Windows
squidw, 2019-07-08 12:32:45

What checklist do you use with Windows 10/Windows Server 2016?

What do you use on the must-have list when working in an enterprise environment to optimize PCs and servers?
The issue is that these versions, compared with the previous ones, have the maximum amount of auto-starting junk.
We can roughly agree that, on average, a PC runs: network shares, bank clients, office, 1C, instant messengers, SIP telephony, browsers, mail, remote access tools, printing to printers, commercial equipment ... and so on, the standard set of an average office worker; I may have forgotten something.
On the server side: DBMS, 1C servers, IIS and Apache web servers, printing to printers, commercial equipment, crypto programs such as ViPNet and CryptoPro, network shares hosted both on it and externally, FTP servers, backup software, RDP, Hyper-V ... and so on; again, on average, maybe I forgot something.
Actually, there are situations when, in any case, you need to disable certain application services, etc., regardless of what is running on the server / PC.
Usually what you will not find on the net is so extreme. For example, working with updates: either a complete shutdown or as is, and usually you will not find anything described for a home user. That is, let's agree on this question: not to the detriment of the security and currency of the software, we are doing optimization with a focus on the enterprise.
For example, what I do first, regardless of whether it is a PC or a server:
1. In gpedit.msc (or in the GPO if there is a domain)
- Computer Configuration/Administrative Templates/Windows Components/Maps. Here I turn on "Disable unsolicited network traffic ..." and "Disable automatic download...".
- Computer Configuration/Administrative Templates/Windows Components/Application Privacy. I disable everything here except access to the microphone, access to trusted devices, and access to diagnostic information about other applications.
- Computer Configuration/Administrative Templates/Windows Components/Windows Store. I turn everything off here.
- Computer Configuration/Administrative Templates/Windows Components/Search. Here I turn off everything that contains "Cortana".
- Computer Configuration/Administrative Templates/Windows Components/Windows Update. Here "Configure automatic updates" = 2.
If, say, this is an RDP server, where the specifics are clear, then for it in gpedit I do:
- Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services: session time limits for idle and disconnected sessions of 2 hours each; under device and resource redirection, disable audio/video redirection; under remote session environment, force the wallpaper off.
Next, in regedit:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPSvc: I cut off the CDP service, which you can disable by specifying the Start=2 key, and in addition, in cmd: sc config cdpusersvc type=own
Next, I disable and stop the services, either by default or by hand. I specify the service names and not the display names, because the display names change regularly from system to system and the service name generally does not:
aspnet_state
PeerDistSvc
CoreScanner
AarSvc_9ef93
CaptureService_9ef93
ConsentUxUserSvc_9ef93
CredentialEnrollmentManagerUserSvc_9ef93
DeviceAssociationBrokerSvc_9ef93
DevicePickerUserSvc_9ef93
DevicesFlowUserSvc_9ef93
diagsvc
GraphicsPerfSvc
KtmRm
MessagingService_9ef93
AppVClient
ssh-agent
QWave
rsmdriverproviderservice
shpamsvc
smphost
SQLTELEMETRY
WarpJITSvc
WSearch
XboxGipSvc
NcdAutoSetup
tzautoupdate
WwanSvc
CscService
wmiApSrv
WbioSrvc
DevQueryBroker
svsvc
WebClient
vds
autotimesvc
embeddedmode
seclogon
AppReadiness
p2psvc
RasAuto
DsmSvc
XblAuthManager
MapsBroker
p2pimsvc
pla
sppsvc
gpsvc
HgClientService
MSDTC
SNMPTRAP
RpcLocator
RemoteAccess
wcncsvc
SQLBrowser
defragsvc
DoSvc
wercplsupportcastVservecService etc
Then, by hand, I go to the privacy section and turn off everything related to sending data to Microsoft services, receiving data, and other services and functions that are not needed for work.
The problem is actually how to organize this mess, and what sometimes needs to be turned off and what does not. For example, a Windows server constantly complains about the MapsBroker service; has anyone ever used it? How to remove this crap? And, for example, the LanmanServer service is needed both on the server and on the PC to access network shares. OK, I know what the service is called, but why the hell did Microsoft name the service "Server" when it is also LanmanServer; is that logical? And take the TapiSrv service: the service is called Telephony, and what is it needed for? Let's say I use both instant messengers and SIP telephony on my PC, and the question is whether this service affects the operation of telephony or the sound quality. I won't even start on the Windows firewall: for example, “AllJoyn Router (incoming TCP)”, and I wonder whether I need it or not.
Another question: Microsoft has often begun to make its own adjustments to the settings, regardless of whether you set the settings you need or not; at the next update the parameter changes to the one you don’t need. Here, for example, I wrote above that I disable Cortana in gpedit, but at the same time in the device manager, despite this, the SearchUI process hangs around as "Suspended". OK, it's suspended, but what the hell is it eating resources for? I turned you off, so why are you dangling in the system?
That is, globally there are 3 questions:
1. Ready-made scripts or methods for disabling unnecessary services and applications. Everything that is googled is copied from each other, the example with Cortana above.
2. A description of what is specifically guaranteed to never be needed in an organization in 99% of cases.
3. Fixing the state of changes, such as Windows updates. On the one hand, you need to update, but update when I want, and not so that despite the fact that you add gpedit, the system can still push updates when it wants.
I am slowly moving to Linux, but there are some pitfalls, and besides, it is not always possible to completely leave Windows.
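
Added example, not part of the original post: one way to check after an update whether services from the list above have drifted away from Disabled, reading the registry Start value and mapping per-user instance names (the _9ef93 suffix in the post) back to their template key. The baseline subset, the -Apply switch and the function name are assumptions of this example.

```powershell
# Added example: report-only by default; -Apply is this example's own switch.
param([switch]$Apply)

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Constructed baseline: a few of the service names listed in the post.
$baseline = 'MapsBroker', 'XblAuthManager', 'XboxGipSvc', 'WSearch',
            'MessagingService_9ef93', 'DevicesFlowUserSvc_9ef93'

function Get-TemplateName {
    param([string]$Name)
    # Per-user instances are named <template>_<hex suffix>; the suffix differs
    # per logon session, so the persistent Start value is on the template key.
    $Name -replace '_[0-9a-f]{4,}$', ''
}

$templates = $baseline | ForEach-Object { Get-TemplateName $_ } | Sort-Object -Unique

$report = foreach ($name in $templates) {
    $key = Join-Path $root $name
    $start = $null
    if (Test-Path $key) {
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    }
    $state = if ($null -eq $start) { 'not present' } else { $startNames[[int]$start] }
    $drift = ($null -ne $start) -and ($start -ne 4)

    if ($drift -and $Apply) {
        # Needs an elevated prompt; some service keys may be ACL-protected and error out.
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
        # Stop the service itself and any running per-user instances.
        Get-Service -Name $name, "${name}_*" -ErrorAction SilentlyContinue |
            Stop-Service -Force -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{ Service = $name; Start = $state; Drift = $drift }
}

$report | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or monitoring agent flag drift after an update.
if (-not $Apply -and ($report | Where-Object { $_.Drift })) { exit 1 }
```

Run without -Apply from a scheduled task to get a drift report after each update cycle; the exit code is 1 when any listed service is no longer Disabled.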
