Bart's Weblog

Just a blog…

Archive for September, 2017

Quick post: GPO WMI filtering and performance

Posted by bartvdw on 2222/0909/2017

Got triggered recently about WMI filtering on GPO’s and performance impact. It is clear that the filter(s) needs to be processed, and that you shouldn’t use it by default, but killing the logon on a machine? That would mean “DO NOT USE” scenario… So here a summary about WMI filtering, but also a quick overview about the different controls you have to filter GPO’s. Extensive reading material is included at the bottom (references).

 

Quick recap which controls are available:

  • Organizational units (OUs)
    • Group user/computer objects in OUs
    • Link GPOs to OUs
  • Security
    • Change GPO security so that the GPO applies to specific groups
    • Required permissions: read + apply group policy
    • Works not only for users, but also for computer accounts
  • WMI filters
    • Specify a WMI query
    • The GPO is applied only if the query returns true
    • Applies to entire GPOs
  • Item-level targeting (ILT)
    • Specify targeting criteria
    • A setting is applied only if the criteria match
    • Applies to individual settings (in case of registry settings: can also apply to a collection of settings)
    • Available for Group Policy Preferences (GPPs) only, not for Policies

 

For WMI filtering there are some good tips:

  • Use when required (obviously)
  • Do NOT use Select *, but target your filter
  • Test performance with Measure-Command, and loop 1000x for more accurate results
  • Use SDM / GPOGuy WMIFTest utility to validate your filters against systems

 

Test method performance (my preferred option):

$q = ‘Select Version From Win32_OperatingSystem Where Version LIKE “10.0.%”‘

$a = for ($i = 1; $i -le 100; $i++) {

Measure-Command -Expression {

Get-WmiObject -Query $q

}

};

$a | Measure-Object TotalMilliseconds -Sum -Average -Maximum –Minimum

 

(Replace the query with your actual filter and test with targeted and Select *)

 

I ran the test on some machines using the Version attribute specific for the OS (so 10.%, and 6.3%).

 

Windows 10 on Surface Pro 4 results:

 

Test results on 2012 R2 server physical

 

Test results on 2012 R2 virtual

 

So results vary, but the difference between targeted filter versus * is clear. This also allows you to show the actual performance hit.

 

So WMI filtering isn’t all that bad, just use it wisely and when required; see if Item Level Targeting (ILT) is possible for example, or security filtering.

 

Comments welcome, as always!

References

How Group Policy Impacts Logon Performance #3: WMI Filters & ILT – https://helgeklein.com/blog/2016/01/how-group-policy-impacts-logon-performance-3-wmi-filters-ilt/

WMI filter queries and thoughts on performance – http://evilgpo.blogspot.be/2014/11/wmi-filter-queries-and-thoughts-on.html

Showdown – WMI Filter vs Item Level Targeting – http://evilgpo.blogspot.be/2014/11/showdown-wmi-filter-vs-item-level.html

Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences – https://blogs.technet.microsoft.com/grouppolicy/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences/

Group Policy and Logon Impact – https://blogs.technet.microsoft.com/grouppolicy/2013/05/23/group-policy-and-logon-impact/

WMI Filter Friday – https://blogs.technet.microsoft.com/grouppolicy/2010/03/19/wmi-filter-friday/

Digging Into Group Policy WMI Filters and Managing them through PowerShell – https://sdmsoftware.com/group-policy-blog/gpmc/digging-into-group-policy-wmi-filters-and-managing-them-through-powershell/

Group Policy WMI filters for Windows 7/8/8.1/10 – https://deploywindows.info/2016/11/03/group-policy-wmi-filters-for-windows-788-110/

Using Group Policy WMI filters? Computers booting slow? – https://deploywindows.info/2016/02/15/using-group-policy-wmi-filters-computers-booting-slow/

Creating WMI Filters and GPOs with PowerShell – https://www.darkoperator.com/blog/2012/3/23/creating-wmi-filters-and-gpos-with-powershell.html

Fun with WMI Filters in Group Policy – https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/

GPO Migration with PowerShell – Now including WMI filters – https://blogs.technet.microsoft.com/ashleymcglone/2014/08/11/gpo-migration-with-powershell-now-including-wmi-filters/

WMI Filter Validation Utility

https://sdmsoftware.com/gpoguy/free-tools/library/wmi-filter-validation-utility/

Advertisements

Posted in Active Directory, Group Policy, Windows, Windows Server 2012 | Leave a Comment »