Windows GDID Links VPN Activity Across IP Changes in June 2026 Case

Microsoft’s Global Device Identifier, or GDID, has moved from an obscure Windows data field into a live privacy controversy after appearing in a federal cybercrime complaint unsealed on June 30, 2026. The filing describes a persistent identifier that allowed investigators to correlate one Windows installation across changing IP addresses, VPN infrastructure, Microsoft telemetry, and activity spanning several countries.
The identifier became public in the case against Peter Stokes, a 19-year-old dual US-Estonian citizen accused of participating in the Scattered Spider cybercrime group. As detailed in the Justice Department complaint and subsequently reported by Windows Latest, Microsoft records allegedly helped connect a Windows device to an ngrok account used during a May 2025 intrusion into a luxury jewelry retailer.
Stokes has been charged with conspiracy, cyber intrusion, and fraud offenses, but the allegations have not been proven at trial. The complaint is not evidence of guilt, and he is entitled to the presumption of innocence.

Cybersecurity-themed scene with a hacker, fingerprint-secured laptop, servers, cloud network, and global city maps.A Windows Installation Gets an Identity of Its Own​

According to a Microsoft representative quoted in the federal filing, a GDID is a persistent, device-level identifier intended to uniquely identify an installation of Windows across certain Microsoft services and scenarios. It can represent Windows running on either physical hardware or a virtual machine.
That definition matters because the identifier is attached to the Windows installation rather than to the public IP address currently being used. Routine operating-system updates do not change it, while reinstalling Windows produces a new GDID. One Microsoft user can consequently accumulate multiple identifiers as Windows is reinstalled or used on additional devices.
This is not the same thing as an indestructible hardware fingerprint. A clean installation breaks continuity at the GDID level, although Microsoft may still possess account, activation, device, network, and service records capable of connecting the old and new installations.
Independent reverse engineering has attempted to fill gaps left by Microsoft’s limited consumer documentation. Technical researchers have linked the identifier’s creation and storage to Microsoft account identity components, the Connected Devices Platform, and Microsoft’s device-directory services. Delivery Optimization reporting also contains a field named GlobalDeviceId, which Microsoft’s enterprise documentation describes simply as an identifier used internally.
The exact data paths remain less transparent than the identifier’s definition in the court filing. Some researchers report that a GDID can be issued or transmitted even without an actively connected Microsoft account, while other descriptions emphasize account-backed device registration. Microsoft has not provided ordinary Windows users with a clear control panel explaining when a GDID is created, which components submit it, or how long associated records are retained.
That lack of clarity is the core privacy problem. A durable operating-system identifier is substantially more revealing when Microsoft can correlate it with timestamps, IP history, service activity, and URLs.

The VPN Changed the Address, Not the Device​

The federal complaint describes an intrusion into an unnamed luxury jewelry retailer between May 12 and May 15, 2025. Prosecutors allege that the attackers exfiltrated company data and demanded approximately $8 million in cryptocurrency, although the retailer paid no ransom and successfully removed the intruders from its network.
An ngrok account allegedly used to maintain access to the retailer was created on May 12 at 19:21 UTC from an IP address operated by Tzulo and assigned to a VPN proxy service. The address alone did not identify the person sitting behind the connection.
Microsoft’s records supplied the more durable pivot. According to the complaint, a device carrying a specific GDID accessed the ngrok signup page at the same minute the account was created. Just over three hours later, the same identified Windows installation allegedly visited the retailer’s website through that VPN address.
Investigators did not treat the GDID as a standalone identity card. They compared the device’s IP history with records from Snapchat, Facebook, Apple, Google, Ubisoft, ngrok, Teleport, travel authorities, hotels, and other providers.
The complaint says the GDID appeared from an address in Tallinn, Estonia, on a day when accounts attributed to Stokes used the same address. It was later associated with addresses in New York and Thailand that aligned with travel records and social-media posts. A visit to the Empire Hotel website was also compared with images allegedly sent from a matching hotel room.
This distinction is important amid claims that Windows telemetry single-handedly defeated a VPN. A VPN can conceal a subscriber’s home IP address from websites and replace it with the VPN server’s address, but it does not automatically prevent applications or operating-system services from sending persistent identifiers to their own providers.
In this case, the GDID reportedly let investigators ask a different question. Instead of determining who owned each changing IP address, they could examine where the same Windows installation appeared over time and then correlate those appearances with identifiable accounts.

The Filing Reveals Correlation Power, Not Universal Browsing History​

The complaint states that Microsoft records associated the GDID with visits to specific web pages, including the ngrok signup page, the victim’s site, a hotel site, and a Growtopia login URL. That deserves scrutiny, but it does not establish that Microsoft receives or retains every URL visited by every Windows PC.
Several Windows and Microsoft security features can process addresses for legitimate purposes. Microsoft Defender SmartScreen, reputation checks, cloud security services, browser synchronization, online identity systems, and optional diagnostic configurations can all create records involving domains or URLs under particular conditions.
The filing does not provide a complete technical explanation of which Windows component generated each record. It also does not say whether every record came from one telemetry channel, from multiple Microsoft services, or from targeted security monitoring connected to an existing investigation.
Microsoft had previously submitted cybercrime referrals concerning activity allegedly associated with Stokes. The complaint explains that Microsoft security researchers can examine machine identifiers, IP addresses, malware samples, and online-service telemetry while investigating sophisticated threat groups. The data cited in this case may therefore reflect a combination of standard platform records and Microsoft’s threat-intelligence work rather than a single universal Windows browsing log.
That uncertainty should prevent two opposite conclusions. It is premature to claim that Windows continuously uploads everyone’s complete browsing history, but it is equally difficult to dismiss the privacy implications when a persistent installation identifier can be joined with detailed network and service records.

Privacy Controls Do Not Offer a GDID Off Switch​

Windows users can reduce some data collection through Settings under Privacy & security, particularly by disabling optional diagnostic data, tailored experiences, advertising personalization, activity-related features, and cloud-backed search options they do not need. Using a local account can also reduce direct account correlation, although current technical findings do not establish that it prevents all device registration.
Organizations have more control through Group Policy, mobile-device management, firewall policy, and Windows diagnostic-data settings. Administrators can restrict Delivery Optimization peer behavior and review Microsoft endpoint traffic, but they should not disable Connected Devices Platform or Delivery Optimization services blindly. Those components support Windows Update delivery, Microsoft Store content, cross-device functions, and other managed Windows scenarios.
Most importantly, turning off optional telemetry is not documented as deleting or disabling the GDID. Removing a locally visible registry value may also be ineffective if the authoritative identity is held by Microsoft’s services and Windows can request or restore it later.
A clean Windows installation generates another GDID, according to the complaint, but reinstalling solely to rotate the identifier is not a practical privacy control. Signing into the same accounts and services may quickly rebuild the surrounding associations even if the installation-level value changes.
The actionable issue for Microsoft is therefore not whether device identifiers have legitimate engineering purposes. Windows activation, software distribution, fraud prevention, account security, device synchronization, and threat detection all require ways to distinguish one installation from another.
The problem is that Windows offers users no comparably clear explanation of the GDID’s scope, retention, service relationships, or law-enforcement disclosure. The newly unsealed case demonstrates that the identifier can become a powerful forensic link long after an IP address changes. Microsoft now faces pressure to document that capability in terms intended for Windows customers, not merely investigators and enterprise telemetry schemas.

References​

  1. Primary source: Windows Report
    Published: 2026-07-13T12:40:38+00:00
  2. Related coverage: tomshardware.com
  3. Related coverage: archive.ph
  4. Related coverage: xela.au
  5. Related coverage: windowsforum.com
  6. Related coverage: secure.com
 

Back
Top