It's discouraging this has been sitting here for 6 years. It would definitely be a nice feature. I was just encouraged in a support ticket to put in an enhancement request for this very thing. Here's my 2 cents. I have an admin user who is actually manually stopping the Screenconnect service. In the past, I've used Symantec Endpoint Protection, and Bitdefender Gravity Zone, and they both had the ability to password protect the agent such that it couldn't be uninstalled or stopped by even an admin if they didn't have the specific password to do so. I know this is not an antivirus program but IT WOULD BE AWESOME if we could have a way to protect the services from being stopped and the agent from being uninstalled. We are only dealing with corporate owned devices.
Customer support service by UserEcho
This would have been a worthwhile feature, for sure. However, since it didn't seem like it was ever going to happen, I finally found a workaround that worked "enough" for my needs. I don't want to post links here, but you can look up "sc sdset" and find documentation. Basically, you have to use the Security Templates snap-in to create a template and then you can set the permissions on any system services that you want...save the template, open the template to get the SDDL string for the service(s) and permissions...and deploy in some way to your machines. The command will look something like "sc.exe sdset LTService D:AR(D;;DCWPDTCRSD;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" I had to deploy with Intune, unfortunately, but I figured out a way. This was NOT something I was familiar with, so I played with it a lot before I deployed to anything, and I created a security template to UNLOCK everything and created scripts for that so that I have them when I need them. Service lock and unlock scripts. Maybe this will help somebody out there. It was a huge pain, but it was the only thing that worked in my environment.