As with most previous version of Windows, it would be a big improvement in the security of Windows 10 if Microsoft didn`t run a lot of services by default, and instead left it to users to switch on services if they need them.
Every service that is running or can be run increases the attack surface of the computer, and provides facilities within the operating system that malware or attackers might find useful.
To help harden Windows 10, there are many services that can be disabled - but as before, it depends on how you want to use the computer - so be prepared to spend quite a lot of time working out which services can be safely disabled, and which ones are required for the way you want to use the computer. You need to take account of service dependencies, as well as the primary function of the service.
You can control services through the "System Configuration" GUI tool available through "Control Panel" / "Administrative Tools", but using it for this is more for stopping services in the course of fault finding, rather than for permanent configuration.
A better tool is the "Services" tool available through "Control panel" / "Administrative Tools" / "Services".
To change whether a service starts up automatically, is started manually, or is disbled, highlight the service, right click on it, and select Properties.
Some of the services in Windows 10 are legacy services that are the same as on previous versions of Windows - if you don`t want interaction with older versions of Windows, they can and should be disabled.
Windows 10 has many of the same services that exist in Windows 8.1, however some have been dropped, and quite a few have been added. And would you believe, some of the famously insecure services that appeared in Windows NT are still there in Windows 10, and running by default.
I`m still working my way through them all, but here are some of the services that so far, I reckon can be disabled - this list is built around the way I expect to use Windows 10 as a desktop - your list will probably need to be different. The Startup Type after each service is the original setting.
When Microsoft was developing Windows 10, one of the things that emerged was their enthusiasm for the idea of tracking everything that users were doing.
Not content with setting up Windows 10 to do user tracking, they also pushed down the ability to do user tracking on Windows 7 and Windows 8.1, by using the update service to push down an optional update.
On a Windows 7 Pro machine that was set to receive optional updates, this update installed a service called "Diagnostics Tracking Service", which was the service that was to do user tracking. I of course disabled it, and went for broke, and also disabled the other three diagnostic services. The machine runs fine without them, and so does Windows 8.1. Hopefully, by reducing the amount of diagnostics going on, there is less data for Microsoft to get its hands on.
I have included these three diagnostic services in the list above of services to disable, and I have also included another one which is new to Windows 10, called "Connected User Experiences and Telemetry". There is some information on the web that this service manages the collection of various bits of useage information. So it seems to be a good one to disable.
There are two services that are particularily involved in Windows Update - the primary one is of course "Windows Update", and at the moment on my Windows 10 laptop, I have it disabled.
There is another service that is required for Windows update to work, it is "Background Intelligent Transfer Service" - this is the service that interacts with the networking side of Windows, and uses unused periods of network time to do the uploading and downloading of Windows updates.
So if it is disabled, Windows update doesn`t work.