1+ <#
2+ . SYNOPSIS
3+ Disables Windows services based on CIS Benchmarks Level 1 and Level 2 recommendations.
4+
5+ . DESCRIPTION
6+ This script automates the disabling of unnecessary or high-risk Windows services in compliance with the Center for Internet Security (CIS) Benchmarks. It supports both Level 1 and Level 2 controls, with the ability to enable or disable enforcement levels through configuration variables.
7+
8+ The script:
9+ - Reads a list of services with CIS references and levels.
10+ - Allows you to control which levels (L1, L2) are enforced using the `$LevelOne` and `$LevelTwo` flags.
11+ - Allows you to exclude specific services from being modified using the `$ExcludeList` array.
12+ - Performs safe checks to ensure a service exists before attempting to stop or disable it.
13+ - Handles special cases (like `Computer Browser`) using registry edits to avoid known issues with system drivers (`bowser`).
14+
15+ ### Configuration:
16+
17+ - `$LevelOne = $true`: Enables enforcement of CIS Level 1 service rules.
18+ - `$LevelTwo = $false`: Enables enforcement of CIS Level 2 service rules.
19+ - `$ExcludeList = @('Spooler', 'WinRM')`: Specify service names (case-sensitive) to skip during execution.
20+
21+ . NOTES
22+ Author: MadCrabCyder | https://github.com/MadCrabCyder
23+ Version: v2.1
24+ Release Date: 2025-08-01
25+
26+ Intune Info:
27+ Script type - Platform Script
28+ Assign to - Devices
29+ Script Settings:
30+ Run this script using the logged on credentials - No
31+ Enforce script signature check - No
32+ Run script in 64-bit PowerShell Host - Yes
33+ #>
34+
35+ # ### Configuration Variables ####
36+
37+ $LevelOne = $true # Toggle Level 1 enforcement
38+ $LevelTwo = $false # Toggle Level 2 enforcement
39+
40+ # List of services to exclude from modification (case-sensitive)
41+ $ExcludeList = @ (
42+ ' ExampleService' # Skip disabling ExampleService
43+ )
44+
45+ $ErrorCount = 0 # Initialise ErrorCount
46+
47+
48+ # ### Logging Variables ####
49+ $Script :ScriptName = " OIB-DisableServices"
50+ $Script :LogFile = " $ScriptName .log"
51+ $Script :LogsFolder = " $env: ProgramData \Microsoft\IntuneManagementExtension\Logs"
52+
53+
54+ # ### Script Variables ####
55+ $ErrorActionPreference = [System.Management.Automation.ActionPreference ]::Stop
56+ $Host.UI.RawUI.WindowTitle = ' $ScriptName'
57+
58+
59+ # ### Functions ####
60+ function Start-Logging {
61+ Start-Transcript - Path $LogsFolder \$LogFile - Append
62+ Write-Host " Current script timestamp: $ ( Get-Date -f yyyy- MM- dd_HH- mm) "
63+ }
64+
65+ function Stop-LoggingExit {
66+ param ( [int ]$ExitCode = 0 )
67+ Write-Host " Script complete timestamp: $ ( Get-Date -f yyyy- MM- dd_HH- mm) "
68+ Stop-Transcript
69+ Exit $ExitCode
70+ }
71+
72+ function Write-CISServiceStatus {
73+ param (
74+ [pscustomobject ]$Service ,
75+ [string ]$Status
76+ )
77+
78+ Write-Host " CIS $ ( $Service.CISRef.PadRight (5 )) ($ ( $Service.CISLevel ) ) '$ ( $Service.Description ) ($ ( $Service.Name ) )' is '$Status '"
79+ }
80+
81+ trap {
82+ Write-Host " TRAP: An unhandled error occurred:"
83+ if ($_ -is [System.Management.Automation.ErrorRecord ]) {
84+ Write-Host " Message : $ ( $_.Exception.Message ) "
85+ Write-Host " Script Line : $ ( $_.InvocationInfo.Line ) "
86+ Write-Host " StackTrace : $ ( $_.ScriptStackTrace ) "
87+ } else {
88+ Write-Host " Raw Error : $_ "
89+ }
90+ Stop-LoggingExit - ExitCode 1
91+ }
92+
93+ # ### Script ####
94+ Start-Logging
95+
96+ # ######################################################
97+ # CIS 81.3 (L1) - 'Computer Browser' is deprecated and not present on Windows 10 1709+.
98+ # Using Set/Get-Service may incorrectly target the 'bowser' driver (also named 'Browser').
99+ # We disable it safely via registry to avoid impacting critical networking components.
100+ $Path = " HKLM:\SYSTEM\CurrentControlSet\Services\Browser"
101+ if ($ExcludeList -notcontains ' Browser' -and $LevelOne -and (Test-Path - LiteralPath $Path )) {
102+ Set-ItemProperty - LiteralPath $Path - Name ' Start' - Value 4 - Verbose
103+ Write-Host " 'CIS 81.3 (L1) Computer Browser (Browser)' is set to 'Disabled'"
104+ }
105+
106+ # Table of Services
107+ $ServiceTable = @"
108+ Name CISRef CISLevel Description
109+ BTAGService 81.1 L2 Bluetooth Audio Gateway Service
110+ bthserv 81.2 L2 Bluetooth Support Service
111+ MapsBroker 81.4 L2 Downloaded Maps Manager
112+ GameInputSvc 81.5 L2 GameInput Service
113+ lfsvc 81.6 L2 Geolocation Service
114+ IISADMIN 81.7 L1 IIS Admin Service
115+ irmon 81.8 L1 Infrared monitor service
116+ lltdsvc 81.9 L2 Link-Layer Topology Discovery Mapper
117+ LxssManager 81.1 L1 LxssManager
118+ FTPSVC 81.11 L1 Microsoft FTP Service
119+ MSiSCSI 81.12 L2 Microsoft iSCSI Initiator Service
120+ sshd 81.13 L1 OpenSSH SSH Server
121+ Spooler 81.14 L2 Print Spooler
122+ wercplsupport 81.15 L2 Problem Reports and Solutions Control Panel Support
123+ RasAuto 81.16 L2 Remote Access Auto Connection Manager
124+ SessionEnv 81.17 L2 Remote Desktop Configuration
125+ TermService 81.18 L2 Remote Desktop Services
126+ UmRdpService 81.19 L2 Remote Desktop Services UserMode Port Redirector
127+ RpcLocator 81.2 L1 Remote Procedure Call (RPC) Locator
128+ RemoteRegistry 81.21 L2 Remote Registry
129+ RemoteAccess 81.22 L1 Routing and Remote Access
130+ LanmanServer 81.23 L2 Server
131+ simptcp 81.24 L1 Simple TCP/IP Services
132+ SNMP 81.25 L2 SNMP Service
133+ sacsvr 81.26 L1 Special Administration Console Helper
134+ SSDPSRV 81.27 L1 SSDP Discovery
135+ upnphost 81.28 L1 UPnP Device Host
136+ WMSvc 81.29 L1 Web Management Service
137+ WerSvc 81.3 L2 Windows Error Reporting Service
138+ Wecsvc 81.31 L2 Windows Event Collector
139+ WMPNetworkSvc 81.32 L1 Windows Media Player Network Sharing Service
140+ icssvc 81.33 L1 Windows Mobile Hotspot Service
141+ WpnService 81.34 L2 Windows Push Notifications System Service
142+ PushToInstall 81.35 L2 Windows PushToInstall Service
143+ WinRM 81.36 L2 Windows Remote Management (WS-Management)
144+ WinHttpAutoProxySvc 81.37 L2 WinHTTP Web Proxy Auto-Discovery Service
145+ W3SVC 81.38 L1 World Wide Web Publishing Service
146+ XboxGipSvc 81.39 L1 Xbox Accessory Management Service
147+ XblAuthManager 81.4 L1 Xbox Live Auth Manager
148+ XblGameSave 81.41 L1 Xbox Live Game Save
149+ XboxNetApiSvc 81.42 L1 Xbox Live Networking Service
150+ "@ | ConvertFrom-Csv - Delimiter " `t "
151+
152+ foreach ($service in $serviceTable ) {
153+ if (
154+ $ExcludeList -notcontains $service.Name -and
155+ (
156+ ($service.CISLevel -eq ' L1' -and $LevelOne ) -or
157+ ($service.CISLevel -eq ' L2' -and $LevelTwo )
158+ )
159+ ) {
160+ try {
161+ $svc = Get-Service - Name $service.Name - ErrorAction Stop
162+ } catch {
163+ # If the service isn't installed, it's considered compliant - not an error
164+ Write-CISServiceStatus - Service $service - Status ' Not Installed'
165+ continue
166+ }
167+
168+ if ($svc.Status -ne ' Stopped' ) {
169+ try {
170+ Stop-Service - Name $service.Name - Force - ErrorAction Stop
171+ Write-CISServiceStatus - Service $service - Status ' Stopped'
172+ } catch {
173+ Write-Warning " Could not stop service '$ ( $service.Name ) ': $ ( $_.Exception.Message ) "
174+ }
175+ }
176+
177+ if ($svc.StartType -ne ' Disabled' ) {
178+ try {
179+ Set-Service - Name $service.Name - StartupType Disabled - ErrorAction Stop
180+ Write-CISServiceStatus - Service $service - Status ' Disabled'
181+ } catch {
182+ Write-Warning " Could not disable service '$ ( $service.Name ) ': $ ( $_.Exception.Message ) "
183+ # Increment error count on compliance failure
184+ $ErrorCount ++
185+ continue
186+ }
187+ }
188+
189+ Write-CISServiceStatus - Service $service - Status ' Disabled'
190+ }
191+ }
192+
193+ Stop-LoggingExit - ExitCode $ErrorCount
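Review bot: A service that cannot be stopped is only warned about in the `Stop-Service` catch block and never counted in `$ErrorCount`, so the script still exits 0 and then reports the service as 'Disabled' on the final status line — Intune will presumably show the device as successful while, for example, sshd or W3SVC keeps running until the next reboot. Adding `$ErrorCount++` to that catch (or emitting a distinct status such as 'Disabled (still running)') would make the gap visible in the log and the exit code. The CIS reference column has also lost its trailing zeros: LxssManager, RpcLocator, WerSvc and XblAuthManager are tagged 81.1, 81.2, 81.3 and 81.4, colliding with BTAGService, bthserv, the Computer Browser block and MapsBroker, so the log lines become ambiguous; they should read `81.10`, `81.20`, `81.30` and `81.40`. Finally, `-notcontains` is case-insensitive in PowerShell (the case-sensitive form is `-cnotcontains`), so the "case-sensitive" wording in the synopsis and the `$ExcludeList` comment is inaccurate, and the synopsis example `@('Spooler', 'WinRM')` does not match the shipped default of `ExampleService`.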