mcburn13 asked:

Group Policy +WMI Filter Causing LONG!!! Boot times

Started having workstations with a MAJOR lag in booting. After seeing 6005/6006 Event IDs I applied a policy that enabled verbose GP logging. After gathering a good amount of logs from affected machines, I started using Policy Reporter to view these logs and it became clear the time lag in processing began on a certain policy. Also saw that it happened when it got to the WMI filter. We had the same thing about the same time on a totally different forest, but on a policy that also has a Windows 7 WMI filter. I removed it, but we have other policies with WMI filters, and now the logs are showing them with these huge gaps in time after they start processing it... Based on the fact it is two separate forests with different policies etc., I am tending to think there may have been a Windows update (or possibly another pushed out package) that is to blame. I have also seen some 5602 WMI event IDs and messages saying that it is restoring the WMI repository from a backup file.
footech

What is the WMI filter?  Some can take a long time.
mcburn13 (ASKER)

We have had computers taking 30-120 minutes to get to the logon prompt. Pretty basic filters; the three initial ones in question were:
select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1"
and
select * from Win32_OperatingSystem WHERE ProductType = "1" AND OSArchitecture = "64-bit"
and
select * from Win32_OperatingSystem WHERE ProductType = "1" AND NOT OSArchitecture = "64-bit"
Yeah, I wouldn't expect those to take long at all, but I've heard of even simple ones causing issues.  You may even use something like
select ProductType, OSArchitecture from Win32_OperatingSystem WHERE ProductType = "1" AND OSArchitecture = "64-bit"

Are you saying the GPOs with the WMI filters have been in place for some time with no issue?  I haven't heard of any new issues with that, but I don't use WMI filters in my environment, so a problem related to that could have easily gone unnoticed by me.
I have applied these hotfixes and seeing "some" success but not 100% convinced yet.
http://support.microsoft.com/kb/929852, http://support.microsoft.com/default.aspx?scid=kb%3ben-US%3b2545227, http://support.microsoft.com/kb/929852 (50409)

I have started unlinking the policies that have WMI filters or removing the filter where I can. After that I started seeing the policy choke on "Processing Extensions". Now I put a GPP in place that adds the registry entry for verbose GP logging. I'm wondering if that is the first thing I see it hitting under extensions and the fact that it is set to update instead of "create". I also set "stop processing extension if error occurs" and "only apply once". I have since disabled this policy as I hope I have enough verbose logs to sample from.
Another thought is possible Windows updates that have applied. I am wondering if one of the list below broke something or some users haven't rebooted yet since they were applied (via SCCM).

Cumulative Security Update for Internet Explorer 10 for Windows 7 Service Pack 1 (KB2957689) MS14-035            
Cumulative Security Update for Internet Explorer 10 for Windows 7 Service Pack 1 for x64-based Systems (KB2957689)        
Cumulative Security Update for Internet Explorer 11 for Windows 7 (KB2929437)              MS14-01
Cumulative Security Update for Internet Explorer 11 for Windows 7 (KB2957689)              MS14-03
Cumulative Security Update for Internet Explorer 11 for Windows 7 (KB2963950)              MS14-035      
Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KB2929437)   MS14-018
Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KB2957689)     MS14-035  
Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems (KB2963950)   MS14-035
Cumulative Security Update for Internet Explorer 7 for Windows XP (KB2936068)              MS14-018        
Cumulative Security Update for Internet Explorer 8 for Windows 7 (KB2957689) MS14-035        
Cumulative Security Update for Internet Explorer 8 for Windows 7 for x64-based Systems (KB2957689)  MS14-035                
Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2936068)        MS14-018            
Cumulative Security Update for Internet Explorer 9 for Windows 7 (KB2957689) MS14-035        
Cumulative Security Update for Internet Explorer 9 for Windows 7 for x64-based Systems (KB2957689)  MS14-035
You may want to check out http://blogs.technet.com/b/grouppolicy/archive/2013/05/23/group-policy-and-logon-impact.aspx for some recommendations if you haven't seen it yet.
Wish I had more to offer here.  I have some vague recollection of a blog post that I think mentioned SCCM in conjunction with a large number of WMI queries and slowing things down.  But without recalling specifics that's so thin that it's probably not worth mentioning.  If I come up with anything more specific (and it's helpful) I'll post back.
No exact solution was found, but it appeared to be a bundle of updates from SCCM with a bad one in there, apparently crashing the WMI database.
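
Added example (not part of the original thread, and not the posters' tooling): the "huge gaps in time" described above can be pulled out of a verbose Group Policy service log (gpsvc.log) by comparing consecutive timestamps per thread. The line shape `GPSVC(pid.tid) HH:MM:SS:mmm message` is assumed, and the sample lines, GUIDs and message text are constructed placeholders.

```python
import re
from datetime import timedelta

# Assumed line shape: "GPSVC(pid.tid) HH:MM:SS:mmm message" (no date in the log).
LINE_RE = re.compile(
    r"^GPSVC\(([0-9a-f]+\.[0-9a-f]+)\)\s+(\d\d):(\d\d):(\d\d):(\d{3})\s+(.*)$", re.I)

def parse(lines):
    """Yield (thread id, time since midnight, message) per well-formed line."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            h, mi, s, ms = map(int, m.group(2, 3, 4, 5))
            yield (m.group(1).lower(),
                   timedelta(hours=h, minutes=mi, seconds=s, milliseconds=ms),
                   m.group(6))

def find_gaps(lines, threshold=timedelta(seconds=30)):
    """Return (gap, thread, line before, line after) tuples, longest first.

    Gaps are measured per thread so that another thread logging in the
    middle of a stall does not hide it.
    """
    last = {}   # thread id -> (timestamp, message) of its previous line
    gaps = []
    for tid, ts, msg in parse(lines):
        if tid in last:
            delta = ts - last[tid][0]
            if delta < timedelta(0):
                delta += timedelta(days=1)  # clock wrapped past midnight
            if delta >= threshold:
                gaps.append((delta, tid, last[tid][1], msg))
        last[tid] = (ts, msg)
    return sorted(gaps, key=lambda g: g[0], reverse=True)

# Constructed sample lines (GUIDs, domain and message text are placeholders).
SAMPLE = """\
GPSVC(3f4.a1c) 23:41:02:110 ProcessGPOs(Machine): Starting computer Group Policy processing...
GPSVC(3f4.a1c) 23:41:02:484 ProcessGPO(Machine): Searching <CN={EXAMPLE-GPO},CN=Policies,DC=example,DC=test>
GPSVC(3f4.a1c) 23:41:02:515 FilterCheck: Found WMI Filter id of: <MSFT_SomFilter.ID="{EXAMPLE-FILTER}">
GPSVC(3f4.b20) 23:55:10:000 Unrelated line logged by another thread during the stall
GPSVC(3f4.a1c) 00:23:47:902 ProcessGPO(Machine): The GPO does not pass the filter check.
GPSVC(3f4.a1c) 00:23:48:010 ProcessGPOs(Machine): Processing extension Registry
GPSVC(3f4.a1c) 00:25:03:010 ProcessGPOs(Machine): Extension Registry completed.
""".splitlines()

if __name__ == "__main__":
    for gap, tid, before, after in find_gaps(SAMPLE):
        print(f"{gap}  [{tid}]\n  stalled after: {before}\n  resumed at:    {after}")
```

The "stalled after" line of the longest gap names the step that was running when processing hung, which is how a delay can be tied to a WMI filter check or to a specific extension.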