Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience

[Primary authors: Dan Simon and Nir Ben Zvi]

[Note that this guidance applies only to Windows Server 2016 with Desktop Experience. It does not need to be applied to Windows Server 2019.]

The Windows operating system includes many system services that provide important functionality.  Different services have different default startup policies:  some are started by default (automatic), some when needed (manual) and some are disabled by default and must be explicitly enabled before they can run.  These defaults were chosen carefully for each service to balance performance, functionality and security for typical customers.

However, some enterprise customers may prefer a more security-focused balance for their Windows PCs and servers—one that reduces their attack surface to the absolute minimum—and may therefore wish to fully disable all services that are not needed in their specific environments.  For those customers, Microsoft is providing the accompanying guidance regarding which services can safely be disabled for this purpose.

The guidance is for Windows Server 2016 with Desktop Experience (unless used as a desktop replacement for end users). Each service on the system is categorized as follows:

  • Should Disable: A security-focused enterprise will most likely prefer to disable this service and forgo its functionality (see additional details below).
  • OK to Disable: This service provides functionality that is useful to some but not all enterprises, and security-focused enterprises that don’t use it can safely disable it.
  • Do Not Disable: Disabling this service will impact essential functionality or prevent specific roles/features from functioning correctly. It therefore should not be disabled.
  • (No guidance): These services should not be disabled.

Customers can configure their Windows PCs and servers to disable selected services using the Security Templates in their Group Policies or using PowerShell automation.  In some cases, the guidance includes specific Group Policy settings that disable the service’s functionality directly, as an alternative to disabling the service itself.

We recommend that customers disable the following services and their respective scheduled tasks on Windows Server 2016 with Desktop Experience:

Services:

  1. Xbox Live Auth Manager
  2. Xbox Live Game Save

Scheduled tasks:

  1. \Microsoft\XblGameSave\XblGameSaveTask
  2. \Microsoft\XblGameSave\XblGameSaveTaskLogon
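
The following PowerShell script is an added example, not part of the original Microsoft guidance. It audits the two services and two scheduled tasks listed above, disables them, and reports the resulting state. The parameter name `-AuditOnly` and the report layout are assumptions of this example; services are looked up by the display names given above, and the script must be run from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's script): audit and disable the Xbox Live
# services and scheduled tasks named in this guidance.
param(
    [switch]$AuditOnly   # hypothetical switch: report current state, change nothing
)

# Names taken from the guidance above.
$serviceDisplayNames = 'Xbox Live Auth Manager', 'Xbox Live Game Save'
$taskPath            = '\Microsoft\XblGameSave\'
$taskNames           = 'XblGameSaveTask', 'XblGameSaveTaskLogon'

foreach ($displayName in $serviceDisplayNames) {
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Service is not installed on this host; nothing to disable.
        [pscustomobject]@{ Kind = 'Service'; Name = $displayName; State = 'NotPresent' }
        continue
    }
    if (-not $AuditOnly) {
        # Stop a running instance first, then prevent it from starting again.
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $svc.Name -Force
        }
        Set-Service -Name $svc.Name -StartupType Disabled
    }
    # Re-read the service so the report reflects what is actually configured.
    $svc = Get-Service -Name $svc.Name
    [pscustomobject]@{
        Kind  = 'Service'
        Name  = $svc.Name
        State = '{0} / {1}' -f $svc.StartType, $svc.Status
    }
}

foreach ($name in $taskNames) {
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $name -ErrorAction SilentlyContinue
    if (-not $task) {
        [pscustomobject]@{ Kind = 'Task'; Name = "$taskPath$name"; State = 'NotPresent' }
        continue
    }
    if (-not $AuditOnly -and $task.State -ne 'Disabled') {
        # Disable-ScheduledTask returns the updated task object.
        $task = $task | Disable-ScheduledTask
    }
    [pscustomobject]@{ Kind = 'Task'; Name = "$taskPath$name"; State = [string]$task.State }
}
```

Run it once with `-AuditOnly` to record the baseline, then without the switch to apply the change; every service row should then read `Disabled / Stopped` and every task row `Disabled`, or `NotPresent` where the component is absent.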

Download this spreadsheet for more information: Service-management-WS2016.xlsx