diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index 5c764b532e..b99f534e69 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -100,5 +100,6 @@ #### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md) #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md) ## [Service Host process refactoring](svchost-service-refactoring.md) +## [Per User services in Windows](per-user-services-in-windows.md) ## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) ## [Change history for Application management](change-history-for-application-management.md) diff --git a/windows/application-management/media/gpp-hklm.png b/windows/application-management/media/gpp-hklm.png new file mode 100644 index 0000000000..6e73a3b078 Binary files /dev/null and b/windows/application-management/media/gpp-hklm.png differ diff --git a/windows/application-management/media/gpp-per-user-services.png b/windows/application-management/media/gpp-per-user-services.png new file mode 100644 index 0000000000..6d2d181d93 Binary files /dev/null and b/windows/application-management/media/gpp-per-user-services.png differ diff --git a/windows/application-management/media/gpp-svc-disabled.png b/windows/application-management/media/gpp-svc-disabled.png new file mode 100644 index 0000000000..ba082cec1b Binary files /dev/null and b/windows/application-management/media/gpp-svc-disabled.png differ diff --git a/windows/application-management/media/gpp-svc-start.png b/windows/application-management/media/gpp-svc-start.png new file mode 100644 index 0000000000..6966b6453f Binary files /dev/null and b/windows/application-management/media/gpp-svc-start.png differ diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md new file mode 100644 index 0000000000..47536412b7 --- /dev/null +++ b/windows/application-management/per-user-services-in-windows.md @@ -0,0 +1,142 @@ +--- +title: Per-user services in Windows 10 and Windows Server 2016 +description: Learn about per-user services introduced in Windows 10. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: elizapo +author: lizap +ms.date: 08/14/2017 +--- + +# Per-user services in Windows 10 and Windows Server 2016 + +Per-user services are services that are created when a user signs into Windows or Windows Server and are stopped and deleted when that user signs out. These services run in the security context of the user account - this provides better resource management than the previous approach of running these kinds of services in Explorer, associated with a preconfigured account, or as tasks. + +> [!NOTE] +> Per-user services are only in available in Windows Server if you have installed the Desktop Experience. If you are running a Server Core or Nano Server installation, you won't see these services. + +You can't prevent per-user services from being created, but you can configure the template service to create them in a stopped and disabled state. You do this by setting the template service's **Startup Type** to **Disabled**. + +> [!IMPORTANT] +> If you change the template service's Startup Type, make sure you carefully test that change prior to rolling it out in your production environment. + +Use the following information to understand per-user services, change the template service Startup Type, and manage per-user services through Group Policy and security templates. + +## Per-user services + +Windows 10 and Windows Server 2016 (with the Desktop Experience) have the following per-user services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. + +Before you disable any of these services, review the **Description** column in this table to understand the implications, including dependent apps that will no longer work correctly. + +| Key name | Display name | Default start type | Dependencies | Description | +|------------------------|-----------------------------------------|--------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| CDPUserSvc | CDPUserSvc | Auto | | Used for Connected Devices Platform scenarios | +| OneSyncSvc | Sync Host | Auto (delayed) | | Synchronizes mail, contacts, calendar, and other user data. Mail and other applications dependent on this service don't work correctly when this service is not running. | +| PimIndexMaintenanceSvc | Contact Data | Manual | UnistoreSvc | Indexes contact data for fast contact searching. If you stop or disable this service, search results might not display all contacts. | +| UnistoreSvc | User Data Storage | Manual | | Handles storage of structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. | +| UserDataSvc | User Data Access | Manual | UnistoreSvc | Provides apps access to structured user data, including contact info, calendars, and messages. If you stop or disable this service, apps that use this data might not work correctly. | +| WpnUserService | Windows Push Notifications User Service | Manual | | Hosts Windows notification platform, which provides support for local and push notifications. Supported notifications are tile, toast, and raw. | + +## Disable per-user services + +The template service isn't displayed in the Services console (services.msc) so you need to edit the registry directly, either with Group Policy or a scripted solution, to disable a per-user service. + +> [!NOTE] +> Disabling a per-user service simply means that it is created in a stopped and disabled state. When the user signs out, the per-user service is removed. + +You can't manage all of the per-user service templates services using normal Group Policy management methods. Because the per-user services aren't displayed in the Services management console, they're also not displayed in the Group Policy Services policy editor UI. + +Additionally, there are four template services that can't be managed with a security template: +- PimIndexMaintenanceSvc +- UnistoreSvc +- UserDataSvc +- WpnUserService + +In light of these restrictions, you can use the following methods to manage per-user services template services: + +- A combination of a security template and a script or Group Policy preferences registry policy +- Group Policy preferences for all of the services +- A script for all of the services + +### Manage template services using a security template + +You can manage the CDPUserSvc and OneSyncSvc per-user services with a [security template](/windows/device-security/security-policy-settings/administer-security-policy-settings#bkmk-sectmpl). See [Administer security policy settings](/windows/device-security/security-policy-settings/administer-security-policy-settings) for more information. + +device-security/security-policy-settings/administer-security-policy-settings + +For example: + +``` +[Unicode] +Unicode=yes +[Version] +signature="$CHICAGO$" +Revision=1 +[Service General Setting] +"CDPUserSVC".4,"" +``` + +### Manage template services using Group Policy preferences + +If a per-user service can't be disabled using a the security template, you can disable it by using Group Policy preferences. + +1. On a Windows Server domain controller or Windows 10 PC that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/en-us/download/details.aspx?id=45520) installed, click **Start**, type GPMC.MSC, and then press **Enter** to open the **Group Policy Management Console**. + +2. Create a new Group Policy Object (GPO) or use an existing GPO. + +3. Right-click the GPO and click **Edit** to launch the Group Policy Object Editor. + +4. Depending on how you want to target the Group Policy, under **Computer configuration** or **User configuration** browse to Preferences\Windows Settings\Registry. + +5. Right-click **Registry** > **New** > **Registry Item**. + + ![Group Policy preferences disabling per-user services](media/gpp-per-user-services.png) + +6. Make sure that HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path. + + ![Choose HKLM](media/gpp-hklm.png) + +7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**. + + ![Select Start](media/gpp-svc-start.png) + +8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. + + ![Startup Type is Disabled](media/gpp-svc-disabled.png) + +9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8. + +### Manage template services by modifying the Windows image + +If you're using custom images to deploy Windows, you can modify the Startup Type for the template services as part of the normal imaging process. + +### Use a script to manage per-user services + +You can create a script to change the Startup Type for the per-user services. Then use Group Policy or another management solution to deploy the script in your environment. + +Sample script using [sc.exe](https://technet.microsoft.com/library/cc990290%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396): + +``` +sc.exe configure start= disabled +``` +Note that the space after "=" is intentional. + +Sample script using the [Set-Service PowerShell cmdlet](https://technet.microsoft.com/library/ee176963.aspx): + +```powershell +Set-Service -StartupType Disabled +``` + +## View per-user services in the Services console (services.msc) + +As mentioned you can't view the template services in the Services console, but you can see the user-specific per-user services - they are displayed using the _LUID format (where LUID is the locally unique identifier). + +For example, you might see the following per-user services listed in the Services console: + +- CPDUserSVC_443f50 +- ContactData_443f50 +- Sync Host_443f50 +- User Data Access_443f50 +- User Data Storage_443f50 \ No newline at end of file