I use ACLs to restrict access to mmc.exe to the admin account only. That way, lots of mmc things are not available to the attacker since I use the Standard account daily.
Which Windows 11 Services Are Safe to Disable?
- Thread starter lokamoka820
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
Print Spooler
BitLocker drive encryption service
Windows Biometric Service
AssignedAccessManager
Geolocation Service
Parental Controls
WalletService
Fax
Payments and NFC/SE Manager
Phone Service
Print Device Configuration Service
Sensor Service
Server
Shared PC Account Manager
you can get help from this list
BitLocker drive encryption service
Windows Biometric Service
AssignedAccessManager
Geolocation Service
Parental Controls
WalletService
Fax
Payments and NFC/SE Manager
Phone Service
Print Device Configuration Service
Sensor Service
Server
Shared PC Account Manager
you can get help from this list
@sophiakaile Disabling Sensor Service will make some of Settings > System > Power not work on Win 11 24H2.
Last edited:
I'm experiencing the same issue on my freshly installed system, suggesting it's a Windows 11 24H2 bug.
I think the developer still on Windows 10 (depending on his video tutorial), and this feature (the network & internet connection shortcut on settings app) is just available in Windows 11, so I guess he didn't notice this bug, I'm still on 23H2 so it is not just related to 24H4.
I reverted to a clean system image, and the settings panel displays internet connection. I'll see if I can identify the problem.
I could not find the problem. After the clean image backup, the only operations I performed were disabling Windows Services, disabling Microsoft Defender and Firewall, and installing Comodo Firewall. I repeated these operations on a clean system image, and the settings dashboard shows "internet connected."
Thank you so much @rashmi for your efforts, I think I should contact the developer to fix the issue, anyway the recommended services from you and other members in this thread and the article from @oldschool were very helpful for me, which makes me understand what I'm disabling (or make manual instead of automatic) rather than following 3rd party app blindly (with respect to the app because the issue is not crucial).
Yes, manually disabling services is better. Third-party tools might forcefully disable services that display "access denied" error messages.
I re-enabled the "Microsoft Account Sign-in Assistant" service because it prevents downloads from the Microsoft Store.
UPDATE:
I contacted Pegasun System Utilities's developer to report the issue about its service optimizer tool, and after testing we found that it was working perfectly (so it is completely safe to use to optimize system services), so he asked me to reproduce the issue and send a screenshot to be sure that it is not a one time issue, and finally I get the issue again (I think it was in the "Tune up computer" section rather than "Service Manager" section in the "Optimization Toolbox"), and I'm waiting for a response.
Here is the issue where the internet connection shows that it is not connected while in fact it is connected, maybe it is a registry entry mess:
I contacted Pegasun System Utilities's developer to report the issue about its service optimizer tool, and after testing we found that it was working perfectly (so it is completely safe to use to optimize system services), so he asked me to reproduce the issue and send a screenshot to be sure that it is not a one time issue, and finally I get the issue again (I think it was in the "Tune up computer" section rather than "Service Manager" section in the "Optimization Toolbox"), and I'm waiting for a response.
Here is the issue where the internet connection shows that it is not connected while in fact it is connected, maybe it is a registry entry mess:
There is no one holistic approach, everyone has different system environment. To disable services based on your own needs you need to make your own walk-trough, but be aware of their dependencies. There are lots of guides based on some 'majority needs' approach, I find them all lacking in some way. The best solution is your own 
Is this the one?
Harden Windows 10/11 to Improve Security & Privacy | SysHardener
A powerful application to harden Windows 10/11 to mitigate cybersecurity threats, restrict functionalities of Windows that you don't need and reduce the attack surface.
www.syshardener.com
Or the one you said OSA System Hardener is different?
@lokamoka820
For extreme configuration :
For windows 10/11, If you use only a pc in a admin account and you have your own media player and you don't use VSC (Visual Studio Code) , with no outside accessories like servers and printer etc.. (no remote) the only thing you need is the NET Framework with sharing port enabled if you use a logical firewall not physical, and a sandbox windows ( available only on a windows pro or higher and want to isolate ONLY third party process that are not signed with a windows certificate accepted in your kernel -> See CertMgr.msc ). Also if you use VMWARE Workstation pro or other virtual Machine and a sandbox is already inside your VM (you don't need Hyper V (can cause a conflict) and windows sandbox anymore).
My recommendation of a local configuration : (without independent soft)
- hyper V enabled (without VMWARE) - Host Guardian Service enabled (if you want to harden your VM on a compatible Os server)
- NET framework (all versions you have) with sharing TCP port enabled
- sandbox windows (Pro - Enterprise) enabled (without Sandboxie or other Sandbox solution like deepfreeze) - Configure your Bios - Virtualisation must be active.
For extreme configuration :
For windows 10/11, If you use only a pc in a admin account and you have your own media player and you don't use VSC (Visual Studio Code) , with no outside accessories like servers and printer etc.. (no remote) the only thing you need is the NET Framework with sharing port enabled if you use a logical firewall not physical, and a sandbox windows ( available only on a windows pro or higher and want to isolate ONLY third party process that are not signed with a windows certificate accepted in your kernel -> See CertMgr.msc ). Also if you use VMWARE Workstation pro or other virtual Machine and a sandbox is already inside your VM (you don't need Hyper V (can cause a conflict) and windows sandbox anymore).
My recommendation of a local configuration : (without independent soft)
- hyper V enabled (without VMWARE) - Host Guardian Service enabled (if you want to harden your VM on a compatible Os server)
- NET framework (all versions you have) with sharing TCP port enabled
- sandbox windows (Pro - Enterprise) enabled (without Sandboxie or other Sandbox solution like deepfreeze) - Configure your Bios - Virtualisation must be active.
You may also like...
-
-
How can I disable signing in to a Microsoft account on Windows 11?
- Started by rashmi
- Replies: 5
-
Microsoft Finally Releases the November Week D Preview Update for Windows 11- Started by Gandalf_The_Grey
- Replies: 1
-
-
Help: Comodo 2025 - cmdguard.sys - boot fail with newer Nvidia drivers- Started by Something-x2
- Replies: 33