Windows 11 uses a persistent Global Device Identifier to distinguish individual installations across certain Microsoft services. The identifier cannot be fully disabled, although users can reduce related data collection through local accounts, diagnostic controls, advertising settings and cloud search options.

Microsoft’s Windows 11 Tracker Stays On Even After Privacy Changes

The420 Correspondent
3 Min Read

Microsoft’s Windows operating system uses a persistent device-level identifier known as the Global Device Identifier, or GDID, which can identify a Windows installation across certain Microsoft services and scenarios. According to Windows Latest, the identifier has no direct off switch and became publicly documented through a federal complaint involving an alleged member of the Scattered Spider hacking group.

GDID Assigned to Windows Installations

The report states that Microsoft automatically assigns a GDID when Windows is installed or when a user signs into a Microsoft account. It describes the identifier as a permanent digital fingerprint linked to a specific Windows installation on a physical device or virtual machine.

India’s Largest Cybercrime Conference Nears: FutureCrime Summit 2026 Set for 6–7 August at Bharat Mandapam

GDID is used for functions including software licensing and Windows Store applications. It survives routine Windows updates but changes after a clean reinstall. The report notes that one Microsoft account may have multiple GDIDs over time.

Windows Latest says the identifier originates through the Microsoft Account service. When a device is provisioned against a Microsoft account, Windows receives a Device PUID from Microsoft’s servers and stores it locally. Background services then use the identifier for functions including Phone Link, cloud clipboard, Nearby Share and Delivery Optimization reporting.

FBI Used Identifier to Connect Device Activity

The report highlights a United States federal complaint involving Peter Stokes, an alleged member of the Scattered Spider hacking group. Investigators reportedly used Microsoft records to trace the same Windows device across VPNs, proxy servers and several countries.

According to the article, Microsoft records showed that a device carrying a specific GDID visited an online service at the same time an account connected to the alleged attack was created. Investigators later matched the same identifier with IP addresses and account activity linked to Stokes in Estonia, New York and Thailand.

The report says the repeated appearance of the same GDID allowed investigators to connect activity that otherwise appeared separate because the device continued to use different internet addresses.

Settings Can Reduce Data Collection

Windows Latest reports that reinstalling Windows creates a new GDID, but signing back into the same Microsoft account may allow Microsoft to connect the new installation with earlier activity through account, OneDrive and activation records.

The article recommends using a local account instead of a Microsoft account, disabling optional diagnostic data, turning off personalised advertising and application launch tracking, and disabling Cloud Content Search.

It states that these measures can limit some information collected or transmitted by Windows services, but they do not remove the underlying identifier.

About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.

Stay Connected