You can’t fully disable Microsoft’s GDID Windows 11 tracker, but these settings limit what it captures
AI-summarised brief · reviewed before publication
Microsoft’s Global Device Identifier (GDID) enabled law enforcement to track Peter Stokes, an alleged Scattered Spider hacker, across VPNs and three countries. Finnish police arrested Stokes in April 2026 based on an Interpol Red Notice, leading to a US federal complaint unsealed in July. Prosecutors allege Stokes breached a luxury jewelry retailer in May 2025, demanding an $8 million ransom. The GDID, a persistent device-level identifier assigned during Windows installation or Microsoft account sign-in, uniquely identifies the operating system installation. It survives updates but not clean reinstalls. Independent researchers reverse-engineered the system, revealing the ID originates from a server-assigned Device PUID stored in the Windows registry. Background services like Connected Devices Platform and Delivery Optimization transmit this identifier to Microsoft’s servers. While primarily used for licensing and cloud features, the GDID links online activities to a single device identity. This mechanism allowed the FBI to bypass anonymity tools, tracing Stokes’ Windows PC despite his use of proxy servers. The case highlights the forensic utility of Microsoft’s internal tracking infrastructure for international criminal investigations.
💡 Why It Matters
- · The GDID functions as an unremovable digital fingerprint that persists even when users employ sophisticated anonymity tools like VPNs.
- · This reveals a critical vulnerability in digital privacy assumptions, proving that standard consumer operating systems can facilitate cross-border law enforcement tracking without user consent or explicit forensic cooperation.