Court documents from the arrest of an alleged Scattered Spider hacker reveal Microsoft assigns every Windows installation a persistent Global Device ID (GDID) that can link a PC to its online activity, even when the user is hiding behind a VPN.
- The FBI used Microsoft's GDID records, obtained via court order, to connect a 19-year-old suspect's PC to specific websites, timestamps and hacking tools.
- The GDID survives Windows updates and has no consumer-facing off switch; only a full Windows reinstall generates a new one.
- Signing into Windows with a Microsoft account makes it easier to tie the identifier to a person, and researchers suspect Apple and others hold similar capabilities.
Your Windows PC has a secret ID number, and Microsoft just used one to unmask a hacker
According to the unsealed criminal complaint, Peter Stokes allegedly hacked an unnamed luxury jewellery retailer in May 2025 while using a VPN, which would normally make tracing his real location and identity considerably harder. It did not help him here. After a court order, Microsoft handed investigators records associating a specific GDID with his activity, including a visit to the ngrok signup page at a precise timestamp and connections to servers at hosting provider Tzulo used in the attack.
The complaint quotes a Microsoft representative describing the GDID as “a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device or virtual machine, across certain Microsoft services and scenarios.” The records reportedly included web activity timestamps, IP addresses and tool usage, which investigators used to connect the dots and identify the suspect.
Unique device identifiers themselves are not unusual. Tech companies use them for crash reporting, diagnostics, spotting abuse like repeated free trials, and flagging logins from unfamiliar devices. What surprised security researchers is the granularity: Microsoft could apparently associate the GDID with visits to third-party services and when they happened, which starts to look like activity tracking without needing browser cookies at all.
Why you can’t just turn it off
This is where it gets uncomfortable for everyday users. The GDID survives Windows updates on the same device, and there is no setting anywhere in Windows to disable it. The only way to get a fresh one is a full reinstall of Windows, which means one person can accumulate multiple GDIDs over time, but also that scrubbing the identifier requires nuking your entire setup.
Even that may not buy much anonymity. If you sign into Windows with a Microsoft account, the new GDID can plausibly be matched to the old one through your account login, IP address and usage patterns. Windows offers plenty of privacy toggles, and you can even disable Bing in Windows 11 Search, but nothing in the settings touches this identifier. Cybersecurity expert Matthew Hickey went as far as declaring “Microsoft Windows is surveillance software” in response, while Microsoft has only briefly acknowledged the device ID on a support page and has not commented publicly on the case.
Probably not just Microsoft
Before anyone rage-installs Linux, it is worth noting that researchers doubt this capability is unique to Redmond. Cybersecurity researcher Costin Raiu, speaking on the Three Buddy Problem podcast, questioned whether Apple has the same or even deeper tracking, possibly tied to hardware so that a reinstall changes nothing. “Very likely it’s not unique to Microsoft,” he said, suggesting that genuine anonymity would require Linux or FreeBSD environments tunnelled through proxies, Tor and VPNs.
For most people in the UAE and elsewhere, the practical impact is modest: this identifier was surfaced through a court order in a criminal investigation, not casual snooping. But it is a useful reminder that a VPN hides your traffic from your ISP, not your operating system from its maker. If your threat model includes the platform itself, the tools you need go well beyond a VPN subscription.
FAQ
What is Microsoft's Global Device ID (GDID)?
The GDID is a persistent, device-level identifier that uniquely tags each installation of Windows, on both physical PCs and virtual machines, across certain Microsoft services. It is used for diagnostics, abuse detection and account security, but court documents show it can also link a device to specific online activity.
Can you disable or reset the Windows Global Device ID?
There is no consumer setting to disable the GDID. It survives Windows updates, and the only way to generate a new one is a complete reinstall of Windows. Even then, Microsoft could potentially match a new GDID to the old one via a Microsoft account login or IP address.
Does a VPN stop Microsoft from tracking your Windows PC?
No. In the Scattered Spider case, the suspect used a VPN, but Microsoft's GDID records still tied his Windows installation to specific websites, timestamps and tools. A VPN hides your traffic from your network provider, not your operating system's own telemetry.


