Is there a way to set a GPO to check if a service is running and if it is not, start it?
For instance if malware or user stops a service such as the Windows Update service, it should be automatically restarted at the next policy refresh.
The other setting I would like to change the permissions so on only members of specific security groups (such as helpdesk to domain admins) can make changes to the service.
There are users who Google: "How to turn off Windows updates" and decide to stop/disable the update service so they don't have to install updates.