From 680b36c802e798438b2fcc70095045866d50fd88 Mon Sep 17 00:00:00 2001
From: Graham Williams <gray@fleetdm.com>
Date: Sun, 26 Oct 2025 00:01:03 +0100
Subject: [PATCH] Windows Configuration Profiles - Disabling System Services
 (#34446)

- Uses randomly generated UUID for the CmdID as required by [CmdID
Specs](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/d7321df8-ecb2-4c81-8a24-54630bc7456f)
- Created **Device** profile to disable the services as required based
on [Microsoft
Docs](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-systemservices)
- Profiles return as **Verified** in FleetUI
- Event Viewer shows no errors
- Services listed as disabled

Adds configuration profiles for disabling the following services on
startup

Windows Mobile Hotspot Service (icssvc) -
0199f25b-795f-7dee-92cc-0a69d91d6c8a
Internet Connection Sharing (ICS) (SharedAccess) -
0199f25b-795f-76d9-99cb-d122e5b6e6f1
Routing and Remote Access (RemoteAccess) -
0199f25b-795f-7699-8735-e316ffc0564e
Remote Procedure Call (RPC) Locator (RpcLocator) -
0199f25b-795f-7882-9309-44b8f0633b01
SSDP Discovery (SSDPSRV) - 0199f25b-795f-703f-99a1-abecba6b71f8
UPnP Device Host (upnphost) - 0199f25b-795f-7802-9b16-efae4418f444
Windows Media Player Network Sharing Service (WMPNetworkSvc) -
0199f25b-795f-7af7-99ba-2f418f05e77b
World Wide Web Publishing Service (W3SVC) -
0199f25b-795f-7966-a812-4b1d5c5c54cb (Non-standard Service)
Microsoft FTP Service (FTPSVC) - 0199f25b-795f-7d7c-b6ca-597d08a1839d
(Non-standard Service)

---------

Co-authored-by: Dale Ribeiro <dale@fleetdm.com>
---
 .../windows-device-systemservices-ftpsvc-disabled.xml | 11 +++++++++++
 ...device-systemservices-icssharedaccess-disabled.xml | 11 +++++++++++
 .../windows-device-systemservices-icssvc-disabled.xml | 11 +++++++++++
 ...ce-systemservices-routingremoteaccess-disabled.xml | 11 +++++++++++
 ...dows-device-systemservices-rpclocator-disabled.xml | 11 +++++++++++
 ...windows-device-systemservices-ssdpsrv-disabled.xml | 11 +++++++++++
 ...indows-device-systemservices-upnphost-disabled.xml | 11 +++++++++++
 .../windows-device-systemservices-w3svc-disabled.xml  | 11 +++++++++++
 ...s-device-systemservices-wpmnetworksvc-disabled.xml | 11 +++++++++++
 9 files changed, 99 insertions(+)
 create mode 100644 docs/solutions/windows/configuration-profiles/windows-device-systemservices-ftpsvc-disabled.xml
 create mode 100644 docs/solutions/windows/configuration-profiles/windows-device-systemservices-icssharedaccess-disabled.xml
 create mode 100644 docs/solutions/windows/configuration-profiles/windows-device-systemservices-icssvc-disabled.xml
 create mode 100644 docs/solutions/windows/configuration-profiles/windows-device-systemservices-routingremoteaccess-disabled.xml
 create mode 100644 docs/solutions/windows/configuration-profiles/windows-device-systemservices-rpclocator-disabled.xml
 create mode 100644 docs/solutions/windows/configuration-profiles/windows-device-systemservices-ssdpsrv-disabled.xml
 create mode 100644 docs/solutions/windows/configuration-profiles/windows-device-systemservices-upnphost-disabled.xml
 create mode 100644 docs/solutions/windows/configuration-profiles/windows-device-systemservices-w3svc-disabled.xml
 create mode 100644 docs/solutions/windows/configuration-profiles/windows-device-systemservices-wpmnetworksvc-disabled.xml

diff --git a/docs/solutions/windows/configuration-profiles/windows-device-systemservices-ftpsvc-disabled.xml b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-ftpsvc-disabled.xml
new file mode 100644
index 0000000000..dd4400790c
--- /dev/null
+++ b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-ftpsvc-disabled.xml
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureMicrosoftFTPServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/windows-device-systemservices-icssharedaccess-disabled.xml b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-icssharedaccess-disabled.xml
new file mode 100644
index 0000000000..25b0af4f03
--- /dev/null
+++ b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-icssharedaccess-disabled.xml
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInternetConnectionSharingServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/windows-device-systemservices-icssvc-disabled.xml b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-icssvc-disabled.xml
new file mode 100644
index 0000000000..f128d3e279
--- /dev/null
+++ b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-icssvc-disabled.xml
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMobileHotspotServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/windows-device-systemservices-routingremoteaccess-disabled.xml b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-routingremoteaccess-disabled.xml
new file mode 100644
index 0000000000..0423e4df70
--- /dev/null
+++ b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-routingremoteaccess-disabled.xml
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRoutingAndRemoteAccessServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/windows-device-systemservices-rpclocator-disabled.xml b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-rpclocator-disabled.xml
new file mode 100644
index 0000000000..169b529760
--- /dev/null
+++ b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-rpclocator-disabled.xml
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRemoteProcedureCallLocatorServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/windows-device-systemservices-ssdpsrv-disabled.xml b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-ssdpsrv-disabled.xml
new file mode 100644
index 0000000000..3a1c7e6b33
--- /dev/null
+++ b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-ssdpsrv-disabled.xml
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSSDPDiscoveryServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/windows-device-systemservices-upnphost-disabled.xml b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-upnphost-disabled.xml
new file mode 100644
index 0000000000..d479e5bc79
--- /dev/null
+++ b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-upnphost-disabled.xml
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureUPnPDeviceHostServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/windows-device-systemservices-w3svc-disabled.xml b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-w3svc-disabled.xml
new file mode 100644
index 0000000000..53acf49b53
--- /dev/null
+++ b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-w3svc-disabled.xml
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWorldWideWebPublishingServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/windows-device-systemservices-wpmnetworksvc-disabled.xml b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-wpmnetworksvc-disabled.xml
new file mode 100644
index 0000000000..26267e42e1
--- /dev/null
+++ b/docs/solutions/windows/configuration-profiles/windows-device-systemservices-wpmnetworksvc-disabled.xml
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>