Securing Windows 11 for Privacy - A Minimal Work Station [Part 1 of 2]
Strip down Win11 to a lean, privacy-focused machine with one PowerShell script
Every time you boot up Windows 11, it’s phoning home. Telemetry. Advertising IDs. Activity history. Cortana listening. Xbox services running even if you’ve never touched a controller.
Microsoft ships Windows with everything turned on by default. If you’re using your PC for work, especially through a VPN, you don’t need any of that. You need a clean, quiet system that does what you tell it and nothing more.
Here’s how to take back control.
What This Script Does
I wrote a PowerShell script that automates the process of stripping Windows 11 down to essentials. It’s designed for work machines: VPN access, Office apps, web browsing. Not gaming rigs or media centers.
The script handles 6 areas:
- Disables tracking services - Telemetry, diagnostics, Xbox services
- Removes bloatware apps - Cortana, Bing apps, Xbox, OneDrive, and more
- Applies privacy registry tweaks - Turns off advertising ID, activity history, tailored experiences
- Cleans up the taskbar - Removes widgets, Chat, Task View clutter
- Disables telemetry scheduled tasks - Stops background data collection
- Blocks tracking folder recreation - Prevents Connected Devices Platform from coming back
What it leaves alone:
Windows Defender (you still need security)- Windows Update (you still need patches)
- Core system functionality
Before You Run This
Read this first:
- This modifies your system. Back up anything important before running.
- Some changes are difficult to reverse. Removed apps can be reinstalled, but registry changes require manual cleanup.
- Test on a non-critical machine first if you’re unsure.
- Not for gaming PCs. This disables Xbox services. Gamers, look elsewhere.
- Run as Administrator. The script requires elevated privileges.
Best used for:
- Work laptops
- VPN-only machines
- Office/productivity setups
- Privacy-conscious users
- Corporate/BYOD devices you control
The Script
Download: Save this as Win11-Minimal-WorkStation.ps1
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Windows 11 Minimal Work Station Script
.DESCRIPTION
Strip down Windows 11 to a lean, privacy-focused VPN/Office work machine.
Disables telemetry, removes bloatware, applies privacy registry tweaks,
cleans up taskbar clutter, and blocks tracking services.
.NOTES
Script Name : Win11-Minimal-WorkStation.ps1
Version : 1.0
Author : The Captain Dumbass
Created : 2026-01-25
License : MIT
Repository : https://thecaptaindumbass.com/
.EXAMPLE
powershell -ExecutionPolicy Bypass -File .\Win11-Minimal-WorkStation.ps1
Run as Administrator in PowerShell with temporary execution policy bypass.
.LINK
https://thecaptaindumbass.com/
#>
Write-Host "=== Windows 11 Minimal Work Station Setup ===" -ForegroundColor Cyan
Write-Host "This script will disable telemetry, bloatware, and tracking." -ForegroundColor Yellow
Write-Host ""
# --- SERVICES TO DISABLE ---
Write-Host "[1/6] Disabling unnecessary services..." -ForegroundColor Green
$servicesToDisable = @(
"DiagTrack", # Telemetry
"dmwappushservice", # WAP Push Message Routing
"Connected User Experiences and Telemetry",
"CDPSvc", # Connected Devices Platform
"CDPUserSvc", # Connected Devices Platform User Service
"SysMain", # Superfetch
"XblAuthManager", # Xbox Live Auth
"XblGameSave", # Xbox Live Game Save
"XboxGipSvc", # Xbox Accessory Management
"XboxNetApiSvc", # Xbox Live Networking
"WSearch" # Windows Search (optional - comment out if you search locally)
)
foreach ($service in $servicesToDisable) {
$svc = Get-Service -Name $service -ErrorAction SilentlyContinue
if ($svc) {
Stop-Service -Name $service -Force -ErrorAction SilentlyContinue
Set-Service -Name $service -StartupType Disabled -ErrorAction SilentlyContinue
Write-Host " Disabled: $service" -ForegroundColor Gray
}
}
# --- REMOVE BLOATWARE APPS ---
Write-Host "[2/6] Removing bloatware apps..." -ForegroundColor Green
$appsToRemove = @(
"Microsoft.549981C3F5F10", # Cortana
"Microsoft.BingNews",
"Microsoft.BingWeather",
"Microsoft.GamingApp",
"Microsoft.GetHelp",
"Microsoft.Getstarted",
"Microsoft.MicrosoftSolitaireCollection",
"Microsoft.People",
"Microsoft.PowerAutomateDesktop",
"Microsoft.Todos",
"Microsoft.WindowsAlarms",
"Microsoft.WindowsFeedbackHub",
"Microsoft.WindowsMaps",
"Microsoft.WindowsSoundRecorder",
"Microsoft.Xbox.TCUI",
"Microsoft.XboxGameOverlay",
"Microsoft.XboxGamingOverlay",
"Microsoft.XboxIdentityProvider",
"Microsoft.XboxSpeechToTextOverlay",
"Microsoft.YourPhone",
"Microsoft.ZuneMusic",
"Microsoft.ZuneVideo",
"Clipchamp.Clipchamp",
"Microsoft.OneDrive"
)
foreach ($app in $appsToRemove) {
Get-AppxPackage -Name $app -AllUsers -ErrorAction SilentlyContinue | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $app | Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue
Write-Host " Removed: $app" -ForegroundColor Gray
}
# --- REGISTRY TWEAKS - PRIVACY ---
Write-Host "[3/6] Applying privacy registry tweaks..." -ForegroundColor Green
# Disable Telemetry
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Value 0 -Type DWord -Force -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Force -ErrorAction SilentlyContinue | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Value 0 -Type DWord -Force
# Disable Activity History
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "EnableActivityFeed" -Value 0 -Type DWord -Force -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "PublishUserActivities" -Value 0 -Type DWord -Force -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name "UploadUserActivities" -Value 0 -Type DWord -Force -ErrorAction SilentlyContinue
# Disable Advertising ID
New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Force -ErrorAction SilentlyContinue | Out-Null
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" -Name "Enabled" -Value 0 -Type DWord -Force
# Disable App Launch Tracking
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "Start_TrackProgs" -Value 0 -Type DWord -Force
# Disable Tailored Experiences
New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" -Force -ErrorAction SilentlyContinue | Out-Null
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" -Name "TailoredExperiencesWithDiagnosticDataEnabled" -Value 0 -Type DWord -Force
Write-Host " Privacy registry keys applied" -ForegroundColor Gray
# --- DISABLE TASKBAR CLUTTER ---
Write-Host "[4/6] Cleaning up taskbar..." -ForegroundColor Green
# Disable Widgets
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Dsh" -Force -ErrorAction SilentlyContinue | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Dsh" -Name "AllowNewsAndInterests" -Value 0 -Type DWord -Force
# Disable Chat/Teams icon
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarMn" -Value 0 -Type DWord -Force -ErrorAction SilentlyContinue
# Disable Task View button
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "ShowTaskViewButton" -Value 0 -Type DWord -Force
# Disable Search box (show icon only)
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" -Name "SearchboxTaskbarMode" -Value 1 -Type DWord -Force
Write-Host " Taskbar cleaned" -ForegroundColor Gray
# --- DISABLE SCHEDULED TASKS ---
Write-Host "[5/6] Disabling telemetry scheduled tasks..." -ForegroundColor Green
$tasksToDisable = @(
"\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser",
"\Microsoft\Windows\Application Experience\ProgramDataUpdater",
"\Microsoft\Windows\Autochk\Proxy",
"\Microsoft\Windows\Customer Experience Improvement Program\Consolidator",
"\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip",
"\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector",
"\Microsoft\Windows\Feedback\Siuf\DmClient",
"\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
)
foreach ($task in $tasksToDisable) {
Disable-ScheduledTask -TaskName $task -ErrorAction SilentlyContinue | Out-Null
Write-Host " Disabled task: $task" -ForegroundColor Gray
}
# --- BLOCK CONNECTED DEVICES PLATFORM FOLDER ---
Write-Host "[6/6] Blocking Connected Devices Platform folder recreation..." -ForegroundColor Green
$cdpPath = "$env:LOCALAPPDATA\ConnectedDevicesPlatform"
if (Test-Path $cdpPath) {
Remove-Item $cdpPath -Recurse -Force -ErrorAction SilentlyContinue
}
New-Item $cdpPath -ItemType File -Force -ErrorAction SilentlyContinue | Out-Null
attrib +r +s +h $cdpPath
Write-Host " CDP folder blocked" -ForegroundColor Gray
# --- DONE ---
Write-Host ""
Write-Host "=== COMPLETE ===" -ForegroundColor Cyan
Write-Host "Reboot your system for all changes to take effect." -ForegroundColor Yellow
Write-Host ""
Write-Host "Note: Windows Defender and Windows Update remain enabled for security." -ForegroundColor White
How to Run It
Step 1: Download the Script
Copy the script above and save it as Win11-Minimal-WorkStation.ps1 on your desktop (or anywhere you can find it).
Step 2: Open PowerShell as Administrator
- Press Win + X
- Select Terminal (Admin) or Windows PowerShell (Admin)
- Click Yes on the UAC prompt
Step 3: Navigate to the Script
cd $HOME\Desktop
Or wherever you saved the script.
Step 4: Run It (With Temporary Execution Policy Bypass)
Most Windows systems have script execution disabled by default. Instead of permanently changing this setting, use the -ExecutionPolicy Bypass flag to allow this script only:
powershell -ExecutionPolicy Bypass -File .\Win11-Minimal-WorkStation.ps1
Why this is better:
- Only bypasses execution policy for this one script
- Doesn’t permanently change your security settings
- Reverts automatically when the script finishes
- No need to remember to change it back
Step 5: Reboot
After the script completes, restart your computer for all changes to take effect.
Next: In Part 2, we’ll verify that everything was applied correctly and troubleshoot any issues.
What Gets Disabled (Detailed)
Services Disabled
| Service | What It Does | Why Disable It |
|---|---|---|
| DiagTrack | Sends telemetry to Microsoft | Privacy |
| dmwappushservice | WAP push messaging | Not needed for work |
| CDPSvc/CDPUserSvc | Connected Devices Platform | Cross-device tracking |
| SysMain | Superfetch/prefetch | Can cause disk thrashing |
| Xbox services | Gaming features | Not needed for work machines |
| WSearch | Windows Search indexing | Optional - uses resources |
Apps Removed
- Cortana - Voice assistant (tracking)
- Bing News/Weather - Microsoft data collection
- Xbox apps - Gaming services
- Your Phone - Phone Link tracking
- OneDrive - Cloud sync (install manually if needed)
- Feedback Hub - Telemetry submission
- Clipchamp - Video editor bloatware
- Zune Music/Video - Legacy media apps
Registry Changes
| Setting | Effect |
|---|---|
| AllowTelemetry = 0 | Disables telemetry collection |
| EnableActivityFeed = 0 | Stops activity history |
| PublishUserActivities = 0 | Prevents activity sync |
| UploadUserActivities = 0 | Blocks activity uploads |
| Advertising ID Enabled = 0 | Disables ad tracking |
| Start_TrackProgs = 0 | Stops app launch tracking |
| TailoredExperiences = 0 | Disables personalized ads |
Taskbar Cleanup
- Widgets - Disabled (news/weather panel)
- Chat icon - Hidden (Teams integration)
- Task View - Hidden (virtual desktops button)
- Search - Reduced to icon only (not full bar)
Customization
Want to Keep Windows Search?
Comment out line in $servicesToDisable:
# "WSearch" # Windows Search (optional - comment out if you search locally)
Want to Keep OneDrive?
Remove from $appsToRemove:
# "Microsoft.OneDrive"
Want a Different Taskbar Layout?
Modify the taskbar section. For example, to keep the search bar:
# Comment this out to keep search bar
# Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" -Name "SearchboxTaskbarMode" -Value 1 -Type DWord -Force
Reverting Changes
To restore removed apps:
Open Microsoft Store and search for the app name. Most can be reinstalled.
To re-enable services:
Set-Service -Name "DiagTrack" -StartupType Automatic
Start-Service -Name "DiagTrack"
To reset registry values:
You’ll need to manually delete or change the registry keys, or restore from a backup.
Best practice: Create a System Restore point before running the script.
Checkpoint-Computer -Description "Before Win11 Minimal Script" -RestorePointType "MODIFY_SETTINGS"
Additional Resources
- Microsoft Privacy Dashboard - See what Microsoft has collected
- O&O ShutUp10++ - GUI alternative for privacy settings
- Privatezilla - Another privacy tool for Windows
TL;DR
- Windows 11 phones home constantly by default
- This script disables telemetry, removes bloatware, and applies privacy settings
- Use
-ExecutionPolicy Bypassfor temporary script execution - Reboot after running for changes to take effect
- Windows Defender and Updates stay enabled - this is about privacy, not security
- Best for work machines - not gaming PCs
- Next: Part 2 covers verification and troubleshooting
Your Turn
Do you trust Windows with your data out of the box?
What privacy tools do you use on Windows?
Any services or apps you’d add to the removal list?
Drop a comment below!