Microsoft Just Admitted Windows Has a Hidden Tracker You Can't Turn Off

A federal complaint has revealed Microsoft's hidden GDID tracker, a persistent Windows identifier that survives updates and can tie your online activity back to your device.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

The Windows device you've been using for years contains a tracking mechanism capable of linking your online activity and interactions with third-party applications back to your identity. For the first time, Microsoft has acknowledged the existence of the Global Device Identifier (GDID)[1] in a federal complaint.

GDID is permanent, survives Windows updates, and there’s no opt-out option for the 1.6 billion Windows users, essentially making it a largely unavoidable surveillance tool. Is this another Microsoft Recall fiasco unfolding right in front of us?

Although GDID helped the FBI arrest Peter Stokes — an individual accused of attempting to launch a ransomware attack against a large U.S. jewelry retailer, among other cybercrimes — cybersecurity experts are worried about the privacy implications of a global tracking mechanism that cannot be turned off.

In this article
Microsoft finally admits to a device tracker
How GDID helped investigators track a cybercriminal
Why is GDID a privacy concern
Reinstalling Windows gives you a new GDID, but you're still trackable
What can you do to protect yourself
Bottom line

Microsoft finally admits to a device tracker

GDID is an identifier tied to your Windows hardware, assigned when Windows is set up with a Microsoft account.

"A Global Device Identifier in the Windows ecosystem is a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios," says the 39-page federal complaint filed by U.S. prosecutors against Peter Stokes.

This is the first time Microsoft has publicly acknowledged the existence of GDID. Prior to this, Microsoft only briefly mentioned GDID in its Azure documentation, with virtually no details about how it works.

How GDID helped investigators track a cybercriminal

It's fair to say that Peter Stokes made little effort to hide his tracks. He used the same Windows device for all his online activities, and GDID was quick to tie everything back together.

Stokes used a tunneling tool called ngrok to bypass the retailer's network defenses, transferring 77 GB of data to Amazon Cloud storage. When investigators subpoenaed ngrok, they found that the account had been created on May 12, 2025, at 19:21 UTC using a VPN (Virtual Private Network) proxy IP address from Tzulo.

Microsoft's records showed that at that exact time, a Windows device with GDID g6755467234350028 visited the ngrok sign-up page. Three hours later, the same GDID device visited the jewelry retailer's website using the same Tzulo proxy IP address.

This gave investigators reason to suspect Stokes and continue tracking his online activities over the following months.

  • In June, Stokes' GDID device logged into his Snapchat and Facebook accounts within the same session using an IP address in Estonia.
  • In November, the same GDID device appeared on a New York IP address while visiting the Empire Hotel's website. A Snapchat photo posted a day earlier helped investigators match the carpet and wallpaper of the Empire Hotel suite.
  • In February, the device appeared on a Thailand-based IP address.
  • In January, it was back on an Estonian IP address, where Stokes lived, accessing the mobile game Growtopia.

While Stokes changed IP addresses and moved from country to country, one thing remained constant throughout all his online activity: the same Windows GDID.

After months of tracking, investigators were convinced that Stokes had initially accessed ngrok's sign-up page, confirming his identity through multiple Snapchat and Facebook logins, as well as website visits. He was arrested at Helsinki Airport in April 2026 on an Interpol Red Notice.

Why is GDID a privacy concern

Cybersecurity expert Matthew Hickey describes Microsoft Windows as "surveillance software,” and for good reason.

First, though, it's not entirely surprising to see a global tracking identifier. After all, tech companies use similar mechanisms to track subscriptions and enforce usage limits.

However, Microsoft appears to go a step further, using GDID to track a user's online activities and interactions with third-party services.

There’s also no option for users to opt out, nor is there any consent screen. Unlike Apple's advertising identifier, which requires an App Tracking Transparency prompt and provides a visible reset option, GDID has no equivalent consent mechanism.

Another issue is Windows activation. According to Massgrave, the developers behind Microsoft Activation Scripts, when you install Windows, your hardware details are sent to Microsoft in exchange for a set of identifiers. These are the same tokens Windows later uses for Store downloads and license verification.

“It's impossible to prevent Windows from getting a GDID without breaking activation and UWP apps," Massgrave says.

In other words, you cannot disable these identifier mechanisms without breaking the very system that keeps your copy of Windows activated and your Microsoft Store apps functioning.

Reinstalling Windows gives you a new GDID, but you're still trackable

The official complaint states that while GDID survives Windows updates, it doesn’t survive a Windows reinstallation. This means that uninstalling and reinstalling Windows generates a new GDID, allowing a single device to accumulate multiple identifiers over time.

That said, once you sign back into your Microsoft account after reinstalling Windows, Microsoft could easily link your old GDID to the new one, effectively continuing the identification chain.

This is possible because every Microsoft account has a Passport Unique Identifier (PUID), which is tied to the account itself rather than the device. So, when you sign in using a new GDID, that identifier is linked straight back to the same PUID.

What can you do to protect yourself

While it's not entirely possible to remove GDID from your Windows system altogether, here are a few steps you can take to reduce the amount of data attached to your GDID.

  1. Use a local account instead of a Microsoft account: A local account doesn't require a cloud sign-in, meaning no PUID is attached to it. Since the entire tracking chain relies on your device token being linked back to your Microsoft account, skipping the sign-in breaks that link. Luckily, Microsoft is now making it easier to use a local account after previously pushing users toward mandatory Microsoft account sign-in.
  2. Turn off optional diagnostic data: Windows telemetry has two tiers: a mandatory baseline, such as device health and security-related data, and an optional tier. You can disable optional diagnostic data by going to Settings > Privacy & Security > Diagnostics & Feedback.
  3. Block Advertising ID and personalized ads: Besides GDID, Windows also has its own advertising identifier, which helps show personalized ads inside apps and the Start menu. You can turn this off by visiting Settings > Privacy & Security > Recommendations & Offers. Although this is a narrower fix, it does prevent Microsoft from building an advertising profile tied to your usage.
  4. Disable cloud content search: When you search using the Windows search bar, Windows also sends your search queries to Bing to fetch web results. You can turn this off by visiting Settings > Privacy & Security > Search. Again, this is a narrower fix than disabling telemetry, but it's one less piece of data tied to your GDID.
  5. Use Linux: If you're a high-risk user, such as a whistleblower, domestic abuse survivor, or journalist, consider using Linux instead of Windows. Unlike Windows, Linux does not include tracking telemetry like GDID. Switching to Linux will permanently solve Windows 10's fast-approaching end of support, in case you don't want to be forced into upgrading to Windows 11.
  6. Use the Tor Browser instead of a VPN: Although the best VPNs are highly secure, you're still handing over your data to a company that isn't 100% immune to data breaches or government gag orders. Tor, however, routes your internet traffic through multiple independent relays, so there's no single company that can be legally compelled to hand over records relating to your online activities.

Bottom line

If the fact that GDID could track and log your online activities, even tying them back to your device, wasn't daunting enough, there's also no straightforward way around it. Windows users can only take steps to reduce the amount of data tied to their GDID.

You can reinstall Windows to obtain a new GDID, but once you sign back into your Microsoft account, it could ultimately be linked to your previous identifiers, continuing the identification chain.

As of now, switching to a different operating system, such as Linux, and using sophisticated routing mechanisms like Tor instead of a commercial VPN remain among the strongest privacy-preserving options for privacy-first users.

Fast & Unlimited Protection for All Your Devices
5.0
Editorial Rating
Get Deal
On Surfshark's website
2026 Editors’ Choice
Best Value VPN
VPN
Surfshark
PROMOTION: From $2.49/mo + 3 Months Free
  • Budget-friendly VPN that lets you connect unlimited devices at once, which most VPNs cap at 10 or fewer
  • 4,500+ servers across 100 countries with proven fast speeds, even on distant connections
  • Includes a built-in ad and tracker blocker, so you get cleaner browsing without a separate tool

Author Details
Krishi Chowdhary specializes in digital privacy, cybersecurity, and consumer technology. He has written extensively on online privacy tools and broader cybersecurity topics, including online scams, data breaches, age verification, and emerging digital threats. Krishi believes technology reporting should empower readers, not confuse them, and is committed to making even the most technical subjects easy to understand without compromising on accuracy or depth. His work has appeared in leading technology publications, including CNET, ExpressVPN, and TechRadar, where he has covered topics ranging from cybersecurity incidents and privacy product announcements to artificial intelligence and major technology news

Citations

[1] United States of America vs. Peter Stokes Superseding Complaint