TL;DR - Every Windows install gets a permanent, unique ID called a Global Device ID (GDID), created the moment you install Windows or sign in with a Microsoft account. It survives reinstalls and updates. Microsoft uses it for licensing and Store apps, but it also links everything that device does back to one identity, and we only know how far that reach goes because Microsoft handed the FBI a full IP history tied to a GDID to help trace an alleged member of the Scattered Spider hacking group across VPNs and multiple countries. There is no opt-out, no consent screen, and no way to turn it off without breaking Windows activation. What to do: you can't switch GDID off, but you can turn off the extra diagnostic data riding alongside it, and go in with your eyes open about what "signed in with a Microsoft account" actually means.
By The Numbers
| Thing | Figure |
|---|---|
| What GDID is | A permanent, unique ID for your Windows install |
| When it's created | At Windows install, or Microsoft account sign-in |
| Does it survive updates | Yes |
| Consent screen or opt-out | None |
| Countries the alleged hacker's device was traced across | Multiple, via VPNs and proxies |
| Suspect's age | 19 |
| Ransom demand in the case that unravelled | $8 million in crypto |
I went looking for mine
I opened Regedit on my own machine the other night, the way I imagine a few thousand other IT people did the same week. I wasn't expecting to find anything shocking. I've known for years that Windows phones home with diagnostic data, and I've spent a fair chunk of my career telling clients which toggles to flip to cut that down. What I hadn't clocked was that underneath all the diagnostic settings, there's a single number tied to my install that isn't a setting at all. It's not something you can see in Settings. It's not something you agreed to. It's just there, assigned the moment Windows talked to Microsoft's servers, and it has apparently been there the whole time.
That number is called a Global Device ID, GDID for short, and it went from an obscure line in Microsoft's technical documentation to front-page tech news this month for a reason that has nothing to do with me checking my own registry and everything to do with a federal court filing.
What GDID actually is
Microsoft's own description of it, buried in documentation almost nobody reads, calls it a persistent, device-level identifier designed to uniquely identify a Windows installation "across certain Microsoft services and scenarios." In plain terms: the moment you install Windows or sign into a Microsoft account on it, a background service contacts Microsoft's servers and gets handed a unique ID for that specific physical machine. It sits in your registry. It gets read by Microsoft's device directory and reported back as part of ordinary telemetry.
Reinstall Windows and you get a new GDID, but Microsoft can still tie it back to your account history, so a fresh install doesn't buy you a fresh start. Microsoft uses it for boring, legitimate things: software licensing, Windows Store and UWP app entitlements, making sure the copy of Windows on your machine is the one you're allowed to run. That part isn't sinister on its own. Lots of software needs to know which device it's talking to.
The part that turns it into a privacy story is what it's capable of once someone with the right legal authority asks Microsoft to pull the history behind it: a device-level identity that persists across reinstalls, account switches, and, as it turns out, VPNs.
The court filing that made this public
I want to be careful here, because the person at the centre of this case hasn't been convicted of anything, and this post isn't about him. A US federal criminal complaint, unsealed this month, names a 19-year-old dual US-Estonian citizen as an alleged member of the Scattered Spider hacking group. He's alleged to be connected to a May 2025 breach of a US luxury jewellery retailer that ended in an $8 million cryptocurrency ransom demand, though the retailer's own security team pushed the intruders out before any ransom was paid. He was picked up by Finnish police at Helsinki airport, reportedly trying to board a flight to Japan, and was extradited to the US to face charges of conspiracy, computer intrusion, and fraud. He's presumed innocent unless and until a court says otherwise. The names and the crime aren't the point here; what the case exposed about every Windows machine is.
What made the case a tech story rather than just a crime story is how investigators say they placed him at the keyboard. According to reporting on the complaint, the FBI obtained a history of IP addresses tied to his device's GDID from Microsoft, spanning months and multiple countries, even while he was routing through VPNs and proxy servers. Investigators are then reported to have cross-referenced that IP history against logins to accounts already tied to him, personal accounts, not the hacking ones, to place the same device in the same locations at the same times, over and over. A device identifier doesn't know or care whether you're doing something illegal or just doing your taxes. It just persists, quietly, in the background, waiting for someone with a subpoena to ask for the log.
I'm not writing this to relitigate the case. I'm writing it because most of us assumed a VPN meant our IP history was, at worst, scattered across dozens of exit nodes with no thread tying them together. This case is a demonstration that the thread can exist somewhere else entirely: not in the network layer, but baked into the operating system itself.
The part that should bother you even if you've never broken a law
The part that actually sat with me after reading through the reporting on this wasn't that GDID exists. Most operating systems have some version of a device identifier tucked away somewhere. It was that there's apparently no published Microsoft policy on when GDID data gets handed over, no consumer opt-out, and no transparency reporting that breaks out how often it's disclosed. Microsoft publishes broad law-enforcement request numbers the way most big tech companies do, but nothing specific to this identifier. You can't see it in Settings, you can't consent to it or decline it, and there's no annual report telling you how many times a year it gets pulled.
Trying to strip it out yourself doesn't really work either. People have tried deleting the registry value or spoofing it, and the consensus from the people who dig into this kind of thing is that you can't remove GDID without breaking Windows activation and your Store apps, because the same ID that identifies you to investigators is the one proving your copy of Windows is legitimate. It's a security feature and a tracking feature built out of the same piece of plumbing, which is a very Microsoft way for this to have happened.
None of that makes GDID unique. Every phone, every Mac, every games console has some version of a persistent device identity behind the scenes. What's different here is that this is the first time we've seen, in black and white in a public court filing, exactly what that identity can be used to reconstruct: months of movement, across multiple countries, through tools that were supposed to make you anonymous.
What you can actually do about it
I'm not going to pretend there's a setting that turns GDID off, because there isn't, and anyone telling you otherwise is selling something. What you can do is smaller than that, but it's not nothing.
- Trim the diagnostic data riding alongside it. Go to Settings > Privacy & security > Diagnostics & feedback and set it to Required diagnostic data only, turn off "tailored experiences," and use the Delete button to clear what's already been collected. This doesn't touch GDID, but it does shrink the pile of everything else Windows sends home with it.
- Turn off personalised recommendations. Settings > Privacy & security > Recommendations & offers and Search permissions both have toggles worth switching off if you'd rather Windows not build a profile of what you search and click.
- Use a local account where your workflow allows it. GDID gets tied to your Windows install regardless, but a Microsoft account sign-in links it directly to your Microsoft identity in a way a local account doesn't. If you don't need OneDrive, Store purchases, or cross-device sync, a local account keeps one fewer thread connected.
- Know what you're actually running. This is less a checklist item and more the whole point of writing this. If your threat model genuinely requires that a device can't be tied back to you, Windows was never built for that job, and no setting will make it so. That's a decision to make with clear eyes, not a bug to patch.
I want to be honest about the size of this advice: it reduces the noise around GDID, it doesn't remove GDID. For the overwhelming majority of people reading this, that's completely fine, because the identifier existing isn't the threat. Not knowing it exists, and assuming a VPN was doing more than it actually does, is closer to the real one.
Key Takeaways
- GDID is permanent and unremovable. It's created at Windows install or Microsoft account sign-in, survives updates, and can't be turned off without breaking Windows activation.
- There's no consent screen and no opt-out. You were never asked, and there's nowhere in Settings to say no.
- A VPN hides your IP, not your device identity. This case shows a device-level ID can be traced across VPNs and proxies when the underlying operating system is doing its own reporting.
- Microsoft has no public GDID disclosure policy. No transparency report breaks out how often this specific identifier gets shared with law enforcement.
- You can shrink the surrounding telemetry, not GDID itself. Diagnostic data settings, recommendation toggles, and a local account all help. None of them remove the underlying ID.
FAQ
Q: Wait, does this mean Microsoft is spying on everyone, all the time?
Not in the sense of actively watching what you do. GDID is closer to a persistent serial number Microsoft can look up on request, usually under legal process like a subpoena, than an always-on surveillance feed. The concern isn't that Microsoft is reading your screen. It's that a permanent identity for your device exists, with no visibility into when or how often it gets handed over.
Q: I use a VPN. Am I actually protected?
A VPN still does real work: it hides your IP address from the sites you visit and from your ISP. What it doesn't do is erase device-level identifiers baked into the operating system itself, which is exactly what this case demonstrates. Think of a VPN as protecting the network layer, not the machine underneath it.
Q: Does this affect Mac or Linux users too?
macOS and iOS have their own device identifiers Apple can use internally, though Apple's public stance on law-enforcement disclosure and opt-outs differs from what's been reported about GDID. Linux, particularly a distribution you install and manage yourself without a vendor account tied to it, has nothing directly equivalent. If device-level tracking is a genuine concern for your situation, that's a meaningful difference between the platforms worth knowing about.
Q: Should I be worried about this if I've done nothing wrong?
Not worried, exactly, but it's worth updating your mental model. Most of us assumed "properly configured, up to date, sensible browsing habits" was the whole privacy picture. This case is a reminder that the operating system itself is part of that picture too, and it's one most people have never been given the chance to look at, let alone adjust.
Q: Is there any way to actually remove GDID?
People have tried deleting the registry value or attempting to spoof it. The consistent finding from the people who've dug into this is that you can't get rid of it without breaking Windows activation and your Store apps. It's tied into the same plumbing that proves your Windows licence is legitimate.
My Take
I've spent fifteen-odd years telling people to check what their software actually does before they trust it, and this one caught me anyway. Not because GDID is some grand conspiracy, I don't think it is. Microsoft built it to solve a real problem: proving a copy of Windows is legitimately licensed on a specific machine. It's the kind of thing that makes complete sense from inside a product team and looks very different from the outside, once you realise nobody ever told you it was there, and nobody built you a way to say no.
What changes this week isn't the identifier. It's that we can finally see, in a public document, what it's capable of when someone with the right legal authority comes asking. Multiple countries, months of movement, VPNs that were supposed to be the whole point, all tied back to one number sitting quietly in a registry key. That's a genuinely useful tool when it's helping trace someone accused of an $8 million ransom demand. It's also an uncomfortable thing to learn exists on every Windows machine in the house, including the one my kids do their homework on, with no button anywhere that lets any of us decide whether we're okay with that.
I'm not telling you to throw out Windows over this, and I haven't. I am telling you to stop assuming a VPN and a strong password are the whole privacy story, because the operating system underneath them has opinions of its own about who you are, and for now, at least, you don't get a vote.
Stay safe out there, Mat C
<hr/>Securing your workplace? You are probably your family's IT person too.
The same instinct that made me go check my own registry - know what's actually on your machine before you assume it's private - is the one that keeps your family safe online.
Get my Personal Security Quick-Start Guide - the 193-page practical handbook for busy people who want to protect their families without becoming cybersecurity experts.
Plus: Join 158+ Australians getting one 5-minute security briefing every Friday.
Mathew Clark Founder, SecureInSeconds Currently: checking what else is sitting quietly in the registry.
Further Reading
- Windows 11 identifier used to track Scattered Spider perp after Microsoft shared info with FBI (Tom's Hardware, July 2026) - the original reporting connecting GDID to the arrest.
- Windows telemetry backlash: GDID tracking exposes Scattered Spider hacker (Cybernews, July 2026) - how investigators cross-referenced the IP history against known accounts.
- Microsoft GDID: how Windows led the FBI to a hacker (Proton VPN, July 2026) - the privacy-advocate take, including what alternatives exist.
- Microsoft admits Windows 11 has a GDID tracker with no off switch (Windows Latest, July 2026) - the technical breakdown of how GDID is created and why it can't be removed.
- The Scattered Spider crew just pleaded guilty - a different set of alleged members, same loose collective, and the embarrassingly simple trick they used before any of this GDID tracing came into play.
- The FBI just shut down a 2-million-device botnet - another case this month where law enforcement's reach into everyday devices turned out to be bigger than expected.
- Your AI agent runs as you - what runs on your machine with your permissions, and why that question keeps coming back around.
- How email tracking pixels work (and how to kill them) - the other quiet identifier riding along with everything you do online.


