Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience
[Primary authors: Dan Simon and Nir Ben Zvi]
[Note that this guidance applies only to Windows Server 2016 with Desktop Experience. It does not need to be applied to Windows Server 2019.]
The Windows operating system includes many system services that provide important functionality. Different services have different default startup policies: some are started by default (automatic), some when needed (manual) and some are disabled by default and must be explicitly enabled before they can run. These defaults were chosen carefully for each service to balance performance, functionality and security for typical customers.
However, some enterprise customers may prefer a more security-focused balance for their Windows PCs and servers—one that reduces their attack surface to the absolute minimum—and may therefore wish to fully disable all services that are not needed in their specific environments. For those customers, Microsoft is providing the accompanying guidance regarding which services can safely be disabled for this purpose.
The guidance is for Windows Server 2016 with Desktop Experience (unless used as a desktop replacement for end users). Each service on the system is categorized as follows:
- Should Disable: A security-focused enterprise will most likely prefer to disable this service and forgo its functionality (see additional details below).
- OK to Disable: This service provides functionality that is useful to some but not all enterprises, and security-focused enterprises that don’t use it can safely disable it.
- Do Not Disable: Disabling this service will impact essential functionality or prevent specific roles/features from functioning correctly. It therefore should not be disabled.
- (No guidance) : These services should not be disabled.
Customers can configure their Windows PCs and servers to disable selected services using the Security Templates in their Group Policies or using PowerShell automation. In some cases, the guidance includes specific Group Policy settings that disable the service’s functionality directly, as an alternative to disabling the service itself.
We recommend that customers disable the following services and their respective scheduled tasks on Windows Server 2016 with Desktop Experience:
Services:
- Xbox Live Auth Manager
- Xbox Live Game Save
Scheduled tasks:
- \Microsoft\XblGameSave\XblGameSaveTask
- \Microsoft\XblGameSave\XblGameSaveTaskLogon
Download this spreadsheet for more information: Service-management-WS2016.xlsx
Comments
- Anonymous
May 30, 2017
Beauty! Putting this into a template DSC configuration right now... Thanks! :-)- Anonymous
June 10, 2017
I wrote a GitHub gist to automate this with a DSC config. Hopefully it is useful for you as well!https://gist.github.com/hpaul-osi/8639b165019fb2d3bbff6cd3fcc93781
- Anonymous
- Anonymous
July 19, 2017
Great stuff, exactly what I needed.Anything similar for Server 2012 R2?Thank you. - Anonymous
July 30, 2017
Hi,thanks for that explanation. In the attached Excel file not every Service has a Recommendation. Whats with that services? Any chance to get for those services a recommendation?- Anonymous
August 02, 2017
Peter, scroll right to the top. There it says:"(No guidance): These services should not be disabled."
- Anonymous
- Anonymous
August 07, 2017
Hello,Thank you for this insightful list and recommendations.Nevertheless it seems some of the services your are recommending to disable (OK to disable) are protected against modification by Administrators (it requires manually modifying registry ACLs to switch the services to Disabled state) and it is not compliant with central disabling by GPOs because these services have an _ that is unique per machine at the end of their name (dynamically generated):CDPUserSvcOneSyncSvcPimIndexMaintenanceSvcUnistoreSvcUserDataSvcWpnUserServiceWhat is your recommendation for these, should they be disabled despite the security strengthening performed by Microsoft on these services and the difficulty to centrally disable them?Thank you for your insight.Kind regards[Aaron Margosis] I held off on publishing this question until we had our documentation on per-user services published. It's finally published: https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows - Anonymous
September 26, 2017
How to disable the scheduled tasks "Microsoft\XblGameSave\XblGameSaveTask" and "Microsoft\XblGameSave\XblGameSaveTaskLogon" for multiple servers? I tried it with GPO / GPP but was not able to just disable both tasks.- Anonymous
November 08, 2017
Hi Frank,This is possible with GPP but you need to specify the path with a \ in front for this to work.It should look like:\Microsoft\XblGameSave\XblGameSaveTask\Microsoft\XblGameSave\XblGameSaveTaskLogonIn both cases I created the GPP settings to delete these scheduled tasks but only if the Tasks file for the specific task exists using item level targeting. The files for the scheduled tasks can be found here: %SystemRoot%\System32\Tasks\Microsoft\XblGameSave - Anonymous
November 10, 2017
Hi Frank, did you find a solution to this as I have the same question? Thanks Ben- Anonymous
February 22, 2018
The comment has been removed
- Anonymous
- Anonymous