Microsoft admits Windows 11 has a GDID tracker with no off switch, first documented publicly in an FBI hacker complaint
Microsoft handed the FBI a way to trace a Scattered Spider hacker through VPNs and three countries using a Windows fingerprint most of the 1.6 billion Windows users never knew existed. We break down how GDID works, what caught Peter Stokes, and which privacy settings really reduce your exposure. The post Microsoft admits Windows 11 has a GDID tracker with no off switch, first documented publicly in an FBI hacker complaint appeared first on Windows Latest
A 19-year-old walked through Helsinki airport in April 2026 carrying two 2TB hard drives and a ticket to Japan. He couldn’t make that flight. Finnish police stopped him on an Interpol Red Notice, and by July, US prosecutors had unsealed a federal complaint identifying him as Peter Stokes, an alleged member of the Scattered Spider hacking group, wanted over a May 2025 breach of a US luxury jewelry retailer that ended in an $8 million ransom demand.
No, we haven’t suddenly turned into a crime reporting publication, but it was Microsoft that handed the FBI a way to trace Stokes’ Windows PC across VPNs, proxy servers, and three countries. The tool is called a Global Device Identifier, or GDID, and outside a handful of enterprise documentation pages, most Windows users had never heard the term before this case made it public.
We went through the full 39-page complaint, cross checked it against independent reverse engineering of how Windows generates and transmits this identifier, and fact checked the technical claims since the story broke. Here is everything you need to know about GDID, how it caught Stokes, and what it means if you are one of the 1.6 billion people using Windows PCs.

What is GDID, and where does it come from
The complaint quotes a Microsoft representative describing the GDID as “a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios”
A Global Device ID (GDID) is a permanent, unique digital fingerprint that Microsoft automatically assigns to your computer when you install Windows or sign into a Microsoft account.
Microsoft uses it to manage software licensing and Windows Store apps, but because it links all your online activities on that computer back to a single identity, law enforcement can use it to track a device’s true owner across the internet
It survives Windows updates. It does not survive a clean reinstall, and Microsoft’s footnote in the complaint admits “one Microsoft user could have multiple GDIDs” over the life of a single account.
Microsoft said what the GDID does without saying where it is inside Windows. For that, independent researchers had to reverse engineer it, because Microsoft has published exactly one sentence about GDID in the Azure Monitor reference for Delivery Optimization reporting, where a column called GlobalDeviceId is described only as “Microsoft global device identifier. This is an identifier used by Microsoft internally.”
How Windows generates a GDID
The real chain starts with the Microsoft Account service.

When Windows provisions a device against a Microsoft Account, a system service called wlidsvc talks to login.live.com and gets back what Microsoft calls a Device PUID, a Passport Unique ID, inside the server’s SOAP response. Server assigned. Windows never computes it locally from anything on your PC. It receives a string and stores it.
The PUID lands in your own registry hive, in plain text, at HKCU\SOFTWARE\Microsoft\IdentityCRL\ExtendedProperties under a value named LID. From there, the Connected Devices Platform, the same background service (cdp.dll, running as CDPSvc) that powers Phone Link, cloud clipboard, and Nearby Share, reads that PUID and registers it into Microsoft’s Device Directory Service, which is the identity graph behind all of Microsoft’s cross device features. There, the number gets a lowercase g stuck in front and gets written as g:decimal. Delivery Optimization then reports that same value back to Microsoft’s servers as UCDOStatus.GlobalDeviceId every time your PC shares or downloads update data peer to peer.
Now for the version in plain English: Sign into Windows with a Microsoft Account, and a server assigns your installation a permanent ID number. Windows stores it locally, several background services read it, and it gets stamped onto activity your PC reports back to Microsoft.
Reinstall Windows and you get a new number, but Microsoft’s own records give every reason to link the new one back to the old, through the same account, OneDrive, and activation history, which is close to what happened to Stokes.
How the FBI used GDID to catch Stokes
Stokes got caught because he used the same Windows device for everything, and the GDID stitched all of it back together after the fact.
Scattered Spider members phoned the jewelry retailer’s IT help desk from Google Voice numbers, posed as locked out employees, and talked support staff into resetting three accounts, two with administrator privileges. From there they installed a tunneling tool called ngrok to get past the retailer’s network defenses, moved roughly 77 gigabytes of data to Amazon cloud storage using ngrok and a second tool called Teleport, tried and failed to deploy ransomware, then sent a ransom email with the subject line “IMPORTANT: WE STOLE THE DATA, CONTACT UMMEDIATELY [sic].” They asked for $8 million in cryptocurrency. The retailer refused, ate roughly $2 million in cleanup costs, and moved on.
Investigators later subpoenaed ngrok and found the account used in the attack had been created on May 12, 2025, at 19:21 UTC from a VPN proxy IP address run by Tzulo, a hosting provider. The IP was a dead end. VPN proxies do that. But the GDID is built different.

Microsoft’s records showed that at that exact same minute, a Windows device carrying GDID g:6755467234350028 had visited the ngrok signup page. Three hours later, the same GDID visited the retailer’s own website, through the same Tzulo proxy address used to set up the ngrok account. It gave the FBI a device, that don’t rotate the way VPN exit nodes do.
From there the investigation turned into connecting dots. Once agents had a timeline of every IP address that device had used, they cross referenced it against known logins to accounts prosecutors already suspected belonged to Stokes:
- On June 4, 2024, the GDID’s device used an IP address in Tallinn, Estonia, where Stokes lived. The same IP had logged into his Snapchat account four minutes before that and his Facebook account about 80 minutes after.
- On November 17 and 18, 2024, the same device showed up on a New York IP address, matched to logins on one of Stokes’ Apple accounts and his Snapchat account. Weeks later, on November 26, the same device visited the website for the Empire Hotel in New York, matching another confirmed Stokes trip. He’d posted a Snapchat photo the day before that investigators matched, down to the carpet and wallpaper, against publicly advertised photos of an Empire Hotel suite.
- On February 2, 2025, the device appeared on a Thailand based IP, matched again to his Apple and Snapchat logins. Stokes had posted a Snapchat photo captioned “WALDORF ASTORIA BANGKOK” the day before.
- On January 8, 2025, the same device, now back on an Estonian IP, logged into the mobile game Growtopia. The day before, that same IP address had accessed one of Stokes’ Apple accounts, then a Ubisoft account tied to that Growtopia login two minutes later.
Of course, all these activities doesn’t seem suspicious when taken individually. What made the case is that the same GDID and physical Windows installation, kept showing up at the exact times as accounts investigators already knew were Stokes’, across four countries over roughly eight months.
Note that, Microsoft had already flagged Stokes to the FBI once before, in an October 2024 criminal referral describing “online services telemetry.
Why this bothers privacy researchers, even with a hacker caught
Nobody is arguing the wrong person got arrested. Stokes is accused, with the rest of Scattered Spider, of over 100 corporate intrusions and $100 million-plus in ransom payments, per the DOJ’s numbers. The system worked as intended here.
What has researchers uneasy is everything else the case reveals. Costin Raiu, a well-known malware researcher, asked on the Three Buddy Problem podcast how much of this exists on other platforms, and whether it is linked more permanently to hardware. Matthew Hickey, another security researcher, called Windows “surveillance software”.

Two things back that up:
- There’s no consent screen. A GDID gets assigned when you sign into a Microsoft Account. Apple’s advertising identifier needs an App Tracking Transparency prompt and a visible reset; Android’s works the same way. GDID has neither, and a Windows reinstall only gets you a new number Microsoft can still get back to the same account.
- Then there’s activation. Massgrave, the group behind Microsoft Activation Scripts, notes that Windows setup sends hardware info to Microsoft and gets identifiers back, the same tokens later used for Store access and licensing: “It’s impossible to prevent Windows from getting a GDID without breaking activation and UWP app[s].” Anyone who lost a license after swapping a motherboard has already met a smaller version of this.
Yes, every major OS keeps some persistent device identity, and every vendor can be subpoenaed. But what differs with Microsoft is visibility and control, and Windows loses on both against Apple and Google’s platforms.
What you can do about it
Reinstalling Windows isn’t the fix people assume. You get a new GDID but sign back into the same Microsoft Account and Microsoft has every reason to connect it to your old activity anyway. A few things help more:
- Use a local account instead of a Microsoft Account, but we are also aware of how difficult it has become to skip signing in with a Microsoft account. Fortunately, the company is making it easier.

- Turn off optional diagnostic data under Settings > Privacy & security > Diagnostics & feedback.

- Block Advertising IDs by toggling off personalized ads and launch tracking under Privacy & security > Recommendations & offers.

- Disable Cloud Search by turning off Cloud Content Search from Privacy & security > Search to stop local searches from sending data to Bing.

- See our guide on stripping unwanted AI features and background services out of Windows 11.
- For journalism, activism, or domestic abuse situations, skip Windows and use Linux routed through Tor instead of a commercial VPN. A GDID doesn’t care which VPN you use, only that it’s still the same Windows installation.
Our take
Am I glad Stokes got caught? Yes, without hesitation. Thirty-five pages of a teenager bragging about diamond chains spelling out “HACK THE PLANET” while extorting a jewelry store don’t leave much room for sympathy, whatever role Microsoft’s telemetry played in building the case.
But that doesn’t make the GDID okay. Every company selling you software has some version of this, and a persistent device identity is a reasonable thing to build into activation and fraud systems. What gets me is that most people had never come across the term GDID before a federal court filing such as this. Microsoft wrote one sentence about it in an Azure Monitor reference table meant for enterprise IT admins pulling update reports, not for the 1.6 billion or so regular people whose PCs are generating this data.
You might be tech savvy enough to turn off Activity History, pick a local account, and strip out every scrap of optional telemetry, but none of it changes the fact that the identifier exists, and that it answers to your Microsoft Account instead of you. Microsoft only told the public about it once a court forced the issue.
The post Microsoft admits Windows 11 has a GDID tracker with no off switch, first documented publicly in an FBI hacker complaint appeared first on Windows Latest
admin