Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience


[Primary authors: Dan Simon and Nir Ben Zvi]

The Windows operating system includes many system services that provide important functionality.  Different services have different default startup policies:  some are started by default (automatic), some when needed (manual) and some are disabled by default and must be explicitly enabled before they can run.  These defaults were chosen carefully for each service to balance performance, functionality and security for typical customers.

However, some enterprise customers may prefer a more security-focused balance for their Windows PCs and servers—one that reduces their attack surface to the absolute minimum—and may therefore wish to fully disable all services that are not needed in their specific environments.  For those customers, Microsoft is providing the accompanying guidance regarding which services can safely be disabled for this purpose.

The guidance is for Windows Server 2016 with Desktop Experience (unless used as a desktop replacement for end users). Each service on the system is categorized as follows:

  • Should Disable: A security-focused enterprise will most likely prefer to disable this service and forgo its functionality (see additional details below).
  • OK to Disable: This service provides functionality that is useful to some but not all enterprises, and security-focused enterprises that don’t use it can safely disable it.
  • Do Not Disable: Disabling this service will impact essential functionality or prevent specific roles/features from functioning correctly. It therefore should not be disabled.
  • (No guidance): These services should not be disabled.

Customers can configure their Windows PCs and servers to disable selected services using the Security Templates in their Group Policies or using PowerShell automation.  In some cases, the guidance includes specific Group Policy settings that disable the service’s functionality directly, as an alternative to disabling the service itself.

We recommend that customers disable the following services and their respective scheduled tasks on Windows Server 2016 with Desktop Experience:

Services:

  1. Xbox Live Auth Manager
  2. Xbox Live Game Save

Scheduled tasks:

  1. \Microsoft\XblGameSave\XblGameSaveTask
  2. \Microsoft\XblGameSave\XblGameSaveTaskLogon
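As an added example (not part of the original post or the attached spreadsheet), the following PowerShell script applies the recommendation above on a single Windows Server 2016 host: it stops and disables the two Xbox Live services, disables the two scheduled tasks, and then reports the resulting state so the change can be verified. It assumes the short service names `XblAuthManager` and `XblGameSave`, which correspond to the display names "Xbox Live Auth Manager" and "Xbox Live Game Save", and it assumes the task paths exactly as listed on the page. In a domain, the same end state would normally be enforced through the Group Policy Security Templates mentioned earlier rather than an ad hoc script.

```powershell
# Added example, not code from the original post. Disables the two recommended
# services and scheduled tasks on Windows Server 2016 with Desktop Experience,
# then verifies the result. Run from an elevated PowerShell 5.1 session.
#Requires -RunAsAdministrator

# Assumed short names for "Xbox Live Auth Manager" and "Xbox Live Game Save".
$services = @('XblAuthManager', 'XblGameSave')

# Scheduled tasks from the recommendation, split into path and name as the
# ScheduledTasks cmdlets expect them.
$tasks = @(
    @{ TaskPath = '\Microsoft\XblGameSave\'; TaskName = 'XblGameSaveTask' },
    @{ TaskPath = '\Microsoft\XblGameSave\'; TaskName = 'XblGameSaveTaskLogon' }
)

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$name' not found on this host; skipping."
        continue
    }
    # Stop a running instance first so the disabled start type takes effect
    # immediately rather than only after the next reboot.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force -ErrorAction Stop
    }
    Set-Service -Name $name -StartupType Disabled
}

foreach ($t in $tasks) {
    $task = Get-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -ErrorAction SilentlyContinue
    if (-not $task) {
        Write-Warning "Task '$($t.TaskPath)$($t.TaskName)' not found; skipping."
        continue
    }
    Disable-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName | Out-Null
}

# Verification: every service should show StartType 'Disabled' and Status
# 'Stopped'; every task should show State 'Disabled'.
Write-Host "`nService state:"
Get-Service -Name $services -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

Write-Host "Scheduled task state:"
foreach ($t in $tasks) {
    Get-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -ErrorAction SilentlyContinue |
        Select-Object TaskPath, TaskName, State
}
```

The verification step matters in practice: a service whose start type is Disabled but that is still running (because it was not stopped) keeps its attack surface until the next reboot, which is why the script stops before it disables.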

See the attached spreadsheet for more information: Service-management-WS2016


Comments (6)

  1. Jason Fossen says:

    Beauty! Putting this into a template DSC configuration right now… Thanks! 🙂

    1. Harry Paul says:

      I wrote a GitHub gist to automate this with a DSC config. Hopefully it is useful for you as well!
      https://gist.github.com/hpaul-osi/8639b165019fb2d3bbff6cd3fcc93781

  2. Zoltan says:

    Great stuff, exactly what I needed.
    Anything similar for Server 2012 R2?
    Thank you.

  3. Hi,
    thanks for that explanation. In the attached Excel file not every service has a recommendation. What about those services? Any chance to get a recommendation for those services?

    1. Zoltan says:

      Peter, scroll right to the top. There it says:

      “(No guidance): These services should not be disabled.”

  4. Manouweb says:

    Hello,

    Thank you for this insightful list and recommendations.
    Nevertheless it seems some of the services you are recommending to disable (OK to disable) are protected against modification by Administrators (it requires manually modifying registry ACLs to switch the services to Disabled state) and it is not compliant with central disabling by GPOs because these services have an _ that is unique per machine at the end of their name (dynamically generated):

    CDPUserSvc
    OneSyncSvc
    PimIndexMaintenanceSvc
    UnistoreSvc
    UserDataSvc
    WpnUserService

    What is your recommendation for these, should they be disabled despite the security strengthening performed by Microsoft on these services and the difficulty to centrally disable them?

    Thank you for your insight.

    Kind regards

    [Aaron Margosis] I held off on publishing this question until we had our documentation on per-user services published. It’s finally published: https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows
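The services named in the comment above are per-user service templates: each logon session gets its own instance whose name is the template name plus an underscore and a per-session suffix, which is why a Group Policy entry for the template name alone does not match the instances. As an added example (not part of the original post, the comment, or Microsoft's documentation), the script below inventories the instances of those templates on a host and reports their start types, and provides a function that disables a template by setting its `Start` value to 4 (Disabled) under `HKLM\SYSTEM\CurrentControlSet\Services`. The assumption, based on the linked per-user services documentation, is that disabling the template prevents new per-session instances from being created; readers should confirm that against the documentation for their build before deploying it centrally.

```powershell
# Added example, not code from the original post or Microsoft's documentation.
# Inventories per-user service instances for the template names discussed in
# the comment thread and optionally disables the templates. Run elevated.
#Requires -RunAsAdministrator

# Per-user service template names listed in the comment above.
$templates = @(
    'CDPUserSvc', 'OneSyncSvc', 'PimIndexMaintenanceSvc',
    'UnistoreSvc', 'UserDataSvc', 'WpnUserService'
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-PerUserServiceReport {
    param([string[]] $TemplateNames)

    foreach ($template in $TemplateNames) {
        # Template key holds the Start value that new instances inherit.
        $templateKey = Join-Path $servicesKey $template
        $templateStart = if (Test-Path $templateKey) {
            (Get-ItemProperty -Path $templateKey -Name Start -ErrorAction SilentlyContinue).Start
        } else { $null }

        # Instances are named <template>_<per-session suffix>.
        $instances = Get-Service -Name "${template}_*" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Template      = $template
            TemplateStart = $templateStart      # 2=Automatic, 3=Manual, 4=Disabled
            Instances     = ($instances | ForEach-Object { $_.Name }) -join ', '
            Running       = ($instances | Where-Object Status -eq 'Running').Count
        }
    }
}

function Disable-PerUserServiceTemplate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)] [string] $TemplateName)

    $templateKey = Join-Path $servicesKey $TemplateName
    if (-not (Test-Path $templateKey)) {
        Write-Warning "Template key for '$TemplateName' not found; skipping."
        return
    }
    if ($PSCmdlet.ShouldProcess($TemplateName, 'Set Start=4 (Disabled) on template key')) {
        # Assumption (from the linked per-user services documentation): a
        # disabled template stops new per-session instances from being created.
        # Existing instances remain until the session ends or the host reboots.
        Set-ItemProperty -Path $templateKey -Name Start -Value 4 -Type DWord
    }
}

# Report first; disabling is deliberately a separate, confirmed step.
Get-PerUserServiceReport -TemplateNames $templates | Format-Table -AutoSize

# Example of the disabling step (prompts for confirmation per template):
# $templates | ForEach-Object { Disable-PerUserServiceTemplate -TemplateName $_ }
```

Running the report before and after a change shows whether the template's `Start` value took effect and whether instances from still-active sessions remain running, which is the check a central-management workflow would want before treating the host as compliant.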