@MadCrabCyder MadCrabCyder commented Aug 1, 2025

Disables Windows services based on CIS Benchmarks Level 1 and Level 2 recommendations.

This script automates the disabling of Windows services in compliance with the CIS Benchmarks. It supports both Level 1 and Level 2 controls, with the ability to enable or disable enforcement levels through configuration variables.

  • Allows you to control which levels (L1, L2) are enforced using the $LevelOne and $LevelTwo flags.
  • Allows you to exclude specific services from being modified using the $ExcludeList array.
  • Handles special cases (like Computer Browser) using registry edits to avoid known issues with system drivers (bowser).

Full customization to meet your environment’s specific requirements through three main variables:

```powershell
# Configuration Variables
$LevelOne  = $true  # Enable or disable enforcement of CIS Level 1 services.
$LevelTwo  = $false # Enable or disable enforcement of CIS Level 2 services.

# List of services to exclude from modification
$ExcludeList = @(
    'ExampleService' # Skip disabling ExampleService
    'WpnService'     # Skip disabling Windows Push Notifications System Service — disabling will severely
                     # degrade functionality for several Intune features, including Autopatch, remote
                     # actions (restart, sync, wipe), and push notifications from the Intune service.
)
```

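As an added illustration of the mechanism the PR describes (level flags, an exclude list, and a registry-only path for services such as Computer Browser), not the PR's own script: the service lists are short constructed samples rather than the CIS Benchmark lists, the `Disable-CisService` function name is ours, and the registry path assumes `Start = 4` (SERVICE_DISABLED) under the service key.

```powershell
# Added example, not the PR's script: minimal level-aware disable logic with -WhatIf
# support so the changes can be audited before they are enforced.
$LevelOne  = $true
$LevelTwo  = $false
$ExcludeList = @(
    'WpnService'   # Intune Autopatch and remote actions depend on WNS (see this thread)
)
# Constructed sample lists keyed by CIS level; not the benchmark's actual content.
$CisServices = @{
    L1 = @('Browser', 'RemoteRegistry', 'SSDPSRV')
    L2 = @('WpnService', 'lfsvc')
}
# Services changed via the registry rather than Set-Service. Assumption: Start=4 is
# SERVICE_DISABLED; the PR takes this route for Computer Browser because of the
# bowser system driver issue it mentions.
$RegistryOnly = @('Browser')

function Disable-CisService {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Names)
    foreach ($Name in ($Names | Select-Object -Unique)) {
        if ($ExcludeList -contains $Name) { Write-Verbose "SKIP $Name (excluded)"; continue }
        $Svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if (-not $Svc) { Write-Verbose "SKIP $Name (not installed on this host)"; continue }
        if ($Svc.StartType -eq 'Disabled') { Write-Verbose "OK $Name already disabled"; continue }
        # With -WhatIf this reports the intended change and skips it.
        if (-not $PSCmdlet.ShouldProcess($Name, 'Set startup type to Disabled')) { continue }
        if ($RegistryOnly -contains $Name) {
            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" `
                -Name Start -Value 4 -Type DWord
        } else {
            if ($Svc.Status -eq 'Running') { Stop-Service -Name $Name -Force }
            Set-Service -Name $Name -StartupType Disabled
        }
        Write-Output "$Name : $($Svc.StartType) -> Disabled"
    }
}

$Targets = @()
if ($LevelOne) { $Targets += $CisServices.L1 }
if ($LevelTwo) { $Targets += $CisServices.L2 }
# Audit run first; drop -WhatIf to enforce.
Disable-CisService -Names $Targets -WhatIf -Verbose
```

Running it once with `-WhatIf` on a pilot device lists every service that would change, which is the point at which an omission from `$ExcludeList` (such as WpnService on Intune-managed devices) is cheapest to catch.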
MadCrabCyder force-pushed the disable-cis-services branch from 273e5e1 to fce180d on August 3, 2025 07:25

@TheFireKahuna

Not sure if it’s already known but disabling the WpnService, or Windows Push Notifications System Service will severely degrade functionality for several Intune functions, including Autopatch and remote actions.

MadCrabCyder commented Aug 8, 2025

> Not sure if it’s already known but disabling the WpnService, or Windows Push Notifications System Service will severely degrade functionality for several Intune functions, including Autopatch and remote actions.

Thanks, I wasn’t aware of this. The list of services to disable was taken directly from the CIS Benchmark.

I could update the script to include WpnService in the default $ExcludeList, along with an inline comment to highlight the potential impact on Intune functionality (e.g., Autopatch, remote actions, etc.).

Do you happen to have any references that detail this behavior? It would be good to include a link in the comment or the README.

Here's what the updated $ExcludeList could look like:

```powershell
# List of services to exclude from modification
$ExcludeList = @(
    'ExampleService'  # Skip disabling ExampleService
    'WpnService'      # Do not disable WpnService (Windows Push Notifications System Service) —
                      # doing so will severely degrade functionality for several Intune features,
                      # including Windows Autopatch, remote actions (restart, sync, wipe),
                      # and push notifications from the Intune service.
)
```

@SkipToTheEndpoint (Owner)

So I'm not going to merge this one as it stands right now, partially because for most of these services/behaviours there are already alternative mitigations in place by policy, and secondly because I disagree with the CIS on the necessity for some of this stuff.

As @TheFireKahuna mentions, a TON of functionality is driven through WNS, though there doesn't seem to be any Intune-specific documentation explicitly calling this out.
That being said, that service is in their L2 recommendations, which should be understood as "limited functionality" configurations.

I'm currently working through various L2 recommendations with the team at CIS, and I'll make sure to flag this particular one to them.
