 9 for Windows 7 for x64-based Systems (KB2957689)  MS14-035
 
footech Commented:
You may want to check out http://blogs.technet.com/b/grouppolicy/archive/2013/05/23/group-policy-and-logon-impact.aspx for some recommendations if you haven't seen it yet.
 
mcburn13 (Author) Commented:
What looks like happened was a bloated bundle of updates from SCCM. It caused the Windows Update Service to balloon and one of our engineers discovered that as soon as you kill that service the lag stopped and went right to the logon screen. This also must have been what caused the WMI database to break on workstations- perhaps it was some contention between the WMI filter in Group Policy running in tandem with SCCM's calls to WMI... If I get the exact root cause I will post here.
 
footech Commented:
Wish I had more to offer here.  I have some vague recollection of a blog post that I think mentioned SCCM in conjunction with a large number of WMI queries and slowing things down.  But without recalling specifics that's so thin that it's probably not worth mentioning.  If I come up with anything more specific (and it's helpful) I'll post back.
 
mcburn13 (Author) Commented:
No exact solution was found, but it appeared to be a bundle of updates from SCCM with a bad one in there, apparently crashing the WMI database.