Instead of listing the slew of services to be kneecapped, I'll share the shorter list of just what to execute:
In the NIC's properties, uncheck, or even uninstall all things except TCP/IP4 including and especially Server, Workstation and all of the Link Discovery junk that only seems to work at Bill Gates mansion.
In Services like the menu you attached, run only the DNS client and disable DHCP client in lieu of entering your own legal address and Google's 8.8.8.8 / 8.8.4.4 servers.
Unset the Default Use NetBios over TCP/IP in your NIC's properties.
sc config tcpip6 start= disabled
Since only Google uses TCP/IPv6 on their WANs.
Windows Update and the endless patches, patches for the patches and horizon full of .NetService Pack Critical Sec Updates are successfully avoided in my network by defining a FW outbound policy too lengthy to describe generically.