1+ <#
2+ . SYNOPSIS
3+ Disables Windows services based on CIS Benchmarks Level 1 and Level 2 recommendations.
4+
5+ . DESCRIPTION
6+ This script automates the disabling of unnecessary or high-risk Windows services in compliance with the Center for Internet Security (CIS) Benchmarks. It supports both Level 1 and Level 2 controls, with the ability to enable or disable enforcement levels through configuration variables.
7+
8+ The script:
9+ - Reads a list of services with CIS references and levels.
10+ - Allows you to control which levels (L1, L2) are enforced using the `$LevelOne` and `$LevelTwo` flags.
11+ - Allows you to exclude specific services from being modified using the `$ExcludeList` array.
12+ - Performs safe checks to ensure a service exists before attempting to stop or disable it.
13+ - Handles special cases (like `Computer Browser`) using registry edits to avoid known issues with system drivers (`bowser`).
14+
15+ ### Configuration:
16+
17+ - `$LevelOne = $true`: Enables enforcement of CIS Level 1 service rules.
18+ - `$LevelTwo = $false`: Enables enforcement of CIS Level 2 service rules.
19+ - `$ExcludeList = @('Spooler', 'WinRM')`: Specify service names (case-sensitive) to skip during execution.
20+
21+ . NOTES
22+ Author: MadCrabCyder | https://github.com/MadCrabCyder
23+ Version: v2.1
24+ Release Date: 2025-08-01
25+
26+ Intune Info:
27+ Script type - Platform Script
28+ Assign to - Devices
29+ Script Settings:
30+ Run this script using the logged on credentials - No
31+ Enforce script signature check - No
32+ Run script in 64-bit PowerShell Host - Yes
33+ #>
34+
35+ # ### Configuration Variables ####
36+
37+ $Script :LevelOne = $true # Toggle Level 1 enforcement
38+ $Script :LevelTwo = $false # Toggle Level 2 enforcement
39+
40+ # List of services to exclude from modification (case-sensitive)
41+ $Script :ExcludeList = @ (
42+ ' ExampleService' # Skip disabling ExampleService
43+ )
44+
45+
46+ # ### Logging Variables ####
47+ $Script :ScriptName = " OIB-DisableServices"
48+ $Script :LogFile = " $ScriptName .log"
49+ $Script :LogsFolder = " $env: ProgramData \Microsoft\IntuneManagementExtension\Logs"
50+
51+
52+ # ### Script Variables ####
53+ $ErrorActionPreference = [System.Management.Automation.ActionPreference ]::SilentlyContinue
54+ $Host.UI.RawUI.WindowTitle = ' $ScriptName'
55+
56+
57+ # ### Functions ####
58+ function Start-Logging {
59+ Start-Transcript - Path $LogsFolder \$LogFile - Append
60+ Write-Host " Current script timestamp: $ ( Get-Date -f yyyy- MM- dd_HH- mm) "
61+ }
62+
63+ function Stop-Logging {
64+ Write-Host " Script complete timestamp: $ ( Get-Date -f yyyy- MM- dd_HH- mm) "
65+ Stop-Transcript
66+ }
67+
68+
69+ # ### Script ####
70+ Start-Logging
71+
72+ # ######################################################
73+ # CIS 81.3 (L1) - 'Computer Browser' is deprecated and not present on Windows 10 1709+.
74+ # Using Set/Get-Service may incorrectly target the 'bowser' driver (also named 'Browser').
75+ # We disable it safely via registry to avoid impacting critical networking components.
76+ $Path = " HKLM:\SYSTEM\CurrentControlSet\Services\Browser"
77+ if ($ExcludeList -notcontains ' Browser' -and $LevelOne -and (Test-Path - LiteralPath $Path )) {
78+ Set-ItemProperty - LiteralPath $Path - Name ' Start' - Value 4 - Verbose
79+ Write-Host " 'CIS 81.3 (L1) Computer Browser (Browser)' is set to 'Disabled'"
80+ }
81+
82+ # Services to Disable
83+ @"
84+ Name Level CISReference
85+ BTAGService L2 CIS 81.1 (L2) Bluetooth Audio Gateway Service
86+ bthserv L2 CIS 81.2 (L2) Bluetooth Support Service
87+ MapsBroker L2 CIS 81.4 (L2) Downloaded Maps Manager
88+ GameInputSvc L2 CIS 81.5 (L2) GameInput Service
89+ lfsvc L2 CIS 81.6 (L2) Geolocation Service
90+ IISADMIN L1 CIS 81.7 (L1) IIS Admin Service
91+ irmon L1 CIS 81.8 (L1) Infrared monitor service
92+ lltdsvc L2 CIS 81.9 (L2) Link-Layer Topology Discovery Mapper
93+ LxssManager L1 CIS 81.10 (L1) LxssManager
94+ FTPSVC L1 CIS 81.11 (L1) Microsoft FTP Service
95+ MSiSCSI L2 CIS 81.12 (L2) Microsoft iSCSI Initiator Service
96+ sshd L1 CIS 81.13 (L1) OpenSSH SSH Server
97+ Spooler L2 CIS 81.14 (L2) Print Spooler
98+ wercplsupport L2 CIS 81.15 (L2) Problem Reports and Solutions Control Panel Support
99+ RasAuto L2 CIS 81.16 (L2) Remote Access Auto Connection Manager
100+ SessionEnv L2 CIS 81.17 (L2) Remote Desktop Configuration
101+ TermService L2 CIS 81.18 (L2) Remote Desktop Services
102+ UmRdpService L2 CIS 81.19 (L2) Remote Desktop Services UserMode Port Redirector
103+ RpcLocator L1 CIS 81.20 (L1) Remote Procedure Call (RPC) Locator
104+ RemoteRegistry L2 CIS 81.21 (L2) Remote Registry
105+ RemoteAccess L1 CIS 81.22 (L1) Routing and Remote Access
106+ LanmanServer L2 CIS 81.23 (L2) Server
107+ simptcp L1 CIS 81.24 (L1) Simple TCP/IP Services
108+ SNMP L2 CIS 81.25 (L2) SNMP Service
109+ sacsvr L1 CIS 81.26 (L1) Special Administration Console Helper
110+ SSDPSRV L1 CIS 81.27 (L1) SSDP Discovery
111+ upnphost L1 CIS 81.28 (L1) UPnP Device Host
112+ WMSvc L1 CIS 81.29 (L1) Web Management Service
113+ WerSvc L2 CIS 81.30 (L2) Windows Error Reporting Service
114+ Wecsvc L2 CIS 81.31 (L2) Windows Event Collector
115+ WMPNetworkSvc L1 CIS 81.32 (L1) Windows Media Player Network Sharing Service
116+ icssvc L1 CIS 81.33 (L1) Windows Mobile Hotspot Service
117+ WpnService L2 CIS 81.34 (L2) Windows Push Notifications System Service
118+ PushToInstall L2 CIS 81.35 (L2) Windows PushToInstall Service
119+ WinRM L2 CIS 81.36 (L2) Windows Remote Management (WS-Management)
120+ WinHttpAutoProxySvc L2 CIS 81.37 (L2) WinHTTP Web Proxy Auto-Discovery Service
121+ W3SVC L1 CIS 81.38 (L1) World Wide Web Publishing Service
122+ XboxGipSvc L1 CIS 81.39 (L1) Xbox Accessory Management Service
123+ XblAuthManager L1 CIS 81.40 (L1) Xbox Live Auth Manager
124+ XblGameSave L1 CIS 81.41 (L1) Xbox Live Game Save
125+ XboxNetApiSvc L1 CIS 81.42 (L1) Xbox Live Networking Service
126+ "@ | ConvertFrom-Csv - Delimiter " `t " | ForEach-Object {
127+
128+ $ServiceName = $_.Name
129+ $ServiceLevel = $_.Level
130+ $CISReference = $_.CISReference
131+ $svc = $null
132+
133+ if (
134+ $ExcludeList -notcontains $ServiceName -and
135+ (
136+ ($ServiceLevel -eq ' L1' -and $LevelOne ) -or
137+ ($ServiceLevel -eq ' L2' -and $LevelTwo )
138+ )
139+ ) {
140+
141+ # Check to see if the service exists
142+ try {
143+ $svc = Get-Service - Name $ServiceName - ErrorAction Stop
144+ } catch {
145+ Write-Host " '$CISReference ($ServiceName )' is 'Not Installed'"
146+ }
147+
148+ if ($null -ne $svc ) {
149+
150+ # Stop the service if it's not already stopped
151+ if ($svc.Status -ne ' Stopped' ) {
152+ try {
153+ Stop-Service - Name $ServiceName - Force - ErrorAction Stop
154+ Write-Host " '$CISReference ($ServiceName )' is 'Stopped'"
155+ } catch {
156+ Write-Warning " Could not stop service '$ServiceName '. Reason: $ ( $_.Exception.Message ) "
157+ }
158+ }
159+
160+ # Set the service to Disabled
161+ try {
162+ Set-Service - Name $ServiceName - StartupType Disabled - ErrorAction Stop
163+ Write-Host " '$CISReference ($ServiceName )' is set to 'Disabled'"
164+ } catch {
165+ Write-Warning " Could not disable service '$ServiceName '. Reason: $ ( $_.Exception.Message ) "
166+ }
167+ }
168+ }
169+ }
170+
171+ Stop-Logging
172+ Exit 0 # Always return success as Errors are handled gracefully
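Review bot: The registry write on line 78 has no error handling while line 53 sets `$ErrorActionPreference` to SilentlyContinue for the whole script, so a failed `Set-ItemProperty` is swallowed and line 79 still logs 'Computer Browser (Browser)' as set to 'Disabled', which makes the transcript overstate what was actually enforced. The service loop below already handles this correctly by combining `-ErrorAction Stop` with try/catch (lines 161-166); the Browser branch should follow the same pattern so the log only claims success when the write succeeded, as in the rewrite below. Separately, line 54 assigns `'$ScriptName'` in single quotes, so the window title becomes the literal text `$ScriptName` rather than the script name; `$Host.UI.RawUI.WindowTitle = "$ScriptName"` expands it.
```powershell
if ($ExcludeList -notcontains 'Browser' -and $LevelOne -and (Test-Path -LiteralPath $Path)) {
    try {
        Set-ItemProperty -LiteralPath $Path -Name 'Start' -Value 4 -ErrorAction Stop -Verbose
        Write-Host "'CIS 81.3 (L1) Computer Browser (Browser)' is set to 'Disabled'"
    } catch {
        Write-Warning "Could not disable 'Computer Browser (Browser)' via registry. Reason: $($_.Exception.Message)"
    }
}
```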