Verifying Your Windows 11 Privacy Setup [Part 2 of 5]

Windows Systems January 26, 2026

Confirm your privacy changes actually stuck - because Windows has a habit of undoing them

Prerequisite

This guide assumes you have already run the privacy script from Part 1: Securing Windows 11 for Privacy. If you have not, start there first.

Why Verify?

Windows has a habit of re-enabling things. Updates can restore settings. Some services are stubborn. Before you assume you are protected, confirm it.

The verification script checks:

Services are actually disabled
Bloatware apps are removed
Registry keys are set correctly
The CDP folder block is in place

The Verification Script

Save this as Win11-Verify-Minimal.ps1 and run it in PowerShell. Admin is not required for verification since it only reads settings.

Write-Host "=== Verifying Minimal Work Station Setup ===" -ForegroundColor Cyan
Write-Host ""

# Check Services
Write-Host "[Services - Should be Disabled/Stopped]" -ForegroundColor Yellow
$services = @("DiagTrack", "CDPSvc", "CDPUserSvc", "SysMain", "XblAuthManager", "WSearch")
foreach ($svc in $services) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        $status = if ($s.StartType -eq "Disabled") { "OK - Disabled" } else { "STILL ENABLED" }
        $color = if ($s.StartType -eq "Disabled") { "Green" } else { "Red" }
        Write-Host "  $svc : $status" -ForegroundColor $color
    } else {
        Write-Host "  $svc : Not Found (OK)" -ForegroundColor Green
    }
}

Write-Host ""

# Check Bloatware Apps
Write-Host "[Bloatware Apps - Should be Removed]" -ForegroundColor Yellow
$apps = @("Microsoft.BingNews", "Microsoft.XboxGamingOverlay",
          "Microsoft.OneDrive", "Microsoft.YourPhone", "Clipchamp.Clipchamp")
foreach ($app in $apps) {
    $pkg = Get-AppxPackage -Name $app -ErrorAction SilentlyContinue
    $status = if ($pkg) { "STILL INSTALLED" } else { "OK - Removed" }
    $color = if ($pkg) { "Red" } else { "Green" }
    Write-Host "  $app : $status" -ForegroundColor $color
}

Write-Host ""

# Check Registry Keys
Write-Host "[Privacy Registry Keys]" -ForegroundColor Yellow
$telemetry = (Get-ItemProperty -Path `
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" `
    -Name "AllowTelemetry" -ErrorAction SilentlyContinue).AllowTelemetry
$adId = (Get-ItemProperty -Path `
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" `
    -Name "Enabled" -ErrorAction SilentlyContinue).Enabled

$telStatus = if ($telemetry -eq 0) { "OK - Disabled" } else { "NOT SET" }
$telColor = if ($telemetry -eq 0) { "Green" } else { "Red" }
Write-Host "  Telemetry: $telStatus" -ForegroundColor $telColor

$adStatus = if ($adId -eq 0) { "OK - Disabled" } else { "NOT SET" }
$adColor = if ($adId -eq 0) { "Green" } else { "Red" }
Write-Host "  Advertising ID: $adStatus" -ForegroundColor $adColor

Write-Host ""

# Check CDP Folder Block
Write-Host "[Connected Devices Platform Folder]" -ForegroundColor Yellow
$cdpPath = "$env:LOCALAPPDATA\ConnectedDevicesPlatform"
if (Test-Path $cdpPath -PathType Leaf) {
    Write-Host "  CDP Folder: OK - Blocked (exists as file)" -ForegroundColor Green
} elseif (Test-Path $cdpPath -PathType Container) {
    $items = (Get-ChildItem $cdpPath -ErrorAction SilentlyContinue).Count
    Write-Host "  CDP Folder: EXISTS with $items items" -ForegroundColor Red
} else {
    Write-Host "  CDP Folder: Deleted (may recreate)" -ForegroundColor Yellow
}

Write-Host ""
Write-Host "=== Verification Complete ===" -ForegroundColor Cyan

How to Run It

Press Win + X and select Terminal or Windows PowerShell
Navigate to the script: cd $HOME\Desktop (or wherever you saved it)
Run: powershell -ExecutionPolicy Bypass -File .\Win11-Verify-Minimal.ps1

Understanding the Output

All Green = Success

If every line shows green text, your system is locked down. The script ran correctly and everything held after reboot.

Red Items = Needs Attention

If you see STILL ENABLED or STILL INSTALLED, something did not take. See the troubleshooting section below.

Yellow Items = Partial

Yellow means the change happened but is not fully secured. For example, a deleted CDP folder without the blocking file in place will likely come back.

Troubleshooting

Service Shows "STILL ENABLED"

The service did not get disabled. Fix it manually as Administrator:

# Run as Administrator
Set-Service -Name "DiagTrack" -StartupType Disabled
Stop-Service -Name "DiagTrack" -Force

Replace DiagTrack with the service name shown in red. Common reasons: script was interrupted, Windows Update re-enabled it, or Group Policy override on corporate machines.

App Shows "STILL INSTALLED"

The app was not removed. Remove it manually as Administrator:

# Run as Administrator
Get-AppxPackage -Name "Microsoft.BingNews" -AllUsers | Remove-AppxPackage -AllUsers

Replace Microsoft.BingNews with the app name shown in red. Common reasons: app was in use during removal, provisioned for new users, or it is a protected system app.

Registry Key Shows "NOT SET"

The registry key was not applied. Add it manually as Administrator:

Telemetry:

# Run as Administrator
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" `
    -Name "AllowTelemetry" -Value 0 -Type DWord -Force

Advertising ID:

New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Force | Out-Null
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" `
    -Name "Enabled" -Value 0 -Type DWord -Force

CDP Folder Shows "EXISTS with X items"

The folder block did not work. Fix it manually as Administrator:

# Run as Administrator
$cdpPath = "$env:LOCALAPPDATA\ConnectedDevicesPlatform"
Remove-Item $cdpPath -Recurse -Force -ErrorAction SilentlyContinue
New-Item $cdpPath -ItemType File -Force | Out-Null
attrib +r +s +h $cdpPath

This deletes the folder, creates a file with the same name, and marks it read-only, system, and hidden. Windows cannot recreate the folder because a file already exists there.

Re-Running After Updates

Windows Updates can undo your changes. After major updates:

Run the verification script
Note any red items
Re-run the main script if needed, or fix manually

I recommend running verification monthly or after any Windows feature update.

Manual Verification (Without Script)

If you prefer to check things by hand:

Check Services:

Get-Service DiagTrack, CDPSvc, SysMain | Select-Object Name, Status, StartType

Look for StartType: Disabled.

Check Apps:

Get-AppxPackage -Name *Bing*, *Xbox*, *YourPhone* | Select-Object Name

If nothing returns, they are removed.

Check Telemetry Registry:

Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name AllowTelemetry

Should show AllowTelemetry : 0.

Check CDP Folder:

Test-Path "$env:LOCALAPPDATA\ConnectedDevicesPlatform" -PathType Leaf

Should return True (it is a file, not a folder).

Resources

Part 1: Securing Windows 11 for Privacy - The main script
Microsoft Privacy Dashboard - See what Microsoft has collected
O&O ShutUp10++ - GUI alternative for privacy settings

Part 1: Securing Windows 11 Part 3: Ditch the Microsoft Account