On June 30, 2026, a federal cybercrime complaint unsealed in the case against an alleged Scattered Spider member did more than detail a botched ransomware attempt. It laid bare a Windows feature that most users have never heard of: the Global Device Identifier, or GDID. The document shows how investigators used that persistent identifier to connect a single Windows installation across changing IP addresses, a VPN, and months of online activity — correlating everything from intrusion tools to hotel bookings long after the suspect tried to cover his tracks.

A Federal Complaint Unmasks Windows’ Hidden Identifier

Peter Stokes, a 19‑year‑old dual US‑Estonian citizen, faces conspiracy, cyber intrusion, and fraud charges. The allegations are not proven, and he is entitled to the presumption of innocence. Yet the filing itself reveals a startling capability. According to a Microsoft representative quoted in the complaint, a GDID is “a persistent, device‑level identifier intended to uniquely identify an installation of Windows across certain Microsoft services and scenarios.” It can represent Windows running on physical hardware or a virtual machine, and it survives routine operating‑system updates. Reinstall Windows, and you get a fresh GDID; otherwise, it stays put.

That is not the same as a hardware‑baked super‑cookie. But it is durable enough to survive the network‑layer tricks an ordinary user might deploy for anonymity. The GDID lives at the operating‑system level, tied to the installation. When you sign into services, when apps phone home, when Windows itself checks for updates or reputation data, the GDID can tag along. Microsoft uses it for activation, device synchronization, telemetry, fraud prevention, and threat intelligence. The problem is that no control panel tells the user that this tag exists, when it was created, which components submit it, or how long the records linger.

Independent researchers have tried to fill the gaps. Technical reports link the GDID’s creation and storage to Microsoft account identity components, the Connected Devices Platform, and Microsoft’s device‑directory services. The Delivery Optimization engine also carries a field called GlobalDeviceId. Some findings suggest a GDID can be issued even without an actively connected Microsoft account, though the picture remains murky. Microsoft’s consumer documentation is essentially silent on the matter — the most transparent definition comes from a law‑enforcement affidavit, not from the company’s privacy dashboard.

The VPN Didn’t Fail — the Identifier Succeeded

The intrusion that spawned the case occurred between May 12 and May 15, 2025, against an unnamed luxury jewelry retailer. Prosecutors allege that attackers exfiltrated data and demanded roughly $8 million in cryptocurrency. The retailer paid no ransom, but the digital forensics are what matter here. An ngrok account allegedly used to maintain access was created on May 12 at 19:21 UTC from an IP address belonging to Tzulo, a VPN proxy service. The address alone pointed only to a VPN server.

Microsoft’s records supplied a more durable pivot. According to the complaint, a device carrying a specific GDID accessed the ngrok signup page at the same minute the account was created. About three hours later, the same Windows installation visited the retailer’s website through that very VPN address. Investigators didn’t treat the GDID as a standalone identity card. They compared the device’s IP history with records from Snapchat, Facebook, Apple, Google, Ubisoft, ngrok, Teleport, travel authorities, hotels, and other providers. The GDID appeared from an address in Tallinn, Estonia, on a day when accounts attributed to Stokes used the same address. Later it surfaced in New York and Thailand at times that aligned with travel records and social‑media posts — including a photo allegedly taken inside an Empire Hotel room that matched the GDID’s visit to the hotel’s website.

This is not a story about Windows telemetry single‑handedly defeating a VPN. A VPN conceals your home IP from websites, but it does not stop applications or the OS itself from sending persistent identifiers to their own providers. The GDID let investigators ask a different question: instead of “who owns this changing IP,” they could ask “where has this same Windows installation appeared over time, and which identifiable accounts were used alongside it?” The power is in the correlation.

What the GDID Does — and Doesn’t — Record

The complaint states that Microsoft records linked the GDID to specific web pages: the ngrok signup page, the victim’s site, a hotel website, and a Growtopia login URL. That deserves scrutiny, but it does not establish that Microsoft receives every URL visited by every Windows PC. Several features can process addresses for legitimate security and sync purposes: Microsoft Defender SmartScreen, reputation checks, cloud‑based protection, Edge browser sync, online identity services, and optional diagnostic data can all generate records that include domains or full URLs under certain conditions. The filing doesn’t reveal exactly which component produced each record, nor whether the data came from one telemetry channel, multiple services, or targeted monitoring tied to an existing investigation.

Microsoft had previously submitted cybercrime referrals related to Stokes, so the data may reflect a mix of standard platform logs and threat‑intelligence work. That uncertainty should prevent two extreme conclusions. It is premature to claim Windows continuously uploads everybody’s browsing history. But it is equally difficult to dismiss the privacy implications when a persistent installation identifier can be joined with detailed network and service records — especially when users have no easy way to know that the identifier exists.

What This Means for Every Windows User

The GDID’s sudden public exposure transforms a theoretical privacy concern into a tangible one. Here is the practical impact.

For everyday users
Your Windows PC almost certainly carries a GDID right now. Even if you don’t use a Microsoft account, the identifier may still be generated. If you leave optional diagnostic data turned on — and that’s the default on Home and Pro editions — the data Microsoft collects can include URLs you visit, tagged with your GDID. The Stokes case shows that this data can be subpoenaed, and that the GDID allows law enforcement to assemble a timeline of your device’s activity across locations and services, even when you’re behind a VPN.

For power users and privacy enthusiasts
There is no “Off” switch for the GDID. Disabling all optional telemetry does not delete the identifier; it may simply reduce the volume of what’s transmitted. The GDID lives in Microsoft’s services as much as on your local machine. A clean Windows installation generates a new one, but re‑signing into the same accounts and services can quickly reconnect your identity to the new identifier through other correlating signals.

For IT administrators
Organizations have more levers: Group Policy, mobile‑device management, firewall rules, and diagnostic‑data levels can limit what Windows sends. But you cannot extinguish the GDID through configuration. Disabling Connected Devices Platform or Delivery Optimization services wholesale may break Windows Update, Store content, and cross‑device experiences. Administrators should focus on restricting telemetry to the minimum required (Security level) and auditing Microsoft endpoint traffic, but they must acknowledge that the underlying identifier remains.

How We Got Here

The GDID isn’t new. Reverse engineers have been dissecting it for years. What’s new is the public sightline into its forensic power. The Stokes case — unsealed on June 30, 2026 — is the first public matter where a GDID was used as a tracking identifier containing URLs the defendant visited. It lands in an environment already simmering with discontent about Windows telemetry. Home and Pro editions ship with optional diagnostic data enabled by default, with no simple “Off” toggle in plain sight. Required (Basic) telemetry does not appear to transmit URLs by default, but the GDID itself persists regardless of the diagnostic level. The difference is that Optional/Full can attach visited addresses to that identifier, as Stokes’ setup likely did.

The backstory of the case amplifies the concern. Stokes allegedly used a VPN, the ngrok tunneling service, and Teleport to obscure his origin. He created the ngrok account via a VPN IP. Yet the combination of his GDID, overlapping account activity, and cross‑service subpoenas (Microsoft, Google, Apple, Snapchat, and others) assembled a detailed picture of his physical movements and online actions. This was not a case of one magic click tracing a criminal; it was a lesson in how many digital fingerprints a modern device leaves, regardless of network obfuscation.

What You Can Do Right Now

No single setting will erase your GDID. But you can reduce what Windows sends and limit correlation.

  1. Dial back diagnostic data. Go to Settings > Privacy & security > Diagnostics & feedback and switch from “Optional” to “Required” diagnostic data. Required mode sends only basic information about your device, its settings, and capabilities, not URLs or app‑usage details.
  2. Turn off tailored experiences. In the same section, disable “Tailored experiences” and advertising options. While this doesn’t affect the GDID itself, it limits how Microsoft uses the data linked to it.
  3. Disable activity history. Under Settings > Privacy & security > Activity history, switch off storing activity history on the device and clear any existing history.
  4. Use a local account. Signing in with a local account instead of a Microsoft account reduces direct account‑to‑GDID linkage. However, technical findings suggest the GDID can still be created; a local account just severs one correlation path.
  5. Review your browser sync and security features. If you use Edge, signing out of sync and turning off SmartScreen can prevent URL telemetry from that vector. On Chrome or Firefox, disconnect any Windows‑based sync mechanisms.
  6. Consider third‑party firewall rules — with caution. Blocking known Microsoft telemetry endpoints at the network level can further reduce data leakage, but may interfere with updates and security services. This is a power‑user step that requires ongoing maintenance.
  7. Accept the nuclear option: clean install. A fresh Windows installation generates a new GDID. But if you immediately sign into the same online accounts and reuse the same apps, other identifiers (cookies, account IDs, hardware fingerprints) will quickly rebuild the associations. Reinstalling just for the GDID is akin to burning your house down because a spy knows your address.

Ultimately, the only real fix must come from Microsoft. The company can document the GDID’s lifecycle, provide users with a visible identifier that can be reset or rotated, and clearly disclose what data is tied to it and how long it is retained. Until that happens, Windows users are forced to mitigate a largely invisible tracking surface.

What Comes Next

The Stokes case is a turning point. It puts Microsoft under fresh pressure — from privacy advocates, enterprise customers, and likely regulators — to explain the GDID in terms meant for consumers, not just enterprise telemetry schemas. Expect calls for a dedicated privacy control, akin to the advertising ID reset, that lets users regenerate the GDID on demand. The European Union’s GDPR already requires transparency for identifiers that can be linked to individuals, and this case may trigger new scrutiny from data protection authorities.

For the rest of us, the message is clear: if you rely on a VPN alone for anonymity, you’re missing the forest for the trees. The operating system underneath carries its own indelible marks. The GDID is one of many digital fingerprints — browser canvases, font lists, TLS signatures, DRM tokens — that can uniquely identify a device. The Stokes case proves that when those fingerprints are subpoenaed, they can reconstruct a surprisingly personal map. Until Microsoft offers real controls, that map remains drawn without your permission.